73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
295s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17/02/2024, 13:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
552	b2e.exe
4900	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4900	cpuminer-sse2.exe
4900	cpuminer-sse2.exe
4900	cpuminer-sse2.exe
4900	cpuminer-sse2.exe
4900	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/916-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 552	916	batexe.exe	85
PID 916 wrote to memory of 552	916	batexe.exe	85
PID 916 wrote to memory of 552	916	batexe.exe	85
PID 552 wrote to memory of 4924	552	b2e.exe	87
PID 552 wrote to memory of 4924	552	b2e.exe	87
PID 552 wrote to memory of 4924	552	b2e.exe	87
PID 4924 wrote to memory of 4900	4924	cmd.exe	89
PID 4924 wrote to memory of 4900	4924	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:916
- C:\Users\Admin\AppData\Local\Temp\69C6.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\69C6.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\69C6.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6CA4.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\69C6.tmp\b2e.exe

Filesize
1.6MB

MD5
cad032dc363c0c1ae507c90f27bd67d4

SHA1
2433934aac8a7f43bef4b940599c1cf665d70258

SHA256
f163acc96232f5dfdc2d6886512c0adcbf51cd37d7fb50fb0ea141592f6ca87b

SHA512
fe0f4fc4f24c7e8c0d00b74f8405c25751c8ebd159312be4d9926b857b23aa5296ee99c1b38db002c46e609a9a0a76af57f9a49f24382dabf1a10249ffb97f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\69C6.tmp\b2e.exe

Filesize
285KB

MD5
5604346509dc78941da54239220ad0f6

SHA1
b532845c3715cc3c77a21e78c79af0d35c642f59

SHA256
3f638e9d195d0db510173606e8f165036c779aac7b8fcfd775e7263fbc18de24

SHA512
2f6309c56decd7190af6acb66800277eff2ddbbf9ec11d8022dbe5a33768f3915553409f71d5f0e2438cc5c94cd244b33aa40e62439009aefa9b9634b4e17079

Download Submit
C:\Users\Admin\AppData\Local\Temp\69C6.tmp\b2e.exe

Filesize
392KB

MD5
4f69c8df04034e16db8ab873279dbe40

SHA1
961bc238346742f29490342fabb3efba959051c3

SHA256
cda6e1cc0c0188df92ad8c2555a7b388c24fb04d8150240d61e1fbc9c06629a7

SHA512
56900ff52ad463a2ea6949dcfcacf8ab99cdb74c5be346390ae2f1d9fd98c6f68cda71c0f71b272d9d26e9cad0dab450e8691e9dce3926050d171e0b7bb6396d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CA4.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
389KB

MD5
286277ad6123985b619cff6cb66bd793

SHA1
9cebebd285a9e87045ceaf8f984ec9b119b861ba

SHA256
4ee12d43c4ee7675419b499492cca7d1a3ef1681a55f1669da183e29b375647e

SHA512
fa568e85e149a3783f128820a9dd78c821e0faf188c1806d7f7be67156d1fa3dd6c6c5709b4b0c289f6c6651514a13b17a4adb9c0691a70050223d5391421ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
331KB

MD5
fe83109743bbc57ea3fd0b5c27e731d8

SHA1
aee930bc63b815a677c5dfc9b1918643fd131239

SHA256
56dbf2bca231816cdf3505c2f8bd9c047e80e42c625676c3db716e55a0f45ce7

SHA512
8f4142a4810300e162313cb37d543422a1f015983f6123d23a2862d0190083b76d68cd2a4fbec3349749a1fb8cc7db3eef37adea10319d80e40d5941a5807e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
264KB

MD5
dd8a2d4a1a98b83552537c7b5caf91ea

SHA1
acf171a008e20c8deb92bbb77680684563a2905e

SHA256
0c0b12d13511ab09144b4674217db74d2cf74b59996efd80b36f029226b27cdf

SHA512
bbd6fb8c527aab68cdd44ec56d94943f96c6658405ae06403a1e61dc5f1ae268e79a7dc2f9288772738b5147f5bb964dd8e707e524d386fc347cc7f34d0a48e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
358KB

MD5
17a32781645ddea3f10362debc2c17a6

SHA1
9728273a590c2a86d036c6206553163356f60825

SHA256
9776499095e134468d1762864040bc526fa01a17fd4d4c6637b215b8735b5e0d

SHA512
bf92d746057954c9451f18a3f3ca0969e624e54305163d2bd1ddf4922aead1124d0287f9829a6fca3258849aab4a4e727588432907ef4c6c4f8b260eea217ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
312KB

MD5
1b63ee0f287f55ae95fca5c486060e19

SHA1
4dd7cf76ac8b244641173f05892f96c9b97617a0

SHA256
793c325fd0b521e57e9384c4a268086a1666be4e82214e9eba36b0c6a4938612

SHA512
42b34c01d175784d119332bb2de0cb2580942acb25458ee8854398ae33d75fdef66ac7c4469fc1d2d4e30be34855a9ac3ca2b3e2133105243dbcb3e3fd4d19e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
351KB

MD5
c12f943606c3fd2ef33805a187e5d313

SHA1
c833b2786001a430a91174c914337d12679d4a50

SHA256
56603932bc191fb1a9411ed4f6c616a775f0596d253918440742f1ff467befe2

SHA512
ee428ec93d13279da6827f07e9238768353f77441d00fad8f1805bed5618a3e916b09cb6fcaff189901b3d5b86bcf6a1dd560e775f90b38046d82747c1598896

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
279KB

MD5
7c4ae7f962a32928f75128b776ccbcf0

SHA1
0dda635518a7ffe1ad7c5822a7eb2cf649f01ed8

SHA256
a914cd8a9447c4d37936ca5089f98d745f7eda88188bdb630c14ec01ae3ea236

SHA512
9c465539e253c1fe2dd49bc1b043fef015570989270a1aab4d2195d35dd85b6193895f4427da39e87550d423dc1e8577b58fa6dc701b8ddae29b7c617e825d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
323KB

MD5
9f4e15233155d966754e987aaef15a47

SHA1
f60920ef76966d557824168be251607c61cc2c94

SHA256
d593b435c259c1e617b46097af1a444a6ce78e70a7ed98f789e865e5f2902715

SHA512
4af22f0ee374bee20337f7ae12235fb446047cbc8348acd5ddb6f1ca556c893c2b0ac0625d54aa3fda878985f018c7b8f6624c55f19c325e0a08321bc9b4ca64

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
226KB

MD5
93b79594155750ece8f2abd069dc2fb1

SHA1
64edc02d44f8df73f33a751a053e78fb8638c87c

SHA256
98e4ec54848dd8c6b5be4c3079813875e4f62a4b6aa0729910096082256136cd

SHA512
ff6b491f032e5c4c71dca3663510915fc51f512db1a20cd671b1c2627852f457a84b020538f72b336206175e3d1c5be232540b5adf92bba91ba8c8f7c17fe75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
409KB

MD5
1ac18cd29689ecdb1398994ba50a3286

SHA1
a884168d5e7e05e7f0e443171871dbff48e5a94c

SHA256
ae7652f16570e6be833ab395dbd16cd58e85f3b8860eed39cead4148bacf87f4

SHA512
b4a557218b7ef7b163b667d0b92d6a956bae91cefdd7474e6baec6595bb70425b1582f41942486160152de6eecb3fd861709aa31cc499ad834e00fc455929554

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
245KB

MD5
4bf31932cf853d00146e0a96f3f55d3b

SHA1
5a18b4bd9756112e01d4e191b45e6bacbdbf03ba

SHA256
deba461b426dcd323ac46859cb5839ebe85bd426de851a7a762e0063ec9de254

SHA512
d41e7d4d1c9ffc4877d82c8fd010626c3adb82a2e8cfbe1cfcc925fe16815b61b0645df6f59e544f4cabf5c4bdd7171c752c3d4b0144888ed99a6c752c0c6f17

Download Submit
memory/552-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/552-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/916-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4900-47-0x0000000001110000-0x00000000029C5000-memory.dmp

Filesize
24.7MB

Download
memory/4900-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4900-46-0x0000000070B30000-0x0000000070BC8000-memory.dmp

Filesize
608KB

Download
memory/4900-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4900-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4900-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4900-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4900-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4900-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4900-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4900-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4900-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4900-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download