73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
14-02-2024 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4488	b2e.exe
2408	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2408	cpuminer-sse2.exe
2408	cpuminer-sse2.exe
2408	cpuminer-sse2.exe
2408	cpuminer-sse2.exe
2408	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2904-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 4488	2904	batexe.exe	85
PID 2904 wrote to memory of 4488	2904	batexe.exe	85
PID 2904 wrote to memory of 4488	2904	batexe.exe	85
PID 4488 wrote to memory of 2136	4488	b2e.exe	86
PID 4488 wrote to memory of 2136	4488	b2e.exe	86
PID 4488 wrote to memory of 2136	4488	b2e.exe	86
PID 2136 wrote to memory of 2408	2136	cmd.exe	89
PID 2136 wrote to memory of 2408	2136	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\7119.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7119.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7119.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7530.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7119.tmp\b2e.exe

Filesize
17.9MB

MD5
6514ef7d701e71a091fcd20cc63238ad

SHA1
95b36ccbeedea6d471498e65a8d1041ed094d2d0

SHA256
28b0fd9465c05d565ceb7bb622d1ebc43cc4fabaed0a728b298ad6cf033f2d39

SHA512
adbcd00b33de44c59e6cb9bbd1d8e6742f81aa542c569f4da0d3f0e229b0faaa45eb22e0a6cef709c6c87ab28c593a1aebba8b4851982d6305369127912d44c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7119.tmp\b2e.exe

Filesize
5.3MB

MD5
f33a0f5faefcba6cb34d60d133ceba8f

SHA1
36fb52736688734efe275ff57261cb36fae4929e

SHA256
db41f9c97b844f02ff67a24572addb22402cafc5e1a1f4c9c63d1538213c8d1b

SHA512
14d3e4da2d3f741aae18cfaab2e7ba9385b3eaccc7de4c54f0a759730a2f276ac193a9fbee264d39d545bad7177498264a8e8effb97eb006639d0c706f59ce11

Download Submit
C:\Users\Admin\AppData\Local\Temp\7119.tmp\b2e.exe

Filesize
4.6MB

MD5
7d7868459691a2c328873b785a431e5c

SHA1
6c3ff9e0d21a95df0900c498d1bd6b29b6a780d9

SHA256
fc1461f288f8798085b382f92a49c1f41127d18a15ff96d5c772f58a34c032c5

SHA512
e6cd8ff58d9b05ea241678f213047b679b1df9787d5f3608015764a4bf3b46bfb6c76e6b6c7407cde0c1200d5c95720a602a857710b3fe615990f4cab5269b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\7530.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
995KB

MD5
5ae2db8eed06a5bcd37e0e6eae582055

SHA1
9477dfbfee401dd1cf8135b85ba424cbf4cfd74c

SHA256
7fda3f7a9b07fe6e91b9dae2b8165191b4416dee54d8241bb51d3860946eecbd

SHA512
c261b514072b35500f1de7f215cf46c7ad8ac52c530d8f431321fcbc0dde46d55eaa11009d57b04aaba92d9d59f67d95f60047515d8174239504dc6111163670

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
992KB

MD5
740529e5fe410285c47cb284bedebe08

SHA1
50b1c0ec8ca53611aa9bf32c0ccabce3d01050b3

SHA256
0e07cf377f7fc3c594867941a66ec6726c02e44f2ac4cd40e808d8c2866ac12c

SHA512
10586b06474d34232e814c7f4e3702bdfbb50ef9943534d4e7d851c18764cd289502f363db13b32d81d04f9ce78bb9d74cb8ef647b3e95dbcb149b7124e891cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
597KB

MD5
c8274c3221d5ea6615acf4c5e7fc9409

SHA1
369770f860e1db3bf98bebad7939f701628763a1

SHA256
0cbaab624d8dff114419743250bbdd32054d57c0dcf6ed67f19e69f436655718

SHA512
e6f9368b60d719aaa2c8200246a47cff6b5dafef6690dd1380af5d49ede778a4ed2610679ccb969eb95aa521c01a298a53313528a2cc6955cb9a038a046dfd33

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
969KB

MD5
f9ac185ec6b591b5b3c26ef368adbaf0

SHA1
1b4a0308a45aa41a6bbe175f7c37728e78ac0672

SHA256
df207329f4c4a419b1ab9bc33f844dbcfb0e7c3145395ba03ac6df4571a627d9

SHA512
f71d551d7fb14046d19680af276da85f08487000ccec108c0644e2ed73e42aac7b6e06602d0d13015231450487cb96ba67e0d7ea0c589bf43f1073f909f3db13

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
665KB

MD5
6d8377b2897a984f0e48255456a5f022

SHA1
c77f4c231f18043cddc6d266b796a3868900f9fb

SHA256
f05c23fcf702cecde89289655a22f7d64b245c3e6a9486432bd9db756a8ba254

SHA512
9f580195df788a61fdda52ac0c56c201343988a0b177974e7963eaf49f20942c3d48067db967734bae36cf3cf26455b6ba1429bf714d9f9514d59fbc32b0e15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
c0e6739bb34b652b2265b83a25687187

SHA1
fdfbb11f6d43e41a3ce1d7461650e1729fbfa7fb

SHA256
10dc5bf722528f9e1fac95342b026ba9273d9fd577439799734a328cfed3585f

SHA512
8f43eea3479b8c62fba13299ff3968a98cca657cc7a9f1df575f32df47289bb5496295661d824f8194b03e3036b761b330e189b21c6fe85f95e4009b142547a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
744KB

MD5
8a0d4d71732b959eec260896f6a05379

SHA1
6a0040d680f4742526985737ae2522a5c9884f9c

SHA256
64a87939433c060e81831adad24a1a87062c71d6f51370de18f446d13b5d9ab9

SHA512
74aff0ecf3605050250cbee6ee1e42886288d02c7faa22b7e26bc3c103084f7671abf95581e19fdde3b9430473e21d8e3a2a1059f2c56248e061ed182d3e9a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
413KB

MD5
36582e187e589118f40ab86370845193

SHA1
fc3ad02ba4c264916bb16e9d07f7c8d4a6a56562

SHA256
cd2ebe0685c6ae72bc3db4def5bf81b002c373978dc13b1f442674dbeafde34f

SHA512
630091990e7150c699868b9e8907860ea7a4fc62536fb06f09d1bd075c19e10f0fd3413f89565b94534363feace972f6ada7c8957f0d7a6183f8548842bbdaed

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2408-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2408-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2408-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2408-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2408-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2408-46-0x00000000747F0000-0x0000000074888000-memory.dmp

Filesize
608KB

Download
memory/2408-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2408-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2408-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2408-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2408-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2408-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2408-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2408-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2408-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2904-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4488-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4488-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download