73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1312	b2e.exe
5708	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5708	cpuminer-sse2.exe
5708	cpuminer-sse2.exe
5708	cpuminer-sse2.exe
5708	cpuminer-sse2.exe
5708	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4116-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 1312	4116	batexe.exe	81
PID 4116 wrote to memory of 1312	4116	batexe.exe	81
PID 4116 wrote to memory of 1312	4116	batexe.exe	81
PID 1312 wrote to memory of 5168	1312	b2e.exe	82
PID 1312 wrote to memory of 5168	1312	b2e.exe	82
PID 1312 wrote to memory of 5168	1312	b2e.exe	82
PID 5168 wrote to memory of 5708	5168	cmd.exe	85
PID 5168 wrote to memory of 5708	5168	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Users\Admin\AppData\Local\Temp\1A.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1A.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1A.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F9B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5168
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1A.tmp\b2e.exe

Filesize
5.1MB

MD5
d63e0ddd837a7c4b407d06a095c05e9b

SHA1
f9cb38b770a885999c1278757bca4009ba6f9538

SHA256
986790621b6ecc9267764ed56f1c26df5e7a367fc70118803bcfbd663fe984cb

SHA512
786f69caa7220da6541525bd444ada0b04bc6265c8d8fef5036100a5ba0b73e3243badda1f78ff04e152c25974787032f1030a75b3e68256d9d13b65c83deb62

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A.tmp\b2e.exe

Filesize
2.0MB

MD5
d3bc75fe08e2fe53e6d0e1ab7248d2b7

SHA1
20a6427ddf83b60cd3558d94848d75e171c0bdfc

SHA256
c722022e2f75b2007e35dc47b066c3c44780c9399398e81d521addd001f1476e

SHA512
80d4fdcc900f36f6aba366d83c6ddd70d02b1246b5fabe6bb27e1bab1fcdd08609a49284179dfece5557eeb73258d206384a043007226bcf44a0f36b8b1a2e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A.tmp\b2e.exe

Filesize
1.6MB

MD5
e33150620ec9ab1b959a53b8f7ab3339

SHA1
48ac3ff646b5a534e9ee71739625135ba9bf438f

SHA256
d6a4a711b09ff486c66fc08dba332ab5aac7787ed2dccb9e1298599f50d28739

SHA512
7e2fc878e3ceb470640088661b3234627222e6f92fedf848cda0a89f2e868121923e290b30a773580e5463bb8afd7df15f531390dc5b72d70c060d42f49253fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.0MB

MD5
65dc07d109fdeb3d206e9fd5e417cdc4

SHA1
b6749c01043a7bced8b5219c4949e26a2afcc81f

SHA256
997a5e88e8e3a4d5037026cf4895f24bbb6f3ca22b00fe8df629ed7d373d122c

SHA512
fdf60a7f76b6e04aac267b9b8babf1adfde9c93305b4058c6ad01ff54ce95750b7581e1b27f13921090dccb569ebb4617afb2bc9b52f30b85abcc1d40d1e9c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.0MB

MD5
d931a8f508674e27d998ee18e696eed7

SHA1
f4de121d0708a7f194a1c82ad43e24b8e916c0a8

SHA256
f6f89df1578ef96e1ebe5abf159171dfde2d3998b319b6905ce0e01ba4c15869

SHA512
9fad09bf72d940cd8cf767f6c3ba9465958d53eea863e8862115e82213273331a1c5ad53431625d8d167e99ead21e993a729745b4aa7ad5811b14ff1dc8581ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
971KB

MD5
64f4becb0e31ed77a04ebb8a6d760b13

SHA1
02b195800782b010e22702cc027fce26feddabaa

SHA256
0d3f3c36e49ad5008ac20afbabe2b0e4e20beb014b8d2c117b73c4edf303489b

SHA512
6d96f58e5f4ff453c88fb3b880393fb093e0fcaeb546782e8f400f35c0b7aaf91975178755eeb2899a8fd82d1487555afffdb191ce4a0064741547105c8f163d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
683KB

MD5
bb45728c2ca50567dee9533a94a90439

SHA1
0f050b8833e2a083ed168e2c2f4ebac68120da1a

SHA256
ccd0f8addbd0e7c61894c6aeee646ec519c892222ed6372563825b899afc2ad0

SHA512
798d92c5ac34cde68c3844a237680ed92ea448cf497089068f4e10be2baf147b6cd9a5e9dcf2cc709712e0ed551a3745beed6f17c3df427ed89d2ae767bccd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
675KB

MD5
09986e2f49aadcbf4135a04f6405c2d0

SHA1
3c1f0bfad68ec8e7f4eb67df739aafe7fdf4f523

SHA256
1a18d96cd1594661790d4b27f28394994e6740564e9b66e02fd637aa0d30f67a

SHA512
ed6a54c0767e0833f0a66a02e30b8b42125dea4134be5edad41d7ccc111cbb8c085e5188471f4fc1988be24918362ea54c3b6936569e276eeac10ca9c7e5531b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
893KB

MD5
4e37fa3fe627254e248323f10ce3d8bc

SHA1
a4af5cd8455366a9e6d218f47a8428ed17f3666e

SHA256
138ab4ee0b01fc9001ecfe28497ce3895af9551592b5db75e566cd18beedec48

SHA512
dfa09b5385e52d115590de0ccfca3e1818a333d1dac4379456d694da7ff8c079660830b486f8a5d47ecf892454f0733c2e7f747cdf2d48394f7c7752947f0a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
5425af0aaa50c888a78294dae506579d

SHA1
45d7f0cb155043b8187be8c6ea2f5d8c84c80fdb

SHA256
d74c40bb27ccfdbb70416129fcfcaa4edb09a27561ed484cd67786d90408767b

SHA512
dec89374dd7808008f3595d0c2ab4227a87a01d76485021abf877e65699dca934ba0a8d5a83a1b91aeb7e2d55e3544642de0f42b40cc86d5ae399890dc7a9764

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1312-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1312-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4116-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5708-45-0x00000000635D0000-0x0000000063668000-memory.dmp

Filesize
608KB

Download
memory/5708-73-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5708-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5708-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/5708-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5708-63-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5708-68-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5708-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5708-78-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5708-83-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5708-88-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5708-103-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5708-108-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5708-113-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download