73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
300s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17/02/2024, 05:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2044	b2e.exe
1756	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1756	cpuminer-sse2.exe
1756	cpuminer-sse2.exe
1756	cpuminer-sse2.exe
1756	cpuminer-sse2.exe
1756	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2448-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2044	2448	batexe.exe	81
PID 2448 wrote to memory of 2044	2448	batexe.exe	81
PID 2448 wrote to memory of 2044	2448	batexe.exe	81
PID 2044 wrote to memory of 5096	2044	b2e.exe	82
PID 2044 wrote to memory of 5096	2044	b2e.exe	82
PID 2044 wrote to memory of 5096	2044	b2e.exe	82
PID 5096 wrote to memory of 1756	5096	cmd.exe	85
PID 5096 wrote to memory of 1756	5096	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\F6D3.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\F6D3.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\F6D3.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\366.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\366.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6D3.tmp\b2e.exe

Filesize
6.4MB

MD5
ae81836ba1a7cef8bd80c5683d7d7b6b

SHA1
92793f6bd869efc13bb2b6a0ac7d281e009e08fa

SHA256
bff8d89deded6c92e69d56e0724b913a7220d968991bb9e6b97c24b0e38fb9d1

SHA512
1e66725775d3cb082b0f807fe365d7755043c0c9c734a9ad7d2d10053ba4b98ce1fda313b214abe2c02f939d26fecf35cac790ee3ea6ccb06a860bbfac4b6707

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6D3.tmp\b2e.exe

Filesize
4.2MB

MD5
a844ab32bf530679c91465f8d5a9a052

SHA1
7a35e8c53cd19d3b96f548d25760720f304b013a

SHA256
fae5418c4cf6f24c5160101d11c3a3ef0c780ccffa23d9f664f558629c7300cc

SHA512
3981d1470f1bd3ebb215e5a7b11846eeb013b7a58c77790d25726c207de09ed0f52332641b09fb454330ac131823002a9cb5dafcb89822c2708ec88bddf52601

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6D3.tmp\b2e.exe

Filesize
4.7MB

MD5
7e2f349120e0a182352d466b284864f0

SHA1
a0899b4b659d2893123574a4ca2c835ac75d978d

SHA256
682206c31b1b1f1254793e588fa4863b94040b0751bbacd018ea2e79a04ee0e3

SHA512
fdd60ad0bf24f3f3371e0c86f18fcbe880a53bfd9a918fbf06a520bdf7b8df7d1b5bc15bf0b7e8ed3eee57ab48f29f9e6e44c63cfe015da80047c7d0dafeedad

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
167KB

MD5
925fbcf23c2a603ab1be29d6d311fea3

SHA1
5a91c04c2e4ee64ef20ab6a0ed97fdcecd374bce

SHA256
b710c134e39a6388afc93c5d825c84b766038a35e490213293df1da9597b5960

SHA512
193cce58b5d1594a1f1a8ee34d20e4c322bc6b9e82eac463ed6cb1c9b4bc1ec2b784120fb93d42e09bd56bcae6eb1242ac5a2f897b521d105ba6b445612f584c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
53KB

MD5
b71c9aa73dd0ed45ac455110a682d482

SHA1
63570d83cf2f4709ae48c4ea55fcaae71a4dd014

SHA256
01d8698b5ef673c550f20c7e288cd326a65d742a2d5c93c85b721f8864cdfd64

SHA512
789ceee837748da8582c1ce942a262fca0ee2e632f0a41510ee902b6b1524d7657122586a704049600b47f0194145a7f787f2ff21821c9e511dd86d6fe72ff5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
2711567b500d80cc71bf1d76839a741c

SHA1
1a792cbae9db9d0a6a3682003c89b7d90b1d6dd1

SHA256
b39cd8748e18017c50eee5c892155718e08a1890f673ad05fafda6468dd638d8

SHA512
3430d7dfd1c2645485295d1bd6ce87df25256d435960bd205ce5b2750dce6172b54c92b654b611a0b0bf65a2bf02351abda86c9a2b4727b0e6bb7e95bce6ab60

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
2b60a4475d9d6c6f408623d27ef28af6

SHA1
5e0f8317d6469d1b28102f1ca3a576907b98bf2e

SHA256
ab783905bad433ffac9fab42e7a686ea22ee8749cdfb6fd204b095f3be0b7d30

SHA512
7a4b5ef23d7dea210cbbe62c5d68861e799461bc4692d7a1d8b52b472924d2d5c7a4876c7edfff842047581c8050bf27d9d58bcae22186eb33660cf61e00ceb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
4e944ff300960354b18da42e98a3c24c

SHA1
93edaa60730e9208e382dba087c2b9effbe318cf

SHA256
3f5d69b6b3fd36e4bb3a3d49ed5bc334b82b4944bf2bb7263c84c24081bdf55e

SHA512
a747cff4fbb6ffcec866a22337e6c2f35b4c010a6d276c4fe7696042b03eaa3115c3bdcfdce57a1bce62a5c1feeb457136522af9776d201d34971ef9db36bc77

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
893KB

MD5
724c64672d415168fb2b8d9053c6137e

SHA1
258ab637c0f1c58b3d6842f1baeb2916541dd3b6

SHA256
fda9d76b5b7b7c54bd63d9e056fa679c12341b7da8def77d065bb68256ecea07

SHA512
ff102318817708468e1c29b574bca93584cb57402ba980a2a8656da5caa583f0c93c295f164d66b8e7205dd7d13637b25a65baf3f3370c56b4022b1914720799

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.3MB

MD5
58bf48c8ca1e1c5cf2d4dae6b25c386a

SHA1
a1b1ef64ec5cebfdad4936e8de6f6bb4372d8176

SHA256
5233c4036d8f1354b28e61ad11d3c5d6c80ed20b6312fbef8dc3ba7b94047774

SHA512
1bbdbe9bb6f2a45d0ec7b6a51b13b1be9a5c239dc61d070fecb15b82ae2af6dbc1ac6923815f464bbb4f8d979db603ea43b07591d7625b905b01158616da4027

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1756-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1756-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1756-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1756-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1756-45-0x00000000635D0000-0x0000000063668000-memory.dmp

Filesize
608KB

Download
memory/1756-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1756-47-0x0000000001070000-0x0000000002925000-memory.dmp

Filesize
24.7MB

Download
memory/1756-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1756-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1756-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1756-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1756-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1756-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1756-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2044-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2044-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2448-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download