73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3484	b2e.exe
1328	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1328	cpuminer-sse2.exe
1328	cpuminer-sse2.exe
1328	cpuminer-sse2.exe
1328	cpuminer-sse2.exe
1328	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3964-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 3484	3964	batexe.exe	84
PID 3964 wrote to memory of 3484	3964	batexe.exe	84
PID 3964 wrote to memory of 3484	3964	batexe.exe	84
PID 3484 wrote to memory of 1676	3484	b2e.exe	86
PID 3484 wrote to memory of 1676	3484	b2e.exe	86
PID 3484 wrote to memory of 1676	3484	b2e.exe	86
PID 1676 wrote to memory of 1328	1676	cmd.exe	88
PID 1676 wrote to memory of 1328	1676	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Users\Admin\AppData\Local\Temp\95F6.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\95F6.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\95F6.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\98F4.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\95F6.tmp\b2e.exe

Filesize
3.2MB

MD5
35d614acc52ac1f063676559357ef3a0

SHA1
38bb0f406b81b4c032d7958594010287638ecd96

SHA256
397dbf36993a3df62c00ff4c243d4fa121db1cedc849f2463fde7f4b6b8005d0

SHA512
0c20d72bef049a19448ff7864f4f57a113dcbaff81dad6c45b4073cddfb9e719f5053242d98d312263a7bec791a002f26c62a24b83fc755a5ee1f47a7f8427fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\95F6.tmp\b2e.exe

Filesize
597KB

MD5
c28a30757dc0c1834aa9c38c2753b2da

SHA1
b0d6a2a316626a198b02dd354dc54358f309cabb

SHA256
6edaabcaf7ad031eff9e063159e3a8548a46d2d1c92e67475e5b44d6811cf10b

SHA512
60ff2d6c8464b7a1295876985c35c459cf2ce922a51f7309985f8dd9a736ab12c8d9a730edce09f41aa523c70f6f437492f20b8af43c9e1742ed40ae7d4a4bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\95F6.tmp\b2e.exe

Filesize
512KB

MD5
e4d2817f5e794155ac4a8a1445b9d728

SHA1
07f6972ab84878cee3a3e158cf9b0b27c8ad175d

SHA256
24781b2a837565d59faae5eff35a839726a5aa2f952f46e5e5b593f53ab6774b

SHA512
9ed2839db8465f9eb07d9bb2d29e1a35cc1c2e0b8c8f52007248752df018c899135e6d3f944e7e1363b3d5fe4928ccb71725fcaafedfd3cd496307619cf164f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\98F4.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
320KB

MD5
59d36bdd941feb6c770ec68a37e8c21b

SHA1
1191d1e478164cd720974ea1ad2bc248999a8d45

SHA256
d5227dca74d9be12116b359c9d61265b102c0986eb6196e269cc3e3b895c0293

SHA512
b1620dd0763f2f7c263ae69c71eba7cba29d89f1bb551356abb7073e4e7013347345c43f2bad3c4733300c5b98feecf2fd91db2a363c9e5dcdd87f170edbe406

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
4c04282fe6b38e50fc79e766bf90d3a1

SHA1
04b150cf9193a284d9da43e4c4be38ec7c7b8931

SHA256
3e744f69739594a52a595e2fc4773bdbefa71d09de11731c4c62bddd9f8debb7

SHA512
cca56dedf44c3b981ca5c148bc8e165c605f16650ae4ded3c3b1bb93dd21c5399064c68bc7942602fda2148b2238a60e7160c1b23a677a095f41499935aa8007

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
192KB

MD5
8c933a591c8d0c1fec1da393587d09c9

SHA1
65f4672c0e0a6a20436fbaba57dac8c1a5fc5e51

SHA256
c22ca427c0e65a0bb3e011afeba5244dd5a6e9c0327cfc7d15c4875083206b10

SHA512
96b84267fd9b7c5587c74e30d5f647acabbf6b09feac19784de4e046619fcae78f2e6aa98eb7f06fe13197bfd9207b9044b09d5248480421ceb23cb01d511881

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
286KB

MD5
07ef60f09c45890ac30f396e20e03bf1

SHA1
89a27e36d17f7f29bd4379668904785f753539da

SHA256
8fa18405208bf457b29298c60ca1f0ec4c41a4de8e3241696df27c7c4aaebffe

SHA512
f6698fe8f3343833fdd304b40d1d4811a6805f606067847136cffe9f5039732c6e50442626b25d0af9386ddea1c625c078a39bf2f6ae15dc594f390598605df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
35KB

MD5
266d605392c7c5e9d92cafca4a186989

SHA1
599c572d0f2e2b80f529e97242844d24780990f3

SHA256
8ae29941fe33a297a0ae87c3b367b8e2e67077c66f34c21237c2f0234b05bb46

SHA512
85638236bd70643813b3ae95bd1118b2e2f1e382bcf69de3245dbed34d2955b6a2c5a4adb0ade99c39f2a23012b399d59202c6ee6e80800755dedfb572704edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
204KB

MD5
35299bc0a0ec7a43d4410990a7a53da1

SHA1
64e9f9b63c8b525cb3b57bac4a556683dce59538

SHA256
c370d71cbe70c71909752f1da9e55141803900c9215d64e33f3e41d14a4d3c07

SHA512
307158110b33b0fab4e4ee6566d5948c21b8935451ae02c948f2044e32942b4a8ddadf9f2b2997a38e0db680fb356693089956a30c5f02fbad708cd4ba44730b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
443KB

MD5
042fb890a042875f56de7192ec146f29

SHA1
da2183193ca83e7a6d657a2d3030627d503a8cbe

SHA256
d5e6ebacd7de984e42617336e22e2cdac8dfe6b5e402fb3d33ccf428aeb50d8d

SHA512
93ded9836a23aa9cc3554f21d7eb30ea76144f91ad97df819d2c3ea9f921d82da183584b68fe0f0cb2b7c989d9929246d6930fde0c08f1e71c38037104a0bf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
155KB

MD5
b9b90f14242d6a8535b5581a2129194d

SHA1
9134f81ce992b01118db12c7c582a7890a574a1d

SHA256
64f242a99f7641b2e340df541c79c9bfa2cfe88d2c58c4982413933abc9dc71e

SHA512
d99dd0b71b7faab1b139721805f32dd44d3dec7131e3aa33e96325c0fdb102d40f403362724b80ffefcbbe77a6c1d11107beebf6727e44dce56457ca6093ba73

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
612KB

MD5
f919df9037b8774104cbd32586cecfdb

SHA1
7aad4622c10823d98f409fd1155c89a7bb0a62fc

SHA256
3d180377fb4b3978a5f6062175b465989f30de1bc42b8222e1dbbc346fa79fd6

SHA512
ddb4e370254661a55a9992ff85966d8148849d335bb32ba5cefb107bc09a7f1ea6c155d77b393f5acba81bfd90d436cf04beb7f6e94fa756e59c3644fda851df

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
92KB

MD5
cd89e90e6ace3d5fb268fe1f45396147

SHA1
96517bdb91c984e50353bfbacf2f875d61f7ba61

SHA256
2c69f5e4d2198a18785149c29781b9d49d1bc02563b5f9b2d183c4b312e73d77

SHA512
47af42f14d06f54cd5b404f0860f9bfb0b09c0346402763bf88ee32b47d9ceb21eaf57e5d86a0c2a7c056dc8656d188d725cfcd5afecc215ecc3f9257c138116

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1328-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1328-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1328-46-0x0000000063360000-0x00000000633F8000-memory.dmp

Filesize
608KB

Download
memory/1328-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1328-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1328-47-0x0000000001110000-0x00000000029C5000-memory.dmp

Filesize
24.7MB

Download
memory/1328-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1328-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1328-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1328-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1328-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1328-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3484-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3484-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3964-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download