73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
293s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
5708	b2e.exe
1180	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1180	cpuminer-sse2.exe
1180	cpuminer-sse2.exe
1180	cpuminer-sse2.exe
1180	cpuminer-sse2.exe
1180	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4412-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 5708	4412	batexe.exe	85
PID 4412 wrote to memory of 5708	4412	batexe.exe	85
PID 4412 wrote to memory of 5708	4412	batexe.exe	85
PID 5708 wrote to memory of 5252	5708	b2e.exe	87
PID 5708 wrote to memory of 5252	5708	b2e.exe	87
PID 5708 wrote to memory of 5252	5708	b2e.exe	87
PID 5252 wrote to memory of 1180	5252	cmd.exe	89
PID 5252 wrote to memory of 1180	5252	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Users\Admin\AppData\Local\Temp\5E4C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5E4C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5E4C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\60DD.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5252
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5E4C.tmp\b2e.exe

Filesize
8.7MB

MD5
6dd0d14e549ae8854b9e84498dff98ee

SHA1
86cbac2ba655c8bb85359e899efcd0bd7ef80e38

SHA256
bad1331494da08b5f87df625120bb215228c65e2b34c77b456eab7aa183d2e00

SHA512
b32a2c5950c469044d1fdb4b9f515b4079f5b2d81c5af1f41e1afa2a76a30e9bbff6d478459e94cdb7c7bb945735659bafe9f8a8fe9694b49bd06ee2f420b17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E4C.tmp\b2e.exe

Filesize
2.8MB

MD5
938103a50095e1f2b5c1945ae1a8ac95

SHA1
250c9a5edb017b5ed9d916911b2d19e1783849a5

SHA256
f618dc500bdae579ca84e119d629aaf6f6d0462837338a0e847416dc40773772

SHA512
1bf1331f70b6d9ec1e35d4e2ed134b15e4205f9efe6b336b45e1787d20c70cbc0ed013f2d1f5b8d4d4078cc42f1353e52ddcf6378a8ab365267dc615e3759812

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E4C.tmp\b2e.exe

Filesize
4.2MB

MD5
4e28bfc981daf085bf9bcfc886fcd149

SHA1
f156cff33fcb2d90383a72e140e594f350cfc8b1

SHA256
25840c64954f929c95df2f78fede0e1e2abce3e21adc4d06725a5eccfd8a6058

SHA512
45f836f5104ff28a10254abe95e0e61e590a287d786ab286d29a232862b2f5d16d398f62267e0dd02c23ffede6db34b2e526cc630ab4648c7ac88da817c39e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\60DD.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
801KB

MD5
1a32105477d018440be9b9826b029b92

SHA1
392d683a829e16bab6434ed1fdef5a0bc2186afc

SHA256
5ef23305e7b16605b0dec613234ca1ca7669fe452c28549bfcb69bff137edada

SHA512
6bd6bb4394537a4f7e7ddf5e5f6934b08163642f0d0d516f7443a0f68596cf42f2ab3006c716689371546a82de8e3207a5dda0085e9552ecd8313cb2c0f08dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
715KB

MD5
0abaf80b7cc8d20e5575fc76830c6692

SHA1
582978d64d0f64bc13ab00d92f7a9e20bd90d85d

SHA256
48d8bf4b64a5def46428132e86ce38a55b48222de6485cf0732bd340391af378

SHA512
0d1975a985d36e8094166b4afa20a29483a75a307ff403872eb86350a331359be83abbe6a17878012d8d70b6f880c1fc7f293f8d7c052692b88bca74fdd28764

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
825KB

MD5
f16842d97cdb35bc10186e8465c6ce06

SHA1
5551abed090c4bff0151e3ea972754d7b483eda7

SHA256
bc73fb66f6175db85c86758a4aeee7ea3e8c9e22ce0e06ca9c7361e3d5400c8a

SHA512
990f81a7b10845840c54a7e5dd3dcef7a4ec75606c22b3fd7dd918bf2a6554c5f9b1cf2c8314d0aacf3b9ad95ba2c6dec8b44f7cc5d998465ab5d6507f0fbc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
796KB

MD5
02c68056761e886dd5fc47f18dd21750

SHA1
9f59f555c6cfdab8432651b8e612165730f49476

SHA256
a3fcc569bb48a00ff45fe7f42f55514e8ff8ea6cfed800925fbbf7d71ffacf4a

SHA512
d7f71b2e6dd17965897dec925529bdc31ba52cd4f145018eb60190140868a221c8e3bf3e5063267cb8498de2d8ae938c6f172bf3535f1f1538dd0565905df046

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
534KB

MD5
5362de1e0a89d1953a9ca902422dfaa7

SHA1
e579cd28ef200b98cef1d84ece18d3447fb62d26

SHA256
f9fc49a2f7145e20d2887f5ad1e66940a00fc8c374d6d7fa12772e6a8fb94874

SHA512
a3a6f0be528107b9af5717ce5b2fbab82762485140f64dfbb401cee67c01f6dc7b55e911f3e9c70be14028533e7658e20a579bce30c11b46312eb8d22e3f5e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
786KB

MD5
68acaf6ccf90a77ca2061c7de9d1433d

SHA1
370d89349614bf7b140ad9f8dd45b6c25c7605d2

SHA256
67c252f2a6182037537197d0d1a86bf629dd9118858ccc762cfacc9387f06e2c

SHA512
727eb420eb421be3f6f0c4c1a086689471ce89fc3b92103a690e071afaed4b3d73eaaa78214f86a06c05a78711034a0bcd5931a953eac5ef48128d4fe30847a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1009KB

MD5
730616d4fde5258b6e0230aa3236b30a

SHA1
c16d3236f5f58969f0b334df0f37c20a996a6990

SHA256
a216c59c862943ee6c24d883923164b3fe32dfef0d3b437d0d546ff9bf557d5c

SHA512
f8a12b9290e5ed8ae15f6d3c01052dbdce0ad9aaea7ffdae6af46e1fcc0d559547cc23f82eebed775fc6962630094a2f08588021746def454538683fa7941e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
693KB

MD5
6b13ee803b8435a9ff36c6daa38ef992

SHA1
883666fe62fc75f4a178dd2c6b0de83f8cea06e8

SHA256
e4b2b7001ab2ca683eab7409e9c1b806116b52c218aa10e278537b81e7939564

SHA512
29f8c47f4565bd7fcf456361eaa9322789f07242861061724d5766fc740c06851ace897ede365ec37f592aa789b9d68f3d89022913e83d95f8ef9ef601ec2ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1180-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1180-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1180-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1180-45-0x00000000721E0000-0x0000000072278000-memory.dmp

Filesize
608KB

Download
memory/1180-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1180-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1180-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/1180-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1180-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1180-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1180-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1180-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1180-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1180-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1180-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4412-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5708-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5708-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download