73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
304s
max time network
311s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3724	b2e.exe
2716	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2716	cpuminer-sse2.exe
2716	cpuminer-sse2.exe
2716	cpuminer-sse2.exe
2716	cpuminer-sse2.exe
2716	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1168-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 3724	1168	batexe.exe	85
PID 1168 wrote to memory of 3724	1168	batexe.exe	85
PID 1168 wrote to memory of 3724	1168	batexe.exe	85
PID 3724 wrote to memory of 4792	3724	b2e.exe	86
PID 3724 wrote to memory of 4792	3724	b2e.exe	86
PID 3724 wrote to memory of 4792	3724	b2e.exe	86
PID 4792 wrote to memory of 2716	4792	cmd.exe	89
PID 4792 wrote to memory of 2716	4792	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\9B70.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9B70.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9B70.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B4C4.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9B70.tmp\b2e.exe

Filesize
1.5MB

MD5
20cf49475bb72377c93d9bbdf890152f

SHA1
1ebc10e957ba58b5372d1e93223c324701d82b5a

SHA256
66f722cbc8cd183ead07658bc69dc5f57765f13be761958f142fb42c07710a63

SHA512
2ad3361ea59b4aa007cbaee43d44ad6f3cf634999bf837292ee0f05097c54047899efff42e361fd66fc5ebabe65ff502db0e4e952a72da8d561f2813974e64d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B70.tmp\b2e.exe

Filesize
1.8MB

MD5
7b5aa91f01298c4b5c0c2a1b0a10a999

SHA1
e433f0e6dcb6cb42ec2f27dc72a8113d394abe8b

SHA256
4e8ae7b74f98948d1026d74329a78a28873a4c644227971877f1ebe525d8e366

SHA512
7d446465c96c70794f8529a92b3774520cf86648947888ce6256800ea96c7d788a56d816ecd60a3cca00520ec6ab37320d5fd5d212fcf130422de5370f2c5069

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B70.tmp\b2e.exe

Filesize
1.9MB

MD5
c5fc3224e2f606dcdb4ef49ddff0f0bc

SHA1
b7af54e7cf534462b562948bc894ac6cafe36ebf

SHA256
e1d264a52b18e8f4bf1e73ed7aed3a0f26785e3fe9641eaa72fc6eaa4f024178

SHA512
3b7974c97b6421ea6e31ef47a6432f1d6ea9b3e5b6dd9a1ae47083242b4cc97d3434f9bf44026c09a2fed07d7e6371070830f4b23b42b008b3da0bc65b95ec53

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4C4.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
535KB

MD5
2ab6a1b9760d1be866ddc8f70b64c33b

SHA1
7beb1221e5a3aed29e721801a7e6faa08b86493d

SHA256
b3c7222bf462d6eec526abbd9b08146d131c50ee9068bdc6dd65e1797fce1fa5

SHA512
4d1dceeccfdac7748e311de385a4465cdd4bf75e96cefc575b6cba9712b708ee48e6921245d7bd25e19c29d2ddda9a1a2454c8b020945d014f93e1c7658b64fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
183KB

MD5
12f2e4079d889b32b99ccb7903c8b50c

SHA1
a379aa0c965f590a49695659d530fabc76b7d793

SHA256
1f87f7f601c2c3564c99785a1554832e25f3907de5fc9bab42e0118e7f5ced70

SHA512
9f6062f62f7650d784911efcddd5e0da0cb53dff3ae3fea19ff11fd7e32599ab6fb28b5a85c9decdfcb9b7efb2feef488873eb93a9a50d5da2cdc42bb034ff54

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
386KB

MD5
76ade282bfae9cb18099ddf47f7b304a

SHA1
833578b4dca34964bce30057ee5d10adddb2d96b

SHA256
b1a6bcbee129d73b1a83f3dd68cffe7b6b2a7f73f650c0dc8596a5082f884745

SHA512
9c4264d4fdd1254bd37202399a82d51bd0174416a071ee26d244da4ca3792b3d3130cb07e753b37262574d914a41b8a8fde389c0820f49bf931dc888dba614a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
328KB

MD5
477576c446f6c997e9825674803c45e6

SHA1
fad0b755e1ecfb9d5c5f9f4e0cef42a20cac22df

SHA256
7a578410c79577aec0c40d9470d305d985fa72a8f61e625e94e074da8c01e0c1

SHA512
f7c7c5165f46f73afb0f05848f624ab27938fc207c62cc24b5c75bd2972169f4093cfd244b3fba5e202cabd0fd9e4ba81443876286d08bc7187ce89dfe890526

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
68KB

MD5
1e1757b62cb130f71a1ab3be14bac9d3

SHA1
1d284fccbf5f82265c002ccfef32413a6c1c1ebc

SHA256
5554950ba9411df611bc18e823dceaab97c55863266546de4b64e80fab4bc251

SHA512
c639ef5d4accc2766559bf860e61b600ac227a6474d6af7e63cc75746604a9b98d080e680c28b70b9634d5cdd704c9cf86de747db4baa20a90e9ae84362d0573

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
24KB

MD5
691af3d99d66103ed40229b93671f7c9

SHA1
7d93f18ec0c01770d5008faa51b4c59c433fa03e

SHA256
a871052909dd206ad113e4047af77ce22fa6b652c9b0913f17995762daeca786

SHA512
e547e705a5a7f4f4b9730457a176ce69de5783a3b375159bcca894938f593787d97922320e65be7370569c01bbcec9de8becc2f771c5c66bec46c5053e0da6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
10KB

MD5
54307a327e6365ffdbaaaf6a43012b7f

SHA1
0d2c742b4117c5760320961fe68f70e48e3fceca

SHA256
f6915b6baafe70981942524c63474e8198d497d782be9cf78f5f8d1c08d88c3f

SHA512
422fb87ce16f3dadab614b3d219f47ea96a23fcc6de919b1865fd1a5a5274b8110764a7766af5a74cb036f3342131b238098f9c7939582b0e484046b0f8c5acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
36KB

MD5
fb21c10049c3445f9b45d146c3e583a0

SHA1
0d8146bd9d05b8ab7dfbc160d949a748956fc035

SHA256
eb04163912570480202ee016b52638bcfc30bfd0f1e06b93682edef6e94ea25f

SHA512
8b452843195fad966136abf61c62f47462d0ac241f6a4ff90bfb64a2d99a7bd6550b7133f23779a5b01e1f9b67f4003bfc1916ebfabf7d206290ec41bde9d9de

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
65KB

MD5
0c282a439019544f5682a8b7c0bfdf49

SHA1
89260fd6682037f33500a5e0511680aa87db9735

SHA256
567258980a9c1da7540f029bf40d00d752bd0a2043469f55c6a8fbd0386f144d

SHA512
3fc46dd75db46b8c00c3db21be41c84896a1c98845232a65f971d611a3498ff89f176ea2f6ed67d110a7654542d7f2e18c67d872781ee00d1ad5514fc89decdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
75KB

MD5
1b515a2df0d106301f4295588495912e

SHA1
cf2b29f9e21a194d209a5b897b7c8d5f69bfdd8a

SHA256
49920a1767ac9e721a6064902c0e20a703c267ce37ab83f07a0a2353d8442ffa

SHA512
1d53cd94cae78d5b518c74da3108fbdaf83e7b1d3e912f5feeea534531cd3f54487cc828fb618cf3f820efdac166b056d5b3d2dbf265309c2f3da1bc14dd0d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
135KB

MD5
5afba3e1ce31dc118b25f59f036ced16

SHA1
9990e35dbebdabeb7cc45eacfe3aa011d0104ffe

SHA256
78d6e2c3c0b0c948d5d2627ab1ebbf958a795d7a0511a21eca4ef7af8f7e2a78

SHA512
73b5afea391929f71e68d37c53d3c9b622ce8afdb9e129ca3d5948ab395de82e81ed69707882051a4933ba6a5dc8f003d56b8040e24380d854a4d10456605d49

Download Submit
memory/1168-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2716-44-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2716-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2716-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2716-46-0x0000000051D90000-0x0000000051E28000-memory.dmp

Filesize
608KB

Download
memory/2716-48-0x0000000000E40000-0x00000000026F5000-memory.dmp

Filesize
24.7MB

Download
memory/2716-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2716-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2716-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2716-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2716-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2716-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2716-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3724-28-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download