73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17/02/2024, 11:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2892	b2e.exe
1420	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1420	cpuminer-sse2.exe
1420	cpuminer-sse2.exe
1420	cpuminer-sse2.exe
1420	cpuminer-sse2.exe
1420	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3972-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 2892	3972	batexe.exe	86
PID 3972 wrote to memory of 2892	3972	batexe.exe	86
PID 3972 wrote to memory of 2892	3972	batexe.exe	86
PID 2892 wrote to memory of 2064	2892	b2e.exe	87
PID 2892 wrote to memory of 2064	2892	b2e.exe	87
PID 2892 wrote to memory of 2064	2892	b2e.exe	87
PID 2064 wrote to memory of 1420	2064	cmd.exe	90
PID 2064 wrote to memory of 1420	2064	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Users\Admin\AppData\Local\Temp\95E7.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\95E7.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\95E7.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9EB1.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\95E7.tmp\b2e.exe

Filesize
13.4MB

MD5
7499a32900b317c2eaaed7121ab7aa1c

SHA1
42fa5bb4900b7669372aba9577f59dd80b8a0b22

SHA256
5a2f4eb151b0efaae48c5b57696b12803b86469215a80883ed6554be5ee1a7b2

SHA512
b2a2b7ccdb8b817e576cc005a187b3958c8cb445587700fad49301f92113097f76944b913344572f754af687168a62dd6fc1296122547378665b4bb10d0d4f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\95E7.tmp\b2e.exe

Filesize
1.4MB

MD5
9dd2dc550af767f6d6c914b393c3c5e2

SHA1
f0fe0689b47e28d5b9388c641e79377d1aebedf4

SHA256
b73448f7d2e1ee26f65da78bff688228b309a5d4784d1deca08ae0dc5b90ae2a

SHA512
d6f21fab0a4569387a37a3c0cae0e3ad055c322e837ccc36c3bcdc6a19594c9c337fd7f4f0dcefa3109775aaeb1e197fab9690c3983f7818d6140c75ff7eebd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\95E7.tmp\b2e.exe

Filesize
1.1MB

MD5
a43a8e689cd5eb2690d211c1d48e729a

SHA1
92acd696234142bf22c8b5f1c1af459f38dc3bf4

SHA256
de564130f2706db8cccf91eb5cda9c55b9cb1cf5c775c3eee2d27c4c63ae5adc

SHA512
d804a9846c745cebd70e25fc740f2d8ab555e3b66ec9a1199539d08a0bf9c7cc4d2122eb5fb65ad6192835649fc0cc55f08ea2572c131c6b1931be3d30991182

Download Submit
C:\Users\Admin\AppData\Local\Temp\9EB1.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
482KB

MD5
7a604cfb250978fddece8d4acf895c7c

SHA1
6c6927f5e75cbd903b1a88f772074540b3eb6337

SHA256
e433f188a8e139b7fb196cf991126047216184e206d26d141304f8c12cbaade5

SHA512
6400ba8579ffbda589585bfd37f9056c6e0b85a16d3c91f3810a74ec591a4c9cd8e628a8bce2083d75626f6158bcaea4779c8d4162eeab78304a68fa205b4fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
481KB

MD5
595b45c48e6bdeefed32d3cff6599e59

SHA1
a6766bb5ee7c2802ce3fb6152be090e92555d177

SHA256
6398261a48793d057915c200af8a8d33553daab65dcd81072f8401c64558d495

SHA512
4fd63d603b376c623a2ab43251ce42989fed94789970a12b9cebfff39583cdbe09ac00de758c62023eb5ba9631eeb893a8c8eb033b8e9fd3fece7b1f19918d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
470KB

MD5
4d0fc2f1edaf1aa1d8c3d5edfcf8426c

SHA1
ff1a28f80c202695b6b0e9a8bc8f47856ead52a0

SHA256
2e3fc3cc86ffb32f8041445d5b1aac76b22d2328bb883931cc729a31df4dabce

SHA512
bc9695431eefb485f4e182413daa1a806246313394ad22ba19c41f1ed8d1a939ff1ec6ba5d4dea848fb4a4efeeee82997c705e1127229c2c1a2b74e5c01865a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
418KB

MD5
49b5ad5032e8abb96efb24f6def92125

SHA1
86a37527421a7a7185e689b05e7130ccc61508c4

SHA256
36db52cef7be5ed3b49c6817aaeb3a2a92f835443a21a1368fe35e8287edc813

SHA512
bd4f542c5f44a92c43e8d60f381f1300786b1d50ea756c947684dd1a4116f9d22226c63271570e92f8e65e533805f1b4f57a4d51b458ee40458ba85ffadf4f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
229KB

MD5
10f6a7a83fa10b71ab9275ad2823ff4e

SHA1
97abced63ee62e598d905b23b29971cdf01fed9e

SHA256
a700a8e69e859db71ac2d62bb653c903e7c51e3aa8a3959b3a2f4316c7f5fd53

SHA512
936203a12d69dcd24ea9ca64873769bf69016936d480f10c233233c5a173d17316bcc811cb1a7c9973187c66f6c34a4788c767b5363016a6a00a4cc935dcfdf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
399KB

MD5
5b52e8ed06211deaee77f56fbc36002b

SHA1
00e62563ffb79f243250282c0efe57c9e04a5e6c

SHA256
92dc9300755371964b45ae17ff1a6b6cbcafebaaced7f6626f953e7ceae36bb8

SHA512
faf2882c15a935cb2cc616dd37054e75919922f1e772c367e1b815167886818984340cc081a2ceb6cd8b1ed87498d28f5dd6346bb8301854594355ae43ef948d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
402KB

MD5
00d929d0a006a2cfa182bd57b9264daf

SHA1
fce639cc88db3139e0c1aa3be8b1b239e55d10ca

SHA256
da9de3fb6e7007a6774bc2f9c572e29d0130530e97aea91722b3fe186ca7f5eb

SHA512
cab77e2547fe23f060db042e3d2bb427612df45b89c21eab93328667a2cb711f59d4f6eaf493040b5f0d984ee3ed08e9c52386ee63a6feaef8849f89099d73df

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
377KB

MD5
45fec87dc746829670dfc4617162c601

SHA1
e540f0acb8a04403fa2eab85f1e0d2eb8469b6a3

SHA256
50cb76148ed54a3b8317bf8b54c380a5c4a2f009ef498729c701d1adb007222c

SHA512
b7e6d6c9e331edaca63e64df6601725f9eeb5235bcdda73d3a340cb06b548e13e76902b6cbe2d38d1dd1420ebd370d09712b204b30a3a5881be388118bdc5c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
321KB

MD5
761872fca24ee69dc38fbaf0f129992f

SHA1
6d65218d5577aab901f7670b5b35d2b88d259d20

SHA256
e121df664c55e5e1477ad909e4deea3afdd7f726b9567409b2c49eb1e72a553a

SHA512
f941c0aeb2182c73254e5812b1b74cc4bb0ac3b287a6e4957c642950c8216426f80b9a68e6b6057fc3ca2e16f1a27f90d59a6ca8b29e04642453ab3d94311788

Download Submit
memory/1420-68-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1420-83-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1420-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1420-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1420-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1420-46-0x0000000073670000-0x0000000073708000-memory.dmp

Filesize
608KB

Download
memory/1420-47-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/1420-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1420-63-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1420-113-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1420-78-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1420-73-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1420-108-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1420-103-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1420-88-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1420-93-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1420-98-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2892-62-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2892-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3972-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download