73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19-02-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2208	b2e.exe
228	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
228	cpuminer-sse2.exe
228	cpuminer-sse2.exe
228	cpuminer-sse2.exe
228	cpuminer-sse2.exe
228	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4524-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 2208	4524	batexe.exe	84
PID 4524 wrote to memory of 2208	4524	batexe.exe	84
PID 4524 wrote to memory of 2208	4524	batexe.exe	84
PID 2208 wrote to memory of 1604	2208	b2e.exe	85
PID 2208 wrote to memory of 1604	2208	b2e.exe	85
PID 2208 wrote to memory of 1604	2208	b2e.exe	85
PID 1604 wrote to memory of 228	1604	cmd.exe	88
PID 1604 wrote to memory of 228	1604	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Users\Admin\AppData\Local\Temp\A160.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A160.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A160.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A894.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A160.tmp\b2e.exe

Filesize
2.6MB

MD5
a3e25cd9e45807d709d73378c2def255

SHA1
046c315beacf822681c8a1d248f08f04e4f1fa0c

SHA256
eeaa021107a49e0a778dd863badc6516234474f171d11e7e3e53e1883ba82db4

SHA512
49db659da1facf62a0540ea67eea03cabd5879897100542c982a6c2e225b7b56458e851304174f1bbf8dc2f0a3ee7a40f9d174f3c740a7379db9d5e4e9b1dbc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\A160.tmp\b2e.exe

Filesize
833KB

MD5
1cfada1929fc2a61a11a57220a460542

SHA1
c2dd85311b35eef950c301978f5416e6170232a7

SHA256
8b61c8a96e476730ac65005c8339c73fa5a64d9680432e7a2531fb377bfd5cb5

SHA512
5196136825a4d3f9135c27d942840cb67e84c0c1d3ea8ba9c93ed3b44d0cdbf9f5b14210ac64eed5f8748145bf04d749ccfdea6dfec72c3cb8d5fcf8cd08aa2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\A160.tmp\b2e.exe

Filesize
619KB

MD5
4fa0fa309ac4ae5a43c93cb4c91f6948

SHA1
49572e74a20aa242e14bd53b7f3d8586224dcf64

SHA256
9041442e433d42c95493af55387abbc7630ba1ef47ac5b226fdeb08624181cff

SHA512
16b000239076f6bccbd0d364713fcea60f284944c354b34c439e00d06e9dfad877f4de2ed3e0b4d8f1383e464434e976acca97317de8f2ff6a20a00b61044162

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.3MB

MD5
4c04147c386ba8792ac6a03069572a8a

SHA1
dda67789fc1d0f2469ca95f01a5c81034853ca6a

SHA256
c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd

SHA512
a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
6.6MB

MD5
95f427b1ad03cd73f89346a4da6a41f5

SHA1
0cc0089ddf6adeaf118033ce72ad91d0c40eb138

SHA256
5a944087be4a7bda4b40ecf502a91f335624dcfb4734666c2b91447a6cfa01a8

SHA512
d4263a8ae46a064fbb60f8638e48b203aef9c4e4af9e8c66691720b4284bcc891c8e6bdf3de97d1f451b826ddc71bc904c587c0ae1c78f90729998a5813622d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
8.8MB

MD5
f324c8613f16b8f059bd271f9886f5a4

SHA1
2b2db25b1867650b99f579a854dd631a1064f89b

SHA256
c163a67a191d8c8c572d95d4fddd8047606b4115409328b3a3ecb2eec95a672e

SHA512
93c49bae64b3171696950a0579dad96db516fb96da2e6417673163c9faecae7fb76d05f2fca15e49cae875885a237527515fbb7f6c17bd83ed66b4b0e9283659

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
7.3MB

MD5
9f4600e0182d645faca16f7ba757d51e

SHA1
544f361c7db1cb397fa4fbf80646b41b06aefb3d

SHA256
ea3aea4754074060c7dd665241a09c7bcda0d232484e67f06f1af3278206ae43

SHA512
dcd97aac8bf1354e6aca80b50f21c6d1f308f67da0de6034ac9364cce121939bbe11498633594d7c7d26961850163a1d2d9c1ce44e4529e78e05a801ce4cff8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/228-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/228-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/228-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/228-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/228-45-0x000000006D880000-0x000000006D918000-memory.dmp

Filesize
608KB

Download
memory/228-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/228-47-0x0000000001150000-0x0000000002A05000-memory.dmp

Filesize
24.7MB

Download
memory/228-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/228-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/228-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/228-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/228-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/228-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2208-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2208-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4524-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download