73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
296s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
552	b2e.exe
3928	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3928	cpuminer-sse2.exe
3928	cpuminer-sse2.exe
3928	cpuminer-sse2.exe
3928	cpuminer-sse2.exe
3928	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3924-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 552	3924	batexe.exe	85
PID 3924 wrote to memory of 552	3924	batexe.exe	85
PID 3924 wrote to memory of 552	3924	batexe.exe	85
PID 552 wrote to memory of 2796	552	b2e.exe	86
PID 552 wrote to memory of 2796	552	b2e.exe	86
PID 552 wrote to memory of 2796	552	b2e.exe	86
PID 2796 wrote to memory of 3928	2796	cmd.exe	89
PID 2796 wrote to memory of 3928	2796	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6E1B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe

Filesize
4.3MB

MD5
fd2b5c9dd6104be21481b1e1a0ff5bec

SHA1
6d9d1460cc11b9f1e13a57118c615bccda0432bf

SHA256
db1364c1b5b72c9172afbd21da848198737d4c85568650ff3264fdb1bb9a233b

SHA512
99576d7b6c74bd2f36e097f952cef1badc4ef1e23cc1b3223d82698544cc6aa1b63aac5c23eac01b13a984e80f366180512ee5a8924c9700fe275e5c088f26c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe

Filesize
3.4MB

MD5
048edb7141d43d7615f3d1b43ea54fa6

SHA1
8e7cad028fa4107d3cf837e27cf517430f32e205

SHA256
1247db571dca3d8a355025550a0963569d7a4411e10e9ccbf38b4029d307a73b

SHA512
77581a82409b646c687a3812cd7b490551e15ec239d95f48a1469019d0360c946b3c9b005228dc011abf53fb482715fe7e4c972bc2555256fbd54bec0dd20c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe

Filesize
3.3MB

MD5
7380ae6158c8d5b4512f48a20a207710

SHA1
cdf01e87dacbcf9ae9b33443e2004543e13fb729

SHA256
b4f3da4b2aa968bf36cfd821534027a45dbc3fdb88871df5cdbb8a31eaa21f90

SHA512
22f5b1106672567b591309855d46466e1cfee774c09782b23e0eaa8113d831572263fb48bab8ea54d574697d67b9cbac3c92bc55a3c0f2af090388005a215947

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E1B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.5MB

MD5
670c6e2a179f378a493a5c0a2c43b688

SHA1
a89f49b88123ffce78b6e37279aca49dafb5cfda

SHA256
12625b878b21f7eb41c5edbe0990cc15026e316c4dbeaab14804a1716651f109

SHA512
88c60361368917ef179b0950028fdc5f2cf314713dc5368f42e770d9aa5f2867aa0080f5022930652b9aff89c51a57d2cca3298194f92997e6fb5454962d000e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.2MB

MD5
95aa2d828d34d86f93c1b9d19a7cf0ad

SHA1
1c6654cb778f60be8ef7d4586b54f2b8df7600b3

SHA256
8783f412bb5b47ffa40a1800b0f0dc9b30064013abe3f628ce0719af2430dc0a

SHA512
7c5f8f2e6334b254f766c07576e77322f40b5fdf5068aae0abc167c7be6660d78bc8a093c4cf5499292686ef93a71d1f73bf267ded96b24ed9ecc353c7f4738b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.0MB

MD5
58ffd9d708431cb2d57c8588bca5cc09

SHA1
2dddfbccc511135b90813d2dd2c90625b408841f

SHA256
52e7c36a68ac9268e6899c9a8b52f274c6aea6b8ad3ae7af1e83f458d394f231

SHA512
0eb28c195be6c80fb9df06adb6daaf9c44c5135f67a578b5653600223ea613bb998319e7249ad9dcfc6e49c5a731dbce2123e59ca63d0a1c0ea609d10bb44790

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.7MB

MD5
64a7abb6300a13f6a01a4a295f46d2c7

SHA1
9f2b0bc95bfe62fe8d45a987bca64b7442946f53

SHA256
8b1ffee303b3a00fe64fad56cea5fe61b5dd1c4feb6084c6e06836cb20f50229

SHA512
cdc75622a281d8069fbee382982bcb532f535f41f8680b77c38f434c07adabf319b28f263628a4c426f445c4af9af616c70a6ab068b893ac4b477006e8abb0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.6MB

MD5
178fb736895ac7e076d5f2d269499134

SHA1
a439ca90ff5d7fa6fa71f83b8d84e1354ca0c985

SHA256
19feb65714015249dd11c697ffdd12f49e6bc4f0987162bf11d5f9d3083d2fdd

SHA512
f4094d8bc8cb30956d72ef6a268ac5b2918e050d65e08d976da94206f8862b6320c7abd832d4c93cc573832389047b8cbb977a89eb23fdadb71e08cceafef0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.9MB

MD5
e44f687ea6b425ad17b490a18c8dd0d1

SHA1
dc4bdbe683e7f2adc3f9b8bd8797e67bb64aba2a

SHA256
a6506163f904fdfd81e56bd0ba8284d89ad547c9cd18219456fc9dfcde811984

SHA512
0549bef142a0413af4550864079a5baab6d68f12086e3199d31f3868141ea4d54dc8f6ed6af75cb9d55f3262be7282643b5320ed6d1f325570f93e4b957c3b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/552-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/552-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3924-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3928-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3928-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-46-0x0000000054460000-0x00000000544F8000-memory.dmp

Filesize
608KB

Download
memory/3928-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3928-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3928-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download