73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 18:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4900	b2e.exe
2900	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2900	cpuminer-sse2.exe
2900	cpuminer-sse2.exe
2900	cpuminer-sse2.exe
2900	cpuminer-sse2.exe
2900	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4664-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 4900	4664	batexe.exe	86
PID 4664 wrote to memory of 4900	4664	batexe.exe	86
PID 4664 wrote to memory of 4900	4664	batexe.exe	86
PID 4900 wrote to memory of 4276	4900	b2e.exe	87
PID 4900 wrote to memory of 4276	4900	b2e.exe	87
PID 4900 wrote to memory of 4276	4900	b2e.exe	87
PID 4276 wrote to memory of 2900	4276	cmd.exe	90
PID 4276 wrote to memory of 2900	4276	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\9AF8.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9AF8.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9AF8.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A4EB.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4276
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9AF8.tmp\b2e.exe

Filesize
6.2MB

MD5
3895d468c971fc0e777c38eefb977764

SHA1
d2ce65cd94478bda13e72418cf85745bc0692553

SHA256
fbe733c6b15d866887417f3e614391b18f5bf19b20b65c3217ce574191334dfb

SHA512
a1fe8060b1c885ae7a573e27f5a1bc016090a66c32f903af8e9cca4a4244e169113006970aedd276a60236b502c766746133bc490c948ce49a44b5b507cb4a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\9AF8.tmp\b2e.exe

Filesize
64KB

MD5
3e63d8d147aec3c4d5e3e08d79395350

SHA1
633cc399218c2915b895a83bda89bce9f37e39dc

SHA256
39cc053a2dc8074a4530b02f00bd8bb723e52196224d978d9aad3b0f75740320

SHA512
545308057e5ea490e55f5bdd7fbec20fd954f847cae6f60460a4b135bf76c4c8502d922768d8e3a96d29d4c3a513b91ebc40bcaf5395de2c50d4368fd46fc536

Download Submit
C:\Users\Admin\AppData\Local\Temp\9AF8.tmp\b2e.exe

Filesize
3.0MB

MD5
14c7b2ee0d38202cade9505ea9c03108

SHA1
2c363ef4e1e04883f9010d0701b2b52dd9581be0

SHA256
db0160116f8ccec7f1b1b4a502a3e60fc2f73a1167dcfe2f3c54981e324e2279

SHA512
9961e23166fee7a3826c47f433ff1f82122d76db1d1909503de8a6d2f7c707a1405380e9254ae20b3c27491bc4293a30c708b5f5b021991cda7ec02b6ae40623

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4EB.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
573KB

MD5
1789e32fbaca585b90713500ffdd85f7

SHA1
278e1b02c61565e77ef4ffebd1c2b80943ef9f89

SHA256
f89274ce895961086dfffdec314e51b1dd2d54e35e44b4df18258f87962fb8d5

SHA512
170b5d5b705d87ac0659149af0cb512c2ee531448c16314af50a4856c5934670d5dd33faf137c705db0504b92e757de9f4386a2b1a754cda67394a773188a306

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
799KB

MD5
85f56aff5a58f4dc55a44dff21aa04b7

SHA1
1992e699335264c572296233b9a3d734a42f98f6

SHA256
9cb69430800e5449a3438641d8b327d78aea66b0edc8b457d65853cf9dc0bdc9

SHA512
7746179068d6c3769142a7f78149f9077846bccf96d9c51dc30e4f14e935dc6106e01cf537064d142b21e74d201bb95cf0a35c0ce703beaaf519303473f63a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
376KB

MD5
ed04aaac5af07c85b54da18cf9d4c6fa

SHA1
b8a654f3e0ca40083d7989e5348bdfffb0b767ce

SHA256
ea9322c6d1e3e2fdbb47a0a555815b410e4c517ab2b9d573b5af8e15d01a7a3f

SHA512
c02fe9cd1de4e1be8110f25d9fea2088ddf52f7c81473063cfa501809a8fa490c33774b737168d3f8312c4fc7f8dd6ed56a76aa36e0044cc0e13712f7cfc25fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
493KB

MD5
255d212198ab36d560200c6b6f858aa6

SHA1
fc08ef78042912caeada28d8742c40fb27e3b364

SHA256
7891a708e42004f2e2e40f5bf0e593e12d08f5de6fee32a11f86bfb6b73841ee

SHA512
4a6f0a222c2bf6fab6b42edced5afb4cb5cad66828ed29ae07ab543710672db9271eb511542be825ed4125de8cb145483b67a3eb5bec1f6e9c43f5ec0d6eee18

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
900KB

MD5
b9c5b059708bd6d2337928f74ea29bca

SHA1
abfc1b0dc0e3c5f0aa1a0e252f319a8f0d3ac15d

SHA256
ef862c9e2ffa75961e2935be5689010f64074dafeed734ea03bad6ddc10a0c6a

SHA512
9a83128fc7f1353a7ebd41edfc3f86266fc9f05dfd959707f06cd36e818e92477d3f13d81250827a4d5c6af0500879d9c8be0cc92233baadf97934428e6a3832

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
722KB

MD5
f16c3f6b5e5735ba212c201b5111fa6f

SHA1
7930357db54e8ffb68d2ac2229e36b5dd5795a8c

SHA256
39db0d956dfe7a95d638b286a6d81983de8a65aabf65ec755d7fddc3c9e4801e

SHA512
1c403d7912657da13575daa0a8e190cf8e11d636daa5a03f02b27849f59c57146fc24960665f8c4caf9ef97362e9439877baa12dc9c083c3e74e197d263bf9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
823KB

MD5
094b94ce99de1d4940c057c02c3199f9

SHA1
b50dad6550fe3a475bd00a8824ed72dbff1d57da

SHA256
5894485922a5d92ec5a0aae0aa0f33dba25d7d661c841e9e61865dafe7c566b0

SHA512
3b683ce42b4a7a2c53c07f6ff6a7db6fd8874dde8b68c9af59d0d92a803d82642f23550d50a65e679fee8cff89a9af0c0cfb88139ea68713df430608553e887a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
729KB

MD5
3ef77e93d7810e196bc784e4994e9ad6

SHA1
7212c1dedc640601ecab21ffbf06a92ab4b966b2

SHA256
0f207cce5ddc109cfba76d4e1992293c48337a4e104cc860b81570bee1c37b02

SHA512
30814421522a5bbcabecd26345e6ae3e1d545a9631833b7a004573b8e38872186186b0ce1c3e15a7a8e7785e6f6e73dec3c4cb7b34d3cab91f499efff2276fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
258KB

MD5
4f8417c988e77c92c856c57f523eb196

SHA1
806e6467cf2f59a26d04c465d55b09fd4c520b77

SHA256
9fed24fbdeb3a402530882b408de67e50936e19d4e1b5037899e6a0fd29dd93c

SHA512
dff5223f8752ebcff6cf760b068fba95eabac2dfc42c6acb142e84cc0f993842dfd84c9b56b8901e32c053c31c7f5778042e24fb46cce09cfa81e995fe8c8fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2900-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2900-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2900-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2900-46-0x0000000073670000-0x0000000073708000-memory.dmp

Filesize
608KB

Download
memory/2900-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2900-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2900-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2900-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2900-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2900-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2900-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2900-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4664-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4900-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4900-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download