73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
300s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
836	b2e.exe
2368	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2368	cpuminer-sse2.exe
2368	cpuminer-sse2.exe
2368	cpuminer-sse2.exe
2368	cpuminer-sse2.exe
2368	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5240-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5240 wrote to memory of 836	5240	batexe.exe	85
PID 5240 wrote to memory of 836	5240	batexe.exe	85
PID 5240 wrote to memory of 836	5240	batexe.exe	85
PID 836 wrote to memory of 2604	836	b2e.exe	86
PID 836 wrote to memory of 2604	836	b2e.exe	86
PID 836 wrote to memory of 2604	836	b2e.exe	86
PID 2604 wrote to memory of 2368	2604	cmd.exe	89
PID 2604 wrote to memory of 2368	2604	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5240
- C:\Users\Admin\AppData\Local\Temp\3CF4.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\3CF4.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\3CF4.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5C92.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3CF4.tmp\b2e.exe

Filesize
14.8MB

MD5
9b09c129be2b578cb0b77153f9773970

SHA1
ca614ad00f31c2edacaa3a1f1a71b6405e991f30

SHA256
47e21900706aef859211893d9f8251bf01134e0ed9a91af3f9ce831b3b8565bd

SHA512
2cb7bc5c5c3e4087120000c4e929b103d24bc452d5ae6b995257990536ed576409b975800e13da8b09715cf7a88390107add2a2470366153bba945685375efe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CF4.tmp\b2e.exe

Filesize
898KB

MD5
3e22f41c1121437c170ec22cd3539713

SHA1
6e9369fbf7634339e65487417798c28429eb9609

SHA256
46f6907fd26468e923d22ea93c95eaee3ba030bbac9db749aea989bf37d9baf6

SHA512
82b039d418d4c8fb5ab0dd8916009cedadd072ea53aca64aaf6ad186f5399680a7f23169a4f828340041a51572d2f3a2b4814e754787a07aa2e25de1fa52a500

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CF4.tmp\b2e.exe

Filesize
78KB

MD5
affc542ded9dabb0b582cf2bad98bb67

SHA1
14cfb2da0f8c0d2f12f22cddc7c0459eb1de37bb

SHA256
e001293c9abb393c501260b545c356577cfc1322e341559dd904a2f4e9b41a17

SHA512
0e6746662f1f8fd0e6baf5f5d36f547c8a0f7b1bafd5ca62220cee1f3e79cd7f6c0785f0c2671ee49af04cfe9fd2c1a3ca57f5b7ddc0e3f5e221a8a0e12c36ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C92.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.2MB

MD5
ed2636f6462778ba1696ebce004dda34

SHA1
f6d3823901a4913ba99e13c4a71a2bd27838d31f

SHA256
359d243e78e4323e8b049bbb1cde4c8511da0dcd1b7f8cae3e4bf6fb894ff091

SHA512
8dbb2b866c6a1b4eefbede79cce4e7c3e329fe2eb231f9f057bb9d5f843d400e5e7e6e3b5a91584cfcb1ce52209f38041d5cd605f487b078709ed6a61433d96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
f03efe7c4a1e0e6d69d20618c830e6cd

SHA1
5d48330237332c36ddf568104b3505d0cf8bfb19

SHA256
f2069113c30f06beb00f2ec316eac7a5dbc1717d304ad715ec678d654b0a1b66

SHA512
c1ab69fe273855efcf547573d77c34240a33d54fa912037fe2dbd736343f0b0e44f05426bd27e774c48f7ea37d9ae8b845001cdc00d0369d50dd56d5ea8a29fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
603KB

MD5
5e9fca14d28765410d1662a1ec9ae42a

SHA1
67fc89edbdc5b1e6a2de1a4518f630adad160186

SHA256
f32e5505a964d616070ff66e8dc90ee03df20309e045875238f26790aba42187

SHA512
b324933c610e2082dac95ce543dcd2e5090be50c7df3df7b0b6b4e9948c2256fdcd518991380eee99ec24aeae9e15d22cc5eb33a014783ce68fe824e864411be

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
699KB

MD5
c01746b5a2dbe7f1f3f39eef50b1a985

SHA1
482a7f2d37eb496ac341e1b109e3c9e3a26658fe

SHA256
5c974e18a7d702595ff6ac1e3165ff83f0d29deb772e865e19243d99e4c5c5b4

SHA512
cf36bb737f0c94cc520a5f7cd4a2a6961c5e8d97bff6a5e21808a67e55f080d863b0d546f2255c1fadc7b949ee9f5c67fb0931b5566c871bb35f6e17f4426d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
4e2d1c598a06933d59213aa1f1eaaf83

SHA1
55a9ad84d71100c4fb668f6212e0d073f9974a9f

SHA256
4430ce991405e97221076db15fd3ebf764c0553ad21f5a0b47abab01f1ff6a03

SHA512
507a002cfee776dc61a0a46f6bf5938977b691a23a799d5dbcd16f445cd2cdbbb964f4f08ca7c562995ebf8b5e85e25508a57c7807b6f04f967e1b4a76c858f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
875KB

MD5
5715b2129e16aaeaa4bc93a5706dced0

SHA1
ef139deff2a9325a8f59dcbe9067a0edeb22b398

SHA256
1d94213df65bde510f227c26ee7fb419b523594a4f4b3eda66273410700f6e71

SHA512
ebe6504c564a2907db923bc9082772caf8d2707207c13eb07f5dc8994438adb743b39dce4ef743b333c0421f8ac59aa2faf711521bc982828f0bd55e6dd15b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
fc82b0b7afc489fdcf432586b32f0656

SHA1
b20cb680ca1067f82695a7e744381db3943e96d8

SHA256
84be72b3c6b71b2182287be83ce3957a56286d26236474e1a6c15239170c1225

SHA512
d08197de5c13285e6d3bd57d9011be3aedaa9acaafeaee53c2ea5fcb7b982acbf1170169671c957b453e9e60142e3e3c06181219bc4812127c03d94677762613

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
932KB

MD5
6c31b7bc9578c43a460690a743709c6f

SHA1
0420ab83d3ead914601e737333bc34aa7f57eb64

SHA256
e57dacb7f7d9bbfacc495ece7567f6fba7865239d957e86d73135aaf41f4ab51

SHA512
d8075529870b6838506567315e1e370da1939755d635e1d3c7a089d48a05b62bbdaf0137756d9bdcadaccf3a54dc59b561eb16d303879c792294eb0ed4dea179

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
830KB

MD5
ab91eb752617b6d80a8907939fa3acc8

SHA1
eb235e12b78e57a9ca9a50079cb1a34ff8ea558e

SHA256
ed45c90854a2e7a74f03d19f7700be668ff9786feefd08f6c2972b1ac015e6c6

SHA512
0ff911384afcb9f14365cb75ae5c142808a0d1938bc16d291910b71ce6f90f81cc35b60109b603f0356a0d6e7eae4428ab4e4a9cca135e673f75d6cc536b00ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
513KB

MD5
d28f6c24fd786975eab6ed849036b1ae

SHA1
5553b5a3fa7eba289444a24f28631a4d8c5aa493

SHA256
6e8104752ae37768ec28acd0862c310ee88a091667c600138e88cf8a8f150e7c

SHA512
05eea4922364d25524b33ca0f6a5c542988166b15d513225d4a0b5747d9cea6a3b66d54a17cf0d8f68603cdcc23e16cae20613c5a86ffb7948302c0f068fb6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
547KB

MD5
04f23c2140364f62a9e06e9414bccc4a

SHA1
9f9ad5b03d7d7ece82ab19d26dac43bcaae7cd18

SHA256
4772e820661a0bade809e86747fbefb9606c009d17199c11f11e9ebed4283557

SHA512
a1afeb9b8b1957e64746b28345f29349e9537cff2777f3f289f7e7a2cf30d52867489e4ef6aaab7fe4a96eb618e6be9d65d8145a8f68275670705877ca6e39cf

Download Submit
memory/836-10-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/836-54-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2368-48-0x0000000001060000-0x0000000002915000-memory.dmp

Filesize
24.7MB

Download
memory/2368-47-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/2368-46-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2368-44-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2368-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2368-55-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2368-60-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2368-65-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2368-80-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2368-85-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2368-95-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2368-100-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5240-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download