73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
312s
max time network
327s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19-02-2024 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3972	b2e.exe
4536	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
4536	cpuminer-sse2.exe
4536	cpuminer-sse2.exe
4536	cpuminer-sse2.exe
4536	cpuminer-sse2.exe
4536	cpuminer-sse2.exe
4536	cpuminer-sse2.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3144-0-0x0000000000400000-0x000000000393A000-memory.dmp	upx
behavioral2/memory/3144-2-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 3972	3144	batexe.exe	88
PID 3144 wrote to memory of 3972	3144	batexe.exe	88
PID 3144 wrote to memory of 3972	3144	batexe.exe	88
PID 3972 wrote to memory of 5220	3972	b2e.exe	89
PID 3972 wrote to memory of 5220	3972	b2e.exe	89
PID 3972 wrote to memory of 5220	3972	b2e.exe	89
PID 5220 wrote to memory of 4536	5220	cmd.exe	92
PID 5220 wrote to memory of 4536	5220	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Local\Temp\E5A8.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\E5A8.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\E5A8.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\765F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5220
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\765F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\E5A8.tmp\b2e.exe

Filesize
514KB

MD5
840fe5c2a3e2a8819adca70baa8833a7

SHA1
46f543475d3a4cc26e938c0075c5c1b78b596e95

SHA256
565a72f8712f5c8fe98d12a12c57ca119e2a43844e1910b723bcb8dfbef7d3ee

SHA512
8738aa558e857e808e402f44a60bcf78aed3193ce6820566aaed139f77ffda1ceb8653fb8d28bbd0cfda46a6f106b3dbfb8361c6c5bee5f123a317daa2225c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\E5A8.tmp\b2e.exe

Filesize
527KB

MD5
07ef234fa683a59ce1201701e20e713d

SHA1
1c27f843f2d2528f4d3b5821e9a51a2f17fac027

SHA256
3e0d0c2a0d08688af760b0976b4429c94df08f01920f8cba4c516548cada5199

SHA512
bd32a3975692f2b2a08f62dfe55d2271f5db850dc8248f40502566e44bfdab3c9fca99481d8e574a9c3f80d002bc4089237ee8849bd63792a6ce7dfcc2a02e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\E5A8.tmp\b2e.exe

Filesize
572KB

MD5
27a7c81fdf654be5f950ba528b0e4b48

SHA1
73da3d1bfd24ff43b581411ec18e1e760278560e

SHA256
de786c151a90e9779d1e848853ba9bba6e9625bbead498e393534505ff4de763

SHA512
99081d5b396cda70ded45363048b731be10b33f1becc8b44a0cb68d1283f66da5cf6bc963aec836d4ce9c1027400a35258f7601b7733763a04a3205f5b836df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
507KB

MD5
69c3884b620f378ab6ced3728c3471fc

SHA1
f54a7b347b612ff1b797e2056fc2caec5b06af13

SHA256
fd7431924cda874edb3515a5985885dd434a7e944eca9ee496a5fb306ec5d41c

SHA512
bb282d48acbb1a85cdf81292df7269f09245d33027c95c96ee86d2cec0ebd4650c0f36cd61955437a82d03aa5ebe5e0619983cdbd86c950561bde229e181f2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
793KB

MD5
d46394247d2a07f0c7a4778483747016

SHA1
73037449dc5161cd7c8139c36f01691fef46346e

SHA256
b8a4c8343f53371bba011a27a4db64d8da97414aa7c8e5fb6630713433de99fe

SHA512
7b2525bdb8739bf744913853c0135ba14dce1789c05281339711d38533284eeda9cbcee6b767bcc893a67e13077644e379a70550da6c0488d86c341b3fd81c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
407KB

MD5
6b856dede888d9d1de7f63f5f1ed6bb1

SHA1
6508e19748a1ad68392d2898cdb8ad4aa0b254c2

SHA256
ddc6930ee79704fc8f539d5907b6b00a9383134507ab93d75c24e88ac85f5bf2

SHA512
fc8c9198f8eb6a4dc264657f541bc6fea2fadef2ad690deb5c45a1603b574f415809d500637cc647f8c9fa69f23862fb8ce965839eeaaf25d362cf15ab3eac10

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
287KB

MD5
6d57c0bd0bdea6c5931535d43b6c2af0

SHA1
b624ecae97d0db5a97a68656a3f66baa08f3d6c2

SHA256
f12dbc85cb90a020667c28cb6e3199f291c51588340c1758637ac23df15238cd

SHA512
89474bd18bfd570fd26e20142071207dbe008f057a342678ee8aa8c633603b3dc15f598836c764bc623271b5a23b78ba96cb6308b419f36c4899e2a5560efd42

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
544KB

MD5
3ebdcc49cd2d0e864bef25443e13a01a

SHA1
a32a639698b28a6405549652c96c90715693b919

SHA256
4843a5f955188cc1097de12234b1ae42af999f226aa4b8669b4f8c1fa9e6b460

SHA512
616fa0e9f8e03ea90cd31d67367f7901e20dca3aa1fd348e971295107502c3dec54c83ad2cb60f7049385b50f0f20bba66a4307773c94f451075a2be6b88617d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
638KB

MD5
c9e01b8d14a82be34d90ca8430350699

SHA1
a0a2f1bd5eaf52174da080774e63ffb508ad694c

SHA256
5a78b1b592266983c2dacbfcb48c91fce1f7a1a5ff092fd6bf8e45f255cdeb79

SHA512
507592c21520e5cef0f064622a30611be3e6ab13c298e7334faa56df7b4a4332c2952b259e4370c749dc5d66f002f2b5f48701676fb8464de2ac3b431d1570fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
243KB

MD5
ca8d73a8bc4c4890ab5f44c1219d8b98

SHA1
a9e9e435180f1fc157fc4826ddf34216f5160808

SHA256
cd2759f78c91c58372c62a64504232d340609484eee70f5308092cdbf4126541

SHA512
b328bab66594e4c1c32916bc957bf26d253237f2435e5028b2983dd0d70990c9c9f10e0fccac4c23aec0f35f4a15eac4715cb3b669a374c7a4d9babc05178205

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
104KB

MD5
cbf1d108413367912d47eb1444f6e7b5

SHA1
d493ad4488ca8bd57b28737dd2bc6b0248c6b069

SHA256
ebe85e9c8eca312e076751793dea1945025a4a5824468b7cc3ff3213d6731e60

SHA512
6a48495d9664ae3cb9ac7a0b69dd58b77b1415bf573c82db8b0cabd9c23e661e955e7dd7cb225428313a812697ac88f08e3a188dece195167467f66079933c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
467KB

MD5
d34bfe94bd98c76bbebdbf41f56d69ca

SHA1
d70916ae56012af26c894b228ed9b9f2d26d0f47

SHA256
5bacb012ab733e93757f08f172792b6c18928be9ddd1e88c7e2c4d0d8a25872c

SHA512
934a752ba6666aeb1a7ca61119936967c185146a1dce8cb15a4b01ebb35932c26e2a1cea777244d5fd6460e744c310265c2f676bd9e2844af1e78323c8fc565c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
643KB

MD5
313f8bef44d0b45fa04b3bb4a5faf312

SHA1
36e434c72e0a01bae976e07bb17715c8f33d1c97

SHA256
7ff074dcf966d50e29922acb174a12a4fd7caf354c7b9d179e3fb410c896767d

SHA512
437eea14d6eced15af3a0d16a489c15d68221cf03c046940945add507ff3d76bcc13f50fa247d99ad7df9e77df2ff29f2bb34f32d93ccc9e55d5c33390413bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
291KB

MD5
81b8eb7c1a4ee44d559f40e0b51426e8

SHA1
ffaa8bba3438db8ed4f16382709de0a511d0121f

SHA256
9b8ff5fc6a129476d680d7d1f44f732d05cdf2c76a0cafdda22b3d41d4f6047f

SHA512
9f5655a45b9e0a17b0f84584dbb0ae9c3c80a39cd0c0e5ea7e46c1fc6d211771e7c39362b127600a1ebebcc2da4df5dd4493904788113332d5e9a7a4ff9cd6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
185KB

MD5
9b5f1cc6193ba0d39f20dfa501516c74

SHA1
66b507e2cdb4c4328948d77a95e1e14b8fac57da

SHA256
67621108681c844fde6f9ba671bcdc7e57e16b369cffcdb4ab41f559445b28fc

SHA512
2b4328d3c1f2bd0ab4e8cb0439a7bd2cd4ea79b2724416020e216fe33b4740977d39474800b4200d4ea1962d52de801ce94cd62aa7a6ea96a7b3ee8883c13cc7

Download Submit
memory/3144-0-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3144-2-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3972-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3972-12-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4536-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4536-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4536-54-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/4536-52-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4536-51-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/4536-47-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/4536-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4536-53-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/4536-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4536-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4536-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4536-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4536-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4536-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4536-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download