73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
302s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 17:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1284	b2e.exe
1756	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1756	cpuminer-sse2.exe
1756	cpuminer-sse2.exe
1756	cpuminer-sse2.exe
1756	cpuminer-sse2.exe
1756	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1636-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1284	1636	batexe.exe	81
PID 1636 wrote to memory of 1284	1636	batexe.exe	81
PID 1636 wrote to memory of 1284	1636	batexe.exe	81
PID 1284 wrote to memory of 5096	1284	b2e.exe	82
PID 1284 wrote to memory of 5096	1284	b2e.exe	82
PID 1284 wrote to memory of 5096	1284	b2e.exe	82
PID 5096 wrote to memory of 1756	5096	cmd.exe	85
PID 5096 wrote to memory of 1756	5096	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\5D7.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5D7.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5D7.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CDC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5D7.tmp\b2e.exe

Filesize
15.0MB

MD5
afedcc7df779c275834cff0daffb052e

SHA1
39a8ef48aa724ab480af29c35fc6a93b59bb1173

SHA256
80748621c05c97d781ca489f59d115ba94d895c34ebbc484cda88f6174522fbc

SHA512
b2011b26a1abd83406a0d8429927f6a455b93a7228b2ca69cf8a795fd8f64b3d695b43f7610561ff1fa72049755133f2222f0f03351ce8d2df988f1964943b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D7.tmp\b2e.exe

Filesize
1.8MB

MD5
d01f97000802d5b1cb1d402fc757b562

SHA1
cf2755b18c123d59c19a4f75bc82b2a40f7b0634

SHA256
de53387f4c021d64b10252542999661e41b1175bc783eb5109adae2b293f3093

SHA512
3eae416a241a573f56c10890a9012b3d8237a81b43a7a7844618b6323023866043ae43334d887ef9ab2e67924cdc875a21d49840622196d41c60d4ed4a457c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D7.tmp\b2e.exe

Filesize
2.1MB

MD5
bf7ebfac312328c1d993254fa424cacb

SHA1
45e5b8cbfbaedb44520c66b4708b858b760bbcd1

SHA256
352b1ed1ec43f04350c4388983737728333b58854fb9ca6e95caf3c6ceb7d177

SHA512
0f7ec1e1c7b0ecf8b6a5b1da104bb80f87bf16721c97cbc40b0c0913e665252f19225630ca2250b62ed9559f597a10188c7fa8a643a60404575d45920849dc81

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
461KB

MD5
ca36daea922a0bd5d7e27173338f7e9b

SHA1
620c812ea714861ffe83b22b7d30fe95b408a750

SHA256
391cded4733594fe6995e39b8d566607ca35752be9a6bcb65c0ca1a0d7a86cd9

SHA512
6dbc03ea13fe8da79305a4104c6a23899e9b197ccffa95ee7ae4bd4e7ef10c6e3fdf7ec359d3a9fbafdb55f3373c49957f20de20c3328d88682f815dd71c92ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
108KB

MD5
3eb4f73215e762356a18e84aa40b6f0f

SHA1
f32cc57ac31046685b92f15eccb9cde7dca19f34

SHA256
a87ede2310becf4dbac75581651d20d8488e2d88d1a4a2cd73dc87b9a9f8d13e

SHA512
a8e05e55d78fd33b47903acb384bd6b29ac19fe6a02e0a657fd3b54ed5a52e31b93b580dcb274eb263d1196fd4d3a252fb8f6d3d1f4aa5545748eca116a63091

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
173KB

MD5
829c53207bf4e862a4545a285b0b87b3

SHA1
f87f4b0c61c8470cd2aecbd53843dc91d226bd59

SHA256
79308f48d5e91d2d78b3710ac9c34dfa445df31ff4d550fb410f2dcd6033f292

SHA512
4d07af1ac53eeb425e6623baa616f20ed1e0717b720eb8dc0e53920fbd096cde43814499a6b13d185c13abc2eee506ba497a81105a3890ea9dee0b872a46228d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
104KB

MD5
d7e3330b69ada8456b5c1bc3a4b71392

SHA1
7366403e07343fcf7389a96aef4e1a0a7310f6a2

SHA256
5472ca14087703af92d92276d08e1157c39c5217825e4be45dee7728cbe1cd14

SHA512
e69c8b63b308b29aaf5f327a355c0ec415e2b010f42b64a48612ad6cfeb977d0eb3de06c924769708910bf4f7cd888dbdb23d9322ada70636c7bf4095807a8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
64KB

MD5
7fcedb6e973c5df3b6652a2afafa6a13

SHA1
116728803559ab58a8127544df80b75a0dd1c6d2

SHA256
fd7191afdecd35b78a0c0ca0457cbbf42ffda1e52263cd785abca5f047b18825

SHA512
05c86bf84079a2cc13dc7a1a917a0839ccd2b18e0440c4bd419c99f65c4161ac69a9447f56bdf6051b2fbbc49b7556fc3717432d0e293dfae2921c0701fe64fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
169KB

MD5
d47c0fa77c7de0c5e0d8bc5bce1078f3

SHA1
9741bf9a2f12904c0242e249f2238597a4cc5b4d

SHA256
171ca3b2f948036a93a47cca30ec79d45d2f85949ae946d51f5f7eff12a8a501

SHA512
1fd02017bc904ac31ceb25ff3e7e5a6050d3e71ff0d22c47b10852f91459bd0dbdcb5651083258d20e60d631825126f296ab2771966971a184d6ca93bed28c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
73KB

MD5
dc2fc2dfaab3226bffdfa2e2624a12f9

SHA1
8ee4094ff772032bfa11f8dffc800624d8feedf8

SHA256
e1d8270184d6f95176a2afff1b680249ce6cf84ae4f72ec422345916b231a7a7

SHA512
699703761855a52f736f4152297e2bdf6f43a144f86ed8918fbc7e06e0ed2c9ffd126866293b5498b10c740bb2e545e78fa450c36d20fcd9d16776947528c406

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
109KB

MD5
9cb53b060375885464db05bb241cf227

SHA1
71dbee39b2a0a5ff956150f9b32c74a9d63cf6c7

SHA256
28148dce0ffcfaa028723649878b497841732fb71973cb3be19286eda82dc4b4

SHA512
01b151862d8c137769e49a60d14ec526a43ece2453f74b9df910ad7cd59959cb8cc543e685de1e75b209fc090659e0b061d32c5189b3aff1b9969606622e3329

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
14KB

MD5
57bc28e77ba7f02252d5d1c6ebeb7e33

SHA1
03d31966e052d14ff5f92d69ceacf8fc886e003c

SHA256
094b3dcb3308d87ee8c065d27dc1e0ee818c68d37312bdbc03af9c88f20914aa

SHA512
c11bdf493da9bac705cf4d31330ad4bfe2e93c5aa6c0812c47906645e441981880cd651ab20b53e0e9770053d8e3b5a7acdd515ec74f6e16a8c2cdccf49229d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1284-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1284-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1636-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1756-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1756-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1756-46-0x00000000635D0000-0x0000000063668000-memory.dmp

Filesize
608KB

Download
memory/1756-47-0x0000000001060000-0x0000000002915000-memory.dmp

Filesize
24.7MB

Download
memory/1756-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1756-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1756-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1756-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1756-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1756-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1756-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1756-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1756-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1756-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download