73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 16:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5168	b2e.exe
4308	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4308	cpuminer-sse2.exe
4308	cpuminer-sse2.exe
4308	cpuminer-sse2.exe
4308	cpuminer-sse2.exe
4308	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4360-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 5168	4360	batexe.exe	85
PID 4360 wrote to memory of 5168	4360	batexe.exe	85
PID 4360 wrote to memory of 5168	4360	batexe.exe	85
PID 5168 wrote to memory of 3288	5168	b2e.exe	86
PID 5168 wrote to memory of 3288	5168	b2e.exe	86
PID 5168 wrote to memory of 3288	5168	b2e.exe	86
PID 3288 wrote to memory of 4308	3288	cmd.exe	89
PID 3288 wrote to memory of 4308	3288	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Users\Admin\AppData\Local\Temp\5CB6.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5CB6.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5CB6.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\630F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5CB6.tmp\b2e.exe

Filesize
24.4MB

MD5
a69f20b9e2b0914878dd0853cc5f7e3b

SHA1
72f993258b0db72219c1eb404e239deb94c226f0

SHA256
eba35ca0224661acec4437e4882f842d9a7eee726f55b032d2b0c7c6a28aa962

SHA512
47d6a467edf4afe526b92ab74c636d8ddddc2e5ddf83a7c503226444e5009bfd3339a6706ddd0db5955015ec4a47e4d2d9c220b8076eb53508355f2d91f9707f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CB6.tmp\b2e.exe

Filesize
768KB

MD5
41acb3c7c35169437c8e50c36e39f5a5

SHA1
6b7a95c8fb404247edb7430b46e931495eeba0d1

SHA256
77003c5f07279f31ace3879feb99ce0568a05bc7bc56ecd5707bc0581cb6016a

SHA512
670b258078f3ccd9e3e710a994d95d406094dab87b4e4e11e3b312a7883631877ea896bc53150cb8b9bb8a0500df129005973212fce0541978df505edbe7d145

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CB6.tmp\b2e.exe

Filesize
1.7MB

MD5
7b9e19cbeef48d1436f80636d98f1e29

SHA1
211ab3ec2dbf56621bfa6e7b4af51f6d59ed7e22

SHA256
ab3065d4cd6d2916257227617fba70a92bdb7b65f474d9a3b5a7910c6791775d

SHA512
cd561dbc1747d3f5e1a799a1d6f13d71150e273835ecfd1f84b00e742b04a23b41daf83db404ef527c1531f665bd6e74a4fc62bc84759208b958a4803063bdae

Download Submit
C:\Users\Admin\AppData\Local\Temp\630F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
767KB

MD5
c2a2c235f26e13d0ae514253b4919619

SHA1
02eac41f6680f1adea157d4fa624891c209fcfb5

SHA256
9897637ad63a0c8e56fd9bbe6058a2f873cd548fb1da3ffc011751d1ce0a3b5b

SHA512
66fb0493133f46c175e3a4822032665eaef508a3b92905744b5bd65ab37857826145232455444ac5be18c6ed3cbf743f8e19e97eaaa30d35618ddc66e5b763d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
512KB

MD5
a879c5fd4613dca566d5b1a782690dd5

SHA1
41c6063b0f0dee953e99713a5326856b55e08366

SHA256
3ee76359d6802a8fe11c5b144e18ffd3833bc7b49d66f190621d41e41ea0fc20

SHA512
e20f8f40822ca215c75767b8d4102583cfb3812c74dbc064a8619f214c164ab94da6bee0ae42c794a0af1847ff30c295b34d3015f87bfe597dba80339871ea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
512KB

MD5
a5993c0dd7587f1716037dcfe1f63091

SHA1
9a4d23ce36f5fc5791692b47d977c0bf92842879

SHA256
568cec1e1bdccf401232a78c8ecf2081fdaea221f0a7c777a69ec61307cca3e3

SHA512
c5457590162dc1a0fd6b179ba94f19e6265e2ca226ea1ec553358f568690bbc158335ee92c297ce699b2928d44702733269f82640d86bb499c1981a5903afc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
388KB

MD5
8fbbaa3b8e26f8fc3003133221ee9896

SHA1
84b3edd72bcd142f5f9dca02cbca22ca047b29e9

SHA256
373ff8f917948f34237742ac30fa1b94a13bbd414a6824c38fea994a434225ff

SHA512
c03a1f5dcb51978da9d9d1c62483e0819cab5a8dc8af6d9db200f2d4da630dd0d52a41c454da261621bfcac5dc8ff10997d2f233e4b00db0f8de0199c8a05fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
512KB

MD5
6162b21c54b88c5c990e82aee951ebb4

SHA1
477384ab8ebe5f5a5d5a91603736d9ef53c12fd4

SHA256
462eb68967c7205145d0b92e4f3b69297f616187b07a189178f35f288063aff4

SHA512
6264ee49c4b8a6eaa69241e10ff9ab39445f85a57b756b8bc0530b45d77827d05e669dc06b689d4693db34e4161ef11b2cfe6f1954b0b90bcd434e81a938a40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
376KB

MD5
7564867eb4a249dda14bad64817a6a51

SHA1
a55501d7158d736325feeb0d423f77f5350e9062

SHA256
de4ed0a50748abf2315222ad45b84077b971cc3df65ff5bf8cab0fe2217ef7fa

SHA512
157ee50b2a7d482210d9443804da8ea1ecd7c44cb86a88a67452b8b5803364669a8cda44d1a73bea69fd18cf3c72c2b564573acacff37a67d073e3e7e99bf29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
384KB

MD5
4cb3a8d3af58faf78da4dd33a03029db

SHA1
5356e4fb04a7047f6fc82a4e071e4803f97a0f3d

SHA256
86df790940bd442466ea58a434a31aaaadd1d23a9e9bf5e6fe625ff49049d620

SHA512
244237f4a13a7666e9f9592451dbb8bb18ca1f828d66f97e2890fa8f6be690d8890848102a8be253542c9f4b154d9f0e1aeeee5a867c866b78b64f9949f48c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
315KB

MD5
7e30bd4998bbec23291a4a505128fb37

SHA1
f148bd1cac534f3654bb6b981e20f1d4965da905

SHA256
d9144d155d2e73a8bc4a3f9d25b7572f5404b9ee481a193dfc3a7d969e790c23

SHA512
39ef25665404a783d73bbd8030b7608baf64164e1f235e6231adbc2d6c3fe8b07a227315379caa629ce51b7512697bb093dbcfba41963b3067f3789308cb8685

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
256KB

MD5
1d86b9560854472453237bcbaa2e253f

SHA1
5a03a7902d250377a3e9f746badcb696e2c98228

SHA256
1493703a430c68bdcedcb4078486daca39a02820199e7b72017c7b1af66e1c8d

SHA512
afbc3d7f8e06e41db25d666999f4d162af7054a66b17a651ac8a7f092f83580a067bfa2f558be65ace5966dffaa8735fe7a579e88bf42b34eaa3e72cdec96699

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
384KB

MD5
eec15153c344f43f1919cb379b9ee2f9

SHA1
3e4a09390ac885ea2797209603bcfa1ec6ff0cc6

SHA256
4e4d7ecae87e8e656c61af89ef17146baf33fbf09ffbde6ae971d04e8e8f9222

SHA512
7cdf3552341d14979838f8fedf9ac63482152f193ab8f7e0af281ec50b2a43312d78c0e22e79989818c5041538fa69769350e1e6cf0789a165be1eb11ee29908

Download Submit
memory/4308-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4308-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4308-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4308-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4308-46-0x0000000073350000-0x00000000733E8000-memory.dmp

Filesize
608KB

Download
memory/4308-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4308-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4308-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4308-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4308-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4308-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4308-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4308-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4308-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4308-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4308-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4360-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5168-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5168-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download