73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1124	b2e.exe
4372	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4372	cpuminer-sse2.exe
4372	cpuminer-sse2.exe
4372	cpuminer-sse2.exe
4372	cpuminer-sse2.exe
4372	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3232-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 1124	3232	batexe.exe	84
PID 3232 wrote to memory of 1124	3232	batexe.exe	84
PID 3232 wrote to memory of 1124	3232	batexe.exe	84
PID 1124 wrote to memory of 2264	1124	b2e.exe	85
PID 1124 wrote to memory of 2264	1124	b2e.exe	85
PID 1124 wrote to memory of 2264	1124	b2e.exe	85
PID 2264 wrote to memory of 4372	2264	cmd.exe	88
PID 2264 wrote to memory of 4372	2264	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9CBD.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe

Filesize
4.1MB

MD5
4f52d9fe21699e428428e83a5a6aa37b

SHA1
fbcde27fc982026f78a6579ce4e305d3403682cd

SHA256
b141b875c64cc46e53575940f40c868a38d0cb0ab96d7b6940bbc09ae97ecb34

SHA512
23a9248639c931f4416d0efe3f336d25c90a20ee28831a5c2e0892d7f8d7d32684387d3e1b1163b58730588785be768bc3c4261e23712152b853d3204fbfafcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe

Filesize
3.8MB

MD5
cdf0486a813fec93e26cb2d3644e3b75

SHA1
58af4a9361cb13a89440f4566e09cd609bfa027f

SHA256
8db216bf32c3cce6c9c0d51ab986bd9a6bb76aaa8491c9dd60719e198ee18ff7

SHA512
a0fd28d32f91ff53151014f65de87a515121d8c09808529f817a4c2c6ff52c9853738134c198d08f0db36600baa6a0a45c6d3753c7eeb5f3567d23cb2572469d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe

Filesize
3.1MB

MD5
20909bc54622cb27872afc622d90b90a

SHA1
b2643c0a26f50859c66a490f7fb0e97163a2bb20

SHA256
b8f2043a5c521f6db1cef46db66abb3d1d6d1f4f2b34a71c64531991022210e8

SHA512
bbb9f04e27baf945530f58b204eaa5ad61e5886c10e9e6b02a3cd70c0e091ec6a27c086d584b1291980076005b15b42dbbe8c747088088c331c523b0cd70fdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9CBD.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
462KB

MD5
62a0e1c244d2b7067c9ac4ee4cda4ad7

SHA1
cc88dcfc94850016136979ce48b4631403da6565

SHA256
c3802a9aeaf5112199c856ac67dc7d6470c5740a8c01a318e276f85877f8e59b

SHA512
715b5f7bd18ff0db5c6817d12491327362c807b841288c641741363199b659f1d16b0eeccc16e8f9540f0afd23f1838376ad14f7a840d514ff197424205be044

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
330KB

MD5
d74f5bfb9a5578c17a9d1d1c758d71b5

SHA1
515a779f4d6ef4667c9ac232204c7bc5c6de65eb

SHA256
38337c1f4720a64b0a420ae08a5db57118234ce7a2b06f723004e578a8ae0288

SHA512
d78d0e002a6f2f145eb9074e4e68a0796bc61f58988d69da1c792c17b1757495fc8159778751902574b51df120c7cf0ef08c199759dccdd87fb5d6ea5c82b687

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
389KB

MD5
0032d45848f9153482e2555ed7c8ce81

SHA1
f18c589028ccdc9d098ede1fc36b3f8e936ec86b

SHA256
6321acab2ecfcf74378cfe0c07399dd00eed3438f3ccb5f2ee612cd635b00d32

SHA512
d337e744afac88768895be36cda46006fd604e096a52500824743b85ca0b76823d293c7fabef20c2164c2eaddf278ba1fd7667f809764190dfcec89e8b79ff74

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
186KB

MD5
dcb61e362b4df6e6f9b53898872b0bfd

SHA1
bb7b1f16fb3bf0c4a43255e61d284a77995b2067

SHA256
4cef3126f038c1107b5607019ffc5609186599f709933ec0ff13873cbf1f1fac

SHA512
2f6ce566cae75a5a8fa1d063174130cb54d03958aa722512c31ce40550570daf72b10aca09f48ecfb5f3a112c1b1cbe6480889767bf07f62e4f06a4148bd1497

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
413KB

MD5
b06086ed4cdc0c3d64f455babd7bcada

SHA1
0666aaf3f7b75aac6e959c9edd8c3d12c8fbc53f

SHA256
f199ded042d774bf6b7af03568d0579678c56e2237a8b71c958199c918a2e484

SHA512
8c73fdc35224f28918bf423e38d894d9a7fe583674746b11f42074e849ead0c6684913bfc9f9832788f59e3bb2a82de4e59cae52aa29eba209f3adfe68834ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
157KB

MD5
b5d2bb4edab3800e8ac169aa36c363e4

SHA1
9d5bd846b365ea078f35a7275ac43c3821b0258a

SHA256
5dc65cbc4a612ff6ec8a527a0bce1c06d6ed4f4e2c0d6c33123466c1a0f00c02

SHA512
0a575a2f17cea9717e9a755dd38c3857d504a720b087f7d50ae654e772652a82cd0a6f71d1fee8220ab71c10929d57929675f39e5e1b0ca15d6e9657ed44d754

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
219KB

MD5
894d4864d1c576aeac9b1ceb9dee0a37

SHA1
98858cbd096e44867adc4f4d34872b22649b4572

SHA256
cd1d6b7db4764141f87a1dfc83077583725c49573a6bf062f059c8232ad086e0

SHA512
908d2355ea82dcb17c83c4e6d19a311e7756ba8c9514a5031af898ed52ccac1fc795b09b34d62226b9b62a1c1c0db4ec10b033999e04fd1afc7a57acbdc5fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
137KB

MD5
9e490a84bdf62276c87b883c6c3c30e4

SHA1
407fce7aac51dc36339e222f2a79b0863cc49dab

SHA256
716213f353d39a4fad1eb93e98b94968511d844226ddf89df38f6a8493fa0872

SHA512
661b1374ef204ca92de99579883492f83c9aede586c46279455591edf8f45a800554a825ca99505752ee0532518b62d492e3be925254682e013f0d336f12691d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
262KB

MD5
e961112246c8a30183ed8655be908beb

SHA1
6c7de22df5df9601e8c721d96edad0d5dc1250b0

SHA256
5bc2992dcec022d4d2a9b7492f91967bc332728f89b4f58294e3788d35a806a9

SHA512
6922e4c9f6effbbada429b37cdce3a84db72d53263786328061a673521ae957ec98a15cbac22340588ac17afbd6e863a410af1d0185d211bb8a55ca648452188

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
280KB

MD5
9a3620f953bf73c1b9b52401fc9760af

SHA1
c630a55bcb1cfb9e880aa6885815f619a19379be

SHA256
aaa525cc945f0f1f191ece3894ec0d036aa46e10b0cfa90331d03856dffd1734

SHA512
3e5751cdc3c6ce441a3a72b044f5106e011517eab7f0a393bf1dc037ad742d262a650e90401ad3f4a091b1276b6bab15a4bdda7c84d1ed189fa9ea978e940a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
231KB

MD5
cd611b331242bf691c9306f446f660ff

SHA1
abe803a96ef7e94185a4bae7f1ca86492ff95997

SHA256
2f6a7359058044fdae5d226de56a09d9e074852bef1707442303349b275e18a5

SHA512
0bcc058e28001fa9c60cd48894b654c55c6286359eef192b170b5f8666d8b0ebfeefcb631452f2950fcff6307a36f3bba8f28688d9985afff04d91c07f866574

Download Submit
memory/1124-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1124-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3232-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4372-46-0x0000000061140000-0x00000000611D8000-memory.dmp

Filesize
608KB

Download
memory/4372-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4372-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4372-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4372-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4372-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4372-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4372-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4372-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4372-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4372-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4372-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download