73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17/02/2024, 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
3924	b2e.exe
2632	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2632	cpuminer-sse2.exe
2632	cpuminer-sse2.exe
2632	cpuminer-sse2.exe
2632	cpuminer-sse2.exe
2632	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1652-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 3924	1652	batexe.exe	85
PID 1652 wrote to memory of 3924	1652	batexe.exe	85
PID 1652 wrote to memory of 3924	1652	batexe.exe	85
PID 3924 wrote to memory of 924	3924	b2e.exe	86
PID 3924 wrote to memory of 924	3924	b2e.exe	86
PID 3924 wrote to memory of 924	3924	b2e.exe	86
PID 924 wrote to memory of 2632	924	cmd.exe	89
PID 924 wrote to memory of 2632	924	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\73D8.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\73D8.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\73D8.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\76A7.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:924
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\73D8.tmp\b2e.exe

Filesize
11.6MB

MD5
47949c67deb165580cd231a8d62fe24f

SHA1
26bb55d71c7f5427d7d9ef91bed1f977fc0d4888

SHA256
41485153e5d1302f1c7e048bc6e6a83090e375961ace90dbf385fa911e1f3985

SHA512
2603677b91cfcb35e57ec2020288bb2a18efcc2a20c0e14ed01dd4c390826179bc729d98d1943af506da5a974dc4c9f5c690e498c919ec8555809aa59a2363bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\73D8.tmp\b2e.exe

Filesize
4.1MB

MD5
d2c419a721d788c886ebc0bada6a278f

SHA1
94d19fe33b785b89d1060ce3dc9ae4a228791210

SHA256
650228630db655f08faa08da1e0a36d140c2212db9c910251b7805de8e8c46bb

SHA512
59ee192be1b742861e60745fa7c44ea0a8ece045f6c7938ff8d83cc8d59d171a12d50fec02c3f98493bfe1a2006183e13b92063011e6e805379f31510f44eb0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\73D8.tmp\b2e.exe

Filesize
4.0MB

MD5
7a400794b4f5a387864a5ce494bc6f51

SHA1
b9d86a7749491ccda2aaa3556c9925c8db34c767

SHA256
e32fe27c76793d6fc36c74e9db721a58b31d369ebce970b170fd36f27f31267b

SHA512
f3ccfa05ff5d841b7d6558553ca90ce5c842645f9ea082a24f1cf2f30be9d7c05f97102ef1e344257a1be0c25afcc4f02dc92227ca5005d1cb85c0944adc527d

Download Submit
C:\Users\Admin\AppData\Local\Temp\76A7.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.7MB

MD5
0db8ec7cd5d858aea8b2cf7f3af355ad

SHA1
d2e0138c2f059a698a83b07ef1eed88f07e0dda6

SHA256
c028eba85823331eb919a16755b12ea16c08163c6d6f6f6ea47bb8b8d396ee23

SHA512
aac206aca7eeb7077895c828a2389cc184514f969481faa6f27a5b54454339c48972165a485f52f8eb9fe15666adf219b8225d1669e53bf67a4ebdd38c946b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.3MB

MD5
1f4f7f9418996ab144a239b1cc3f43ba

SHA1
1516201d454c13e24d048ce7c019fb2869015299

SHA256
69a0b1acd6f2f4c458fc5e8a452b4216de003b869b0c7ad8d528a0d4acc51df8

SHA512
2ea08e43987d565c339e8b4887f67a89f8aaa51359c49cb4fb812135d8f6ada8cf4cc4ba723d0c53fccaba7b63e5a498c6b906f8a72afe5b9dd05f3b97dd729e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.9MB

MD5
7df61c76f9103b3d6499976ec5481250

SHA1
8624730ebb5008bef2acdc8dea174d72db393c77

SHA256
5406c486105e496cb339ef6a0f22b57793d18aacb0f00d080694e2cb2dd7bbad

SHA512
8c7418e81c2385ab90953abad00d97f6b8c346221ca0b11c27a21313299ea0b330453fcdbc56be040a955b49ff5862fd22ac7a66c1c66e4046be478ebde91799

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.8MB

MD5
5facc6a57a3b8634eeb08113fd6fa543

SHA1
58c649943feb76bc701c4071ae7d9ef583ce15d4

SHA256
1cebdd22d06284aac9e431a3cad2c12b1dff7d5794ef61e536efcd1828fa72a5

SHA512
6fe466b7a5d21dfe9683d939a7cbf6f729db6e8fc1d9f64cc801343e89c92d8a7588c1c0f2151a9f2601b5e9969ecb805ae0212976b1ce24a37dcfb6516b8cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.7MB

MD5
c4240dd73b87a290b61fc2da791a94aa

SHA1
4f0fd1dd905deb4a8628b63f14659107fb0084e1

SHA256
c655c30efc80eeafffe5c5f57629d0259661604b1159d2e2fa432f3667de4da9

SHA512
4e138a96281a169c88dcab0f9943c8c3d20f9847abdadc1da80ab9209d40acf4fdd13ba4f3322bf3882df750f7d5cfbd8bd2ae94609abafccbbafe095d25939e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1652-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2632-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2632-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2632-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2632-46-0x000000005BE40000-0x000000005BED8000-memory.dmp

Filesize
608KB

Download
memory/2632-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2632-47-0x0000000001130000-0x00000000029E5000-memory.dmp

Filesize
24.7MB

Download
memory/2632-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2632-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2632-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2632-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2632-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2632-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2632-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2632-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2632-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3924-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3924-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download