73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17/02/2024, 11:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4892	b2e.exe
2384	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2384	cpuminer-sse2.exe
2384	cpuminer-sse2.exe
2384	cpuminer-sse2.exe
2384	cpuminer-sse2.exe
2384	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5472-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5472 wrote to memory of 4892	5472	batexe.exe	85
PID 5472 wrote to memory of 4892	5472	batexe.exe	85
PID 5472 wrote to memory of 4892	5472	batexe.exe	85
PID 4892 wrote to memory of 3620	4892	b2e.exe	86
PID 4892 wrote to memory of 3620	4892	b2e.exe	86
PID 4892 wrote to memory of 3620	4892	b2e.exe	86
PID 3620 wrote to memory of 2384	3620	cmd.exe	89
PID 3620 wrote to memory of 2384	3620	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5472
- C:\Users\Admin\AppData\Local\Temp\36DA.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\36DA.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\36DA.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4A52.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\36DA.tmp\b2e.exe

Filesize
3.4MB

MD5
469424e937356dea074c63081720fe60

SHA1
d14394b46fcd54d4411d476a533a3e93c8dea268

SHA256
9215bfb29240d1e784c2418fe7b634ea1c930c61530c57e74977d326e33d6eed

SHA512
602eae5f59014da9074de6184fdb5e6fd6b6b89af487698b3255672681a2f2847d4c94b0bc4d6198fee64dfb59715886d0297b41e74d5746b0a70652b26617f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\36DA.tmp\b2e.exe

Filesize
256KB

MD5
18c91665349cf71648d4af5d21843ea9

SHA1
6be582f8587a42e96d73bf174cb6d6345761c192

SHA256
979d6a944f61f2cde2dea724ce5e0297005602c15fbbbcb917540ec1b1f3f937

SHA512
544d110b9bde470b9411a91f9195bf5e6914c1e5c59ec4485be08acaecd0e519d1c932181cf5a76d5241dedc362beb56f2fb407d808d554e43d408b34a621d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\36DA.tmp\b2e.exe

Filesize
674KB

MD5
3e3d3f089a69341fa680770fc75fb03b

SHA1
1de6e82ef190a8ed7134a02ffabc2ce727935369

SHA256
8d2448a77f1b1943af8cbcaf707de1670cdf69dc69d9b844d60fd132d09ea5c5

SHA512
14463b1795adf56a1173fd7abe4717b83d1c1224a16007c5cef4628bc0cfab9136d62409a6679e3d05d94606a9d87b443267df303f5382971626c9f1349a80a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4A52.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.4MB

MD5
0f8e4f1dbc3b73d35d7502495695754e

SHA1
b991ce183b5fb6ac89b879e4756dcccb0eb38e3b

SHA256
bd3addccc97c7ac51e96eb83b5869618111bae14c4f57d58fe30152d7264d9b2

SHA512
5ad3492461f4b3766b763f0d8fb3f85ba29de5c8ef7d99c02eb940fee01ab5422cc50ab9cc46738d8fdbc1828022368d270cc99959a32641f2209dc3f4fee1f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
815KB

MD5
070d2036a7477bfb487d4fe0b211ff49

SHA1
694d18506232a2a1941d1f1296042aa4f21ac8e0

SHA256
336bf40391e2b390851a93f2ff1a47d1cfb9034b7653669d320194cf9685801e

SHA512
f2ce9922d9c1256c832c8d37bd2f04eb6ad4673ff8fa3bbb5cd95e09a02ad5becf0b11d6c1c518626b39b35e0c130b4d59e1ff9cd87989e8b4171fe41d503c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
566KB

MD5
9a8c303ade43d9a3c1955dab676fcdce

SHA1
f1362e247b04895d0d9ee8d19b6fe17bc635f3e7

SHA256
09647eeab9631657ad6ecaf4eba1306e57fb1da0e8435b621b8aee37eba44797

SHA512
1b176ddd152d0e051c7f1951215b10c00add2f8cf55625b501d0aa24fd0c46ddd5c6be991e14f46b65d641e0452a0e7008861ae7aeab8c12e5bf161f216cf43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
550KB

MD5
e3713f53d0139129e77c78de3911caf5

SHA1
31c0042f86955f096145b23c42dcc31bc7fdfa58

SHA256
7651d4461f39777e024bdee539e8ad9c7ed25b8a979350aa951fe7be05178cc0

SHA512
91b06911e37745cc65e7748783c751a4a18c5dc33477e57cff4bd6f0e9f548b45b128bde87b7e4526df3a4c9d89ed68b3f335347bec4f016079a072c48add516

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
592KB

MD5
dfc885cfd31596506fa79f9f6e831fed

SHA1
2a936ed3ec9e10af2bac29212b932e7f5b134a1d

SHA256
6f7973785f8ded0db898bdbc23d31ece827d264cb7456509cd5525cec8c4aaf9

SHA512
670ecd9d890039fba6b5b6d3f403e13c475df64ef5e187e8d856fd2762808ce22ca80ac6ce67a5e49b47fc5bfde5e3834f49f270655398bf95e71095fdbdae50

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
757KB

MD5
9fcc816776ecd4a1ed1a11821790b03b

SHA1
31a0136d3b440e6f905dacf6d2f2415a2502271f

SHA256
34615cc8a1097b5ae349a32c0148de31a838ca02716b742dbd470632792e1ea0

SHA512
ed88b3ac3dc4b56fef3ad131483685c75a877a043a21f66c6ae7c41eae1ea243858d3150a1f5d6f3cb87f91a82462066baa9c214803de87d3303e619e0726e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
804KB

MD5
4794a05f650b97706d65d297de4ca436

SHA1
f300c50966a1a83fc33a58072877c3d4e0a97158

SHA256
4c87ef0b26e0f350f4fccd5b5a08089904efca1fe5402096b126c7a2c6e806d3

SHA512
44ba779b209c8e9d61bf24ea38d310b143ed80e2a97ce9ef7ba654b0fb534e1d8335a76737a93807422c24a9241b96be6d1bf54ab1ad52243bdc673b038a5d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
884KB

MD5
8f905fe8357d09cf060a232b6e567752

SHA1
b1be0b3b6a88aff3463a0568ba17003be86fc493

SHA256
3653d71ac305ebe7490da072095b830490f050eb613378d0f7af0daafd3008cf

SHA512
a6a23609fbda583a0ff2d741677354c0e150cf4577a2992f2675819a3a6c4c6df43fb450b816f14bceef1841440a8b65e55e13d9787ece71cc29436d02ceb024

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
564KB

MD5
90bad6730e6b2380a20d8d5d7fb68e90

SHA1
bfd3f1a9d6e50272a438c656bbf6574e465157b8

SHA256
fb67ffc2134fc0f2e3f6f06d8050d700e5b5954784fe1473990d79185f90dc91

SHA512
84167abaf3fed7129675e2d43b212bd8fb3d632b4714d4f9758ecb6f24c7864d44855786f4f63e89ae5b5f25b5033eb63482eee6b9753673a717ca7b28d9f1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2384-49-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2384-55-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2384-105-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2384-44-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2384-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2384-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/2384-47-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/2384-48-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/2384-95-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2384-41-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/2384-90-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2384-60-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2384-65-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2384-75-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2384-85-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-54-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4892-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5472-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download