73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
295s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
2724	b2e.exe
4980	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4980	cpuminer-sse2.exe
4980	cpuminer-sse2.exe
4980	cpuminer-sse2.exe
4980	cpuminer-sse2.exe
4980	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2032-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2724	2032	batexe.exe	85
PID 2032 wrote to memory of 2724	2032	batexe.exe	85
PID 2032 wrote to memory of 2724	2032	batexe.exe	85
PID 2724 wrote to memory of 5492	2724	b2e.exe	86
PID 2724 wrote to memory of 5492	2724	b2e.exe	86
PID 2724 wrote to memory of 5492	2724	b2e.exe	86
PID 5492 wrote to memory of 4980	5492	cmd.exe	89
PID 5492 wrote to memory of 4980	5492	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\5E2D.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5E2D.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5E2D.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6428.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5492
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5E2D.tmp\b2e.exe

Filesize
32.9MB

MD5
0842f414c3aa00131a0727e596d19458

SHA1
49ab3ab4fb06fbc354ba9b5372943fe459808eeb

SHA256
a405e78b5752fdd047ea6751fff1b7a5f026c129863450dcb03a9d0205779a92

SHA512
fc351c5429f160e142975ac3a02efb2b793014895b0b77c787b75e4584ca6934291812f64fac71bb2dbe96691c8fdb2b068e4b8608836f30eb1a3b93f274badf

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E2D.tmp\b2e.exe

Filesize
16.1MB

MD5
e9d96c511ceb33baf9e6828443604b3a

SHA1
013a6a5040adf5283bd78dd1d2a106c536620791

SHA256
686ca37ada4aa580a616fe06edd393d6c53b6251026b360eb790c77dd8f18745

SHA512
c0530042cae81f0407e3178116121896675f60cb391744045843861367632588724686f444058dffc8fad402e3f385d189f1e48e4ea236ca14540e9d2e09ff83

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E2D.tmp\b2e.exe

Filesize
5.4MB

MD5
20849d500adf882d9a36df3ea9fc9f81

SHA1
eec879d9e0f3689133b0daf337f731aed78da9a6

SHA256
694d25cc4b227106f92ce13d2f713a087d7477676c0ccc88b7adf63bbef0e02b

SHA512
a5427289e40cbaa1cee14b1d1a6f3e00d7728d74bf082e25d9c72291576b6fba4b6a2dcaf7f3a1f84e2c68d7328cc985c853f602c7a75fd1bfb1f978af756296

Download Submit
C:\Users\Admin\AppData\Local\Temp\6428.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
896KB

MD5
9f9a8fea08bacf3a1d155567fead5940

SHA1
9d9ba8746c585446f53f442b800e1eb28a0df86a

SHA256
a22f9d8fb953e4f6bc93cdcc8aa650a5a093f1dd400fdc501d5aa7b00bee0289

SHA512
d41a048619373832c616d48f919595ac50dfbbd68095aec008b30adde91ceeeb86326c7d412ab20d937bab7096fb8165d3da8b4fdc40a03cc32da9ee3e9dc2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
832KB

MD5
43dd8ab1a0fd7f177db516faa81a9635

SHA1
66a8b6940797f3396a4f1a6deafca1fda5bffcdd

SHA256
d4b58fa7e09511b58f312b57e2067823a7f31ff5cd6369cbf5ef3667c27b60ea

SHA512
064753e38fb6e2d64a8ce067a52c24b55eb11cf714a534f3557a0e2bd2f5fba16030d8496c7787f4b272ae6a696f4b017d99771488832d12711a7158c927f772

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
768KB

MD5
e3f15c79f945604229fa814f57c79274

SHA1
19a7015dfbe622ab86c48693ee1605b26112a3fa

SHA256
7b09ee53447ccf77a0f2d7bfe25908f963d681433d3cba5a16c7f45646c42175

SHA512
12dc1df8a947caee13a12eca5a976feffd7408402b0495e4971d4bd7181e8d353ebc17da044d2ce6d1c273bb05a0ca5ddf7492394b355786d8b14b0997de162c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
704KB

MD5
903e2cfee96d720dd5200a922b637d07

SHA1
f6d639d7b6bb586abcb5f97b1b212252ed6c85b2

SHA256
443ef0fe0e5e9cff04e267b1bbbbc98b547e5bd38a853eb79d06a43a8e7d17f2

SHA512
c9c357be28d1d97bd5255d88bc64255f452867407c3aa4c99b286913286780da1204691a0344514f070b8bad391980a88b165eb1e8e9ee97f77ef02eb85071c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
576KB

MD5
46e1c7531774dee6a7125727095ea354

SHA1
2248bc2bd821aded068d2e5e55f5e7271b50ab91

SHA256
cecc229ea9e416207638b67d03bc6846fa188a14fe1c9e75028afb48ff4e2081

SHA512
fa9dc86df3e0a8f7b2579785c03717a43eec14beab8ca3176f73d4ecb0716d047241ab30cd53518e7acd645e9f8282a20552a6fa33824c34afc5c5210cc69f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
512KB

MD5
6162b21c54b88c5c990e82aee951ebb4

SHA1
477384ab8ebe5f5a5d5a91603736d9ef53c12fd4

SHA256
462eb68967c7205145d0b92e4f3b69297f616187b07a189178f35f288063aff4

SHA512
6264ee49c4b8a6eaa69241e10ff9ab39445f85a57b756b8bc0530b45d77827d05e669dc06b689d4693db34e4161ef11b2cfe6f1954b0b90bcd434e81a938a40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
448KB

MD5
ca123cec7f705c0af114e462349dc686

SHA1
75f90b4d95f6774b2f66e4ba790755ef118ab222

SHA256
7f141cdc0be9c965e21310bcfb0484b20d31ffd8a6a970f8b5a53c0e8974798a

SHA512
650125faa9ae6733f1118caf3101ca6850473f78f9bfc3a87e908eac1c69935e3bc269ffb5de4dd6e867429c1af35c7f3b9e62eb698fa7c9695d68e7115f3f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
384KB

MD5
4cb3a8d3af58faf78da4dd33a03029db

SHA1
5356e4fb04a7047f6fc82a4e071e4803f97a0f3d

SHA256
86df790940bd442466ea58a434a31aaaadd1d23a9e9bf5e6fe625ff49049d620

SHA512
244237f4a13a7666e9f9592451dbb8bb18ca1f828d66f97e2890fa8f6be690d8890848102a8be253542c9f4b154d9f0e1aeeee5a867c866b78b64f9949f48c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
512KB

MD5
5fd46a66845c804b88dcd97ffcd66652

SHA1
9556ce5607bdd245c8e4d6a24b8217def653f57b

SHA256
b7fd85a2268a4d62fa15fde3d9e51d6fa3bc865cb4d8e5fdca309be7b027f193

SHA512
0896697d588401a6d29c30e77574ece4f0ba699b082b1bad93964748313a5903eb4994ec81c61bfcbd75f2be3f5200dadda3fd1454381cc5874a9c8952ebeedc

Download Submit
memory/2032-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2724-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2724-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4980-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4980-45-0x00000000721E0000-0x0000000072278000-memory.dmp

Filesize
608KB

Download
memory/4980-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4980-47-0x0000000001040000-0x00000000028F5000-memory.dmp

Filesize
24.7MB

Download
memory/4980-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4980-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4980-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4980-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4980-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4980-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4980-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4980-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download