73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
299s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4112	b2e.exe
1128	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1128	cpuminer-sse2.exe
1128	cpuminer-sse2.exe
1128	cpuminer-sse2.exe
1128	cpuminer-sse2.exe
1128	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1724-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 4112	1724	batexe.exe	83
PID 1724 wrote to memory of 4112	1724	batexe.exe	83
PID 1724 wrote to memory of 4112	1724	batexe.exe	83
PID 4112 wrote to memory of 4628	4112	b2e.exe	84
PID 4112 wrote to memory of 4628	4112	b2e.exe	84
PID 4112 wrote to memory of 4628	4112	b2e.exe	84
PID 4628 wrote to memory of 1128	4628	cmd.exe	87
PID 4628 wrote to memory of 1128	4628	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\8B87.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8B87.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8B87.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\947F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8B87.tmp\b2e.exe

Filesize
16.9MB

MD5
8941aabd0797c4be23d3894e5bb1c7c8

SHA1
c0536aabe50c45afe6e7885b52fce3ae7e0e7f90

SHA256
836896f7aca1a5fd6d868a8a26a0c43f24cb8f6df083ceb501c4cf78039a012f

SHA512
c3f48065a719f2278272a1f19cde5e92ca9e33592ec4d5e619460f699d59f8f1ff9b81b7512cc64651448fe2b2a99ac293750ca1c52f79b73d5a6258646ed82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B87.tmp\b2e.exe

Filesize
2.4MB

MD5
ee04099ca04456aa3ec3263fc8478095

SHA1
dc89b1634e0fff0e8203cfcfe26600eb97514e7d

SHA256
97d4085421fc14574d853c4bd8eef8f0a70aad1666fba5a51549d26abfc63dd3

SHA512
6bbcf992e0a1d670a0e861ceefcc03bec5cd5b1f9082ccd4324cca368665b135d63a332cf76bea1ffbadb409078c83d8f31c02141c6d1d053c7ceb937b68531e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B87.tmp\b2e.exe

Filesize
1.8MB

MD5
f51fe7ed64e17eb639e2b77a503596fc

SHA1
9de36c8a5bd8a21c006aabe8c222294852a802f1

SHA256
706fdab761081f7c0cbe20066009c226b25636178215be354891409ae09eecc7

SHA512
ffd4c6f3d081da80edc1bdcc52052d9965c854f7f4fe83e655da803a0fc5f9c261219ec8e12b45ba432cec0d740d314e2be5700a592e581b9f057bccfe516fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\947F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
512KB

MD5
a879c5fd4613dca566d5b1a782690dd5

SHA1
41c6063b0f0dee953e99713a5326856b55e08366

SHA256
3ee76359d6802a8fe11c5b144e18ffd3833bc7b49d66f190621d41e41ea0fc20

SHA512
e20f8f40822ca215c75767b8d4102583cfb3812c74dbc064a8619f214c164ab94da6bee0ae42c794a0af1847ff30c295b34d3015f87bfe597dba80339871ea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
768KB

MD5
7511ee8c66d17030a4f24226caa425c7

SHA1
aa5bb6b2306f01ac82133f54ec36ca2491fb1911

SHA256
e9ad1acfa96a3be152713809498617dacb74878ed3ac3ed4e5b1455cf1fa5ac5

SHA512
4838197b397552aa7c22ca54d27ec420df0629689e111c40068480f5e37879bfbc89c84245ae8b0a6b4a16ee7d75197403153151eccbbe468b252f508e8466ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
640KB

MD5
ac7d1c3bb4d3c69372907331267c1ee7

SHA1
fa82689799785ef9ab4c304b1c1a6d2d9a961928

SHA256
d22689ab67764158df7b19e8d78ec1393899f21e390f469a300975a31106c3aa

SHA512
0d541661060d7c5eed486ea0377142e7d3883b3c0935114679af28bcae0b1767585fe06328955cf59aab4fe3d4acfba525dbc42675fbce80b7d0b2300784d125

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
559KB

MD5
ae8d5c6748a22f57e557124767efbef9

SHA1
b626e84ef11eed1eb9093ba023ac5beef0907985

SHA256
218ff8e3b623485b7307085dd2dab63a8db98a7f751130a2a79eb932a104f6ad

SHA512
64fc4da18104e17394659924b9fbb3762014c68b9513be1a1bad4b5a292346650412acfa733a04e533f822cf051e1b2181a9d2e6a0006436c74ff1bc030c89bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
576KB

MD5
46e1c7531774dee6a7125727095ea354

SHA1
2248bc2bd821aded068d2e5e55f5e7271b50ab91

SHA256
cecc229ea9e416207638b67d03bc6846fa188a14fe1c9e75028afb48ff4e2081

SHA512
fa9dc86df3e0a8f7b2579785c03717a43eec14beab8ca3176f73d4ecb0716d047241ab30cd53518e7acd645e9f8282a20552a6fa33824c34afc5c5210cc69f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
576KB

MD5
13746f79a51eb8ce3107de99ffc6b56a

SHA1
64a00c99a805f8775f08cda4e4d06e1150195347

SHA256
2c04d5960f13e859d49c78a8858bdcb0c53914306eba52746105a76d98f5d205

SHA512
d0e69c6cf0078c858e8258a4038098e644d611b544b6588b2b1c9d2d2937ade0472edc96257545f5935514bfa18970f5762eb393def612c5a7027727397ca8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
15.6MB

MD5
04e88f6509b7fc523748ff24e483eaf6

SHA1
14124839be44681dea64c1ad1bfd060e0fd23883

SHA256
93f287fe157c0f3aa5b0e9375515ad8bd35b724b6fd2f895ba17a7696e7aae74

SHA512
2d17bab394e4bc397035eb4a346da5709331ae9f5fe2e19fe77977e981070eaaf113e7d2f911219c4ddc6ba262c7521b5ffc3c710162a6232830149031e2490a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
12.9MB

MD5
ab73c09f0a6010e1d8de5e409b804195

SHA1
3824dca62a11d1ae295b93ef44fdde7dc07cb8c4

SHA256
c31f33e9879d630fef4a63454fe2967974671f1a802fe5c656411c651a018f67

SHA512
05d598fce48c3662783fe36f98ba61aea0510b0404821ee5b521cd40a8370d0b9a29b6495dcb6956227780e5c0689d123abf49524320b8bbcf05c0fceb28755f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
512KB

MD5
5fd46a66845c804b88dcd97ffcd66652

SHA1
9556ce5607bdd245c8e4d6a24b8217def653f57b

SHA256
b7fd85a2268a4d62fa15fde3d9e51d6fa3bc865cb4d8e5fdca309be7b027f193

SHA512
0896697d588401a6d29c30e77574ece4f0ba699b082b1bad93964748313a5903eb4994ec81c61bfcbd75f2be3f5200dadda3fd1454381cc5874a9c8952ebeedc

Download Submit
memory/1128-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1128-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1128-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1128-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1128-46-0x0000000052A20000-0x0000000052AB8000-memory.dmp

Filesize
608KB

Download
memory/1128-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1128-47-0x0000000000E10000-0x00000000026C5000-memory.dmp

Filesize
24.7MB

Download
memory/1128-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1128-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1128-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1128-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1128-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1128-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1128-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1128-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1724-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4112-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4112-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download