73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
300s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18-02-2024 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3028	b2e.exe
3768	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3768	cpuminer-sse2.exe
3768	cpuminer-sse2.exe
3768	cpuminer-sse2.exe
3768	cpuminer-sse2.exe
3768	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3316-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 3028	3316	batexe.exe	85
PID 3316 wrote to memory of 3028	3316	batexe.exe	85
PID 3316 wrote to memory of 3028	3316	batexe.exe	85
PID 3028 wrote to memory of 4760	3028	b2e.exe	86
PID 3028 wrote to memory of 4760	3028	b2e.exe	86
PID 3028 wrote to memory of 4760	3028	b2e.exe	86
PID 4760 wrote to memory of 3768	4760	cmd.exe	89
PID 4760 wrote to memory of 3768	4760	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Users\Admin\AppData\Local\Temp\83F0.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\83F0.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\83F0.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8FD7.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\83F0.tmp\b2e.exe

Filesize
7.0MB

MD5
5e3ca49334f6c3893592120a5c0f9913

SHA1
a69fdc59ed5719d78351cb12bf25e2b47f8b93ae

SHA256
eb021577be29d80a37a789d6eda0fd4f153575b27b0b3fe3e633e25400c11f8a

SHA512
f279d55d68e04949f09b84085202224ec89c2ca2517481c5d4500616667e9d41630725a3272ac34081289e29f2fc1be41b462aa8feedc580fd50202fce21a01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\83F0.tmp\b2e.exe

Filesize
3.8MB

MD5
ab398aaea1c77b495336563318b8e199

SHA1
eafa864e75cea8535e0c71247a5400dc6fc2985d

SHA256
a76ef6c8f2ad9b0a0780034451987f348f65a7feeefcc64fde420a978ca0ea16

SHA512
c7b8b5d2250ed64b620f8801e7f0d044804b65901e3aef3f084b26ac6e0f837a84016481c3b114d9c089decea462ef38702b018713457efac7b92bd7824e9ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\83F0.tmp\b2e.exe

Filesize
5.5MB

MD5
b8492d8753b33449eab5fdc1847d1035

SHA1
ac08b88b9f3882272885c609ff3fc3bf06639be8

SHA256
f8844dcc47c630dd69fc4b7c967349b4719607fbcc135fce9bd687f5c5a584e7

SHA512
09e8bf9a2290e1bd08fdf96cc4fd9772e95c7af7aebf4b7ac574958101af1ffad614b83ec1740000df5da18d13c8b83d6c3c0f8aedf8912ebb6e69fc3512e07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8FD7.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
53KB

MD5
9256e08b21dbae21ae1198908692f089

SHA1
5aea7b823c181f44452f47a8ea178c3fe7022137

SHA256
d7bc305bb42578a48e0543cde5722b8e3377028751bb8a5853e44cfae9998934

SHA512
03ecdb98542f289e175bed3ea95914960b8fb950c3de3a8058efaaa7c6eaa917d4a673895ec8b50f8efaa0d0179aa214032663356330f0008165cdd659cc8f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1KB

MD5
188a47d70938e27a394a0bc7ecf0369c

SHA1
97eb7cbcdc7fa30dcd99fd3866d5d2ff9e2e36d9

SHA256
7e026af94439b7ce11daaacbe7ea28359476d6a91fcd49ae1eefce611d8bec45

SHA512
166e254351f7aef46a4c1c4630f89992d4d87bb6b5b0f65054fc1c00c52ef44e9f1ab47d19558ad299a2557f6640a7e56c917b5e239ae5e85f2cd50191bde1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
42KB

MD5
127f4d4d1ad84c2c3ad76c6eaffdf7b7

SHA1
1c4a40ed7926c5d096618437e858b23956122613

SHA256
f45da784610fc4cdca29e5a9803920c35509f8d9f9a1a30af0ceb80133d08bcc

SHA512
bd24008e2ed302598b047b2616f8dc40680673c4c1db7cecdfb7ca6d129179c8af4a09c5fcdaf97607534921c03f43ff6a6efa3ee4ce9fa99d5efadd66d312eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
15KB

MD5
88b0df511928c415e9697b6c5a73f5ab

SHA1
214146d14a77ffe339c8408e435b70e49e2b4cfc

SHA256
360e754525c09d38da50f253441aaabe645b6263a086ed463f28a23715e25e92

SHA512
1d3aea9da6b90015086890f9abfdbb6dd5a3ebbf095c487338aa9a79b07bab423485bbbe0e34d8222cded365d8544886dbb716ea7ae3fd691655009b827fe390

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
716KB

MD5
09ed84c8fe4fe0fdfe5a12f129cc06b3

SHA1
29ec156e50ade8b9794e597b30cf03251ce82d63

SHA256
4887ce2616fefa700dc14667424a7f3aca1cf277b6d089cf7817b52ee1220841

SHA512
4f5482569a5ae6e8b26824fc2ff778ab2a53d5ccbe55f4fc20238fc76f140db5cd8897f407a5b9a4a88a1b6a4da154e0f6626777205f0d3f41e5b54008559ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
838KB

MD5
cbdeac1ba60a85403e4fc6d9786d417c

SHA1
a6ca5db0c8aa16e09589e64be6aff223fbfea385

SHA256
f818d690c37f5c7207fa57353408a67eeecb1e2da7894f158381904ea67b76da

SHA512
97c78465376047e8442688bb3d35a2f785f706322bc4ed6530f2f6f2c7c605586aa43fa854529aa99192d97dad2feec634a5027dda83a0a22d7a191b34ae9380

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
710KB

MD5
7d7d356e6c01f4e2787badd6efdc316c

SHA1
6889416edaf1d1f1a5b4761f6ce20140bf691ec8

SHA256
eff469813f2323acdab6132a51cfb6950fa7718f33e3df4708f653c391057715

SHA512
dccc6ef4bc44c2a6e4363d956d89cb754a1fa55b1d341cedbdb01536490e4e8a5f09fdd985875be259d9e34e3ccaa3eceb7bd632bdf1ac237bf73b0fb9340ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/3028-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3028-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3316-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3768-47-0x0000000000F20000-0x00000000027D5000-memory.dmp

Filesize
24.7MB

Download
memory/3768-46-0x000000006F190000-0x000000006F228000-memory.dmp

Filesize
608KB

Download
memory/3768-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3768-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3768-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download