73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17-02-2024 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
2328	b2e.exe
5408	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
5408	cpuminer-sse2.exe
5408	cpuminer-sse2.exe
5408	cpuminer-sse2.exe
5408	cpuminer-sse2.exe
5408	cpuminer-sse2.exe
5408	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4756-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 2328	4756	batexe.exe	85
PID 4756 wrote to memory of 2328	4756	batexe.exe	85
PID 4756 wrote to memory of 2328	4756	batexe.exe	85
PID 2328 wrote to memory of 4860	2328	b2e.exe	86
PID 2328 wrote to memory of 4860	2328	b2e.exe	86
PID 2328 wrote to memory of 4860	2328	b2e.exe	86
PID 4860 wrote to memory of 5408	4860	cmd.exe	89
PID 4860 wrote to memory of 5408	4860	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Users\Admin\AppData\Local\Temp\2EAC.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2EAC.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2EAC.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3A64.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2EAC.tmp\b2e.exe

Filesize
6.3MB

MD5
792436b8352cb6bf7879316e8489c5e7

SHA1
dd6efb074a7f667e5cf992c0d849c97c9017ea4b

SHA256
408e08e6fa64469f4300ecefae08af44e98f5ab2912f7983a5d3f20e323cc2d9

SHA512
e3e74543eeb6915341f16ea09ec2ca662934427597bc2cbb6f0e14739bfb51b58edd7bbcffbbbdd2305f65ddd430706699220490fd65333bb0982174e10a392c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EAC.tmp\b2e.exe

Filesize
193KB

MD5
bf8546c5e8efb5b6616b05246228c7b2

SHA1
c53bead6f6c29d4f1c683c95afed931c3e756a5e

SHA256
ee1f483ea5b346e1ae0314a2f9ffa873177010ed3c0154c6523e0dcc9698b764

SHA512
cd42d65ef1887882e4f1e35a04d0dbebf571bdf27e288dcdcae59dc639030980eb39f779256096c4800dae35caf483f5e188fd85d5591cc5ad698659255adc9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EAC.tmp\b2e.exe

Filesize
306KB

MD5
c3d402f9996ab4be47be7258a4f5d43d

SHA1
ee5f247bd911090563a11d8f46c812e4d5dd061a

SHA256
94d23f27705b37d7266af38e64de737b2204a748215e4693457656a22b591d82

SHA512
09c494833238d246753d37337fae4d7565ec991d865f2adb0c5dfb209ea456b86e544a83458dcd7f8f462ab02dc62f17e5d9a0851782e7d56183009e50b024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A64.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
629KB

MD5
563117361dffa98c4dd3c2178c0305cb

SHA1
ac45545ebbf875e0325c6857ab413b554bac2fe9

SHA256
dcb98162ef3cdbd56b2b0a09fed1c4c447def49473a57ec9ef241bf72e237457

SHA512
a9de74636e6edbdd96de20949068ae0b3c8c2162a3bee91e44d9b9067cba18bbdbe642f46259a0e77b531e66b6c11eb59891ad3596464d206786d3c869cc76f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
594KB

MD5
ab42eb52d1749ab841e87e91df92d54b

SHA1
78eae5d55c93272d3d34fbabd5803c4f5e065a93

SHA256
0d662727ff46d7daa49b0c8e7905231590979b3d72f5fc11f5eff9510e6e3191

SHA512
87223052d0efdc4dace332a7ae81497adc07bf433dcd09326fd4367c63f3804e9319da964d662f6fb64d4ff3bbc0d6748d468c5b0716cbe98daa10d4a9907f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
640KB

MD5
ac7d1c3bb4d3c69372907331267c1ee7

SHA1
fa82689799785ef9ab4c304b1c1a6d2d9a961928

SHA256
d22689ab67764158df7b19e8d78ec1393899f21e390f469a300975a31106c3aa

SHA512
0d541661060d7c5eed486ea0377142e7d3883b3c0935114679af28bcae0b1767585fe06328955cf59aab4fe3d4acfba525dbc42675fbce80b7d0b2300784d125

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
380KB

MD5
27f293ff7d66c179acb5741a860fbcf1

SHA1
6b177a8affaeefb01906537419b525f1ee717e38

SHA256
37e4b9fe1f546a5577974499017897ca399e78d4df2bba00b24c4ea0bce4a8e7

SHA512
55969588fc11c4f92cad65030bf85942b0d9c220386628a6548211092077a11d2cacb8dcf8e3fbd863a140ad6a77f6ea8374315ab5c0cc5c398ae803b6de8362

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
728KB

MD5
21f886f67855df4a81865664c8ade5cd

SHA1
e3fa5a76fb204af06f95946cbab2fa52da708a8f

SHA256
36b89f087630319e99e08dc9c1d66f7ba32a82c2effe56eec1118d9c93f671bd

SHA512
e55695b2699eb90cae80b7756c16f450b1cfd33287d2a98041ce4054be773c62c17f57764c40d61820ee586120d4b78c3531149fea52c728fccdc6b844b0d9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
554KB

MD5
932923269c893a60ef0030776af588e3

SHA1
c2a07f9560e54828d5a3dcdfa2b6b5b6c7f4949c

SHA256
c4677a9e7894860467062cceaf67dd5669f2acd3d00d6b67753f44e0bfbd6552

SHA512
4fa02cc853ccedec5e66fab54348ba1d4b7da65c6e5d36494874df83fc6b925b34f02c36d46ceec4c6380c1ee67a03c3ca36aa5d3625cfee294dac61e007f11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
670KB

MD5
73debafe80b9f9fc074636c0b2476254

SHA1
3160b6b11857756b5b17a0b88cd2c2b31153a410

SHA256
d55a66384fc46d061ed6cdd712f13e628992ac8a33c74375fd4469310b4f7f3f

SHA512
9b77c70714248336851f2ff63a11c849a49bd7b45c4c8cc0fd15cc907966491d3a3133f2dee30e723cd2006a4bc5580fe05e5b07b1b853b358599d6811b2c0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2328-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2328-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4756-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5408-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5408-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/5408-49-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/5408-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/5408-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/5408-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download