73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
299s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
20/02/2024, 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
6092	b2e.exe
3116	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
3116	cpuminer-sse2.exe
3116	cpuminer-sse2.exe
3116	cpuminer-sse2.exe
3116	cpuminer-sse2.exe
3116	cpuminer-sse2.exe
3116	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3120-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 6092	3120	batexe.exe	85
PID 3120 wrote to memory of 6092	3120	batexe.exe	85
PID 3120 wrote to memory of 6092	3120	batexe.exe	85
PID 6092 wrote to memory of 464	6092	b2e.exe	86
PID 6092 wrote to memory of 464	6092	b2e.exe	86
PID 6092 wrote to memory of 464	6092	b2e.exe	86
PID 464 wrote to memory of 3116	464	cmd.exe	89
PID 464 wrote to memory of 3116	464	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Users\Admin\AppData\Local\Temp\31F8.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\31F8.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\31F8.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:6092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3E2D.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\31F8.tmp\b2e.exe

Filesize
354KB

MD5
ee53b0ba130e5b93372c8cd1c7d2b41d

SHA1
098c02df090cb01d38542e4e9d16d22f33d91bd7

SHA256
ce84fcd1d81d29df43a241f3865828e62554f28484b0992c7ebe77abc3a42067

SHA512
df6244ff783105c5dc1bc28ac1ef0e903ceeb44b0890c81701440f82a11c0cf0bb982458f6c1dfd435aac7958faf2464efd1ba8a794ab8a96d06afd9f9181011

Download Submit
C:\Users\Admin\AppData\Local\Temp\31F8.tmp\b2e.exe

Filesize
1.4MB

MD5
78b79a524a304c93b16ea08338121452

SHA1
a8ab9d89c40032d9c83877f1ff0844af2edae032

SHA256
03825d0e09f14365212d88f5751ed6d5386c1595ebca5cc48d6a3cf64b754ded

SHA512
082b9236d520ed1e201e0c2d6f7c3d70fad3b92e5e5015bfe488ecd7eb1b6546ea6bb2c5031c2c81a1f91f3ea2676e9202c00bad973666cffd27c885b20d1e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\31F8.tmp\b2e.exe

Filesize
896KB

MD5
1f22d8bf5f6c3dda3e880ea1ba0417d4

SHA1
2a8dbf2319999a894714bdea650eb5be32c64c19

SHA256
afb7da96abe31529f462178372c48627a7e681e3c18cd2196aec8beee07f5b96

SHA512
217b89f6a74039807c135539482b1a769d715190f7756e2b0162a33da3d8ada909b80ca3fc1596e542f163f6a45726282997f4e52a36c352cc89b9e58c1e6e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E2D.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
898KB

MD5
a3bbca6a5deada71d67e33f94593c62b

SHA1
0ca38479b5fc7292a05bb84f1d38c0d060daa19b

SHA256
035fd42a7035ebaeb965fdd8ce02100334ae5b75ece84ad8a8a0172b0fbd7646

SHA512
e50c0e0920d517a2f97f4f8166ba7f5ab662c8ccb156b0481372402acdf37af636c47ebd169674744bb76dbd829705a9e676a0150a4f22539db23388d1f89fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
784KB

MD5
38938a24829e23215fa563b2e91c190c

SHA1
87b3371e54bd4915b9ad74aac78c7c14ae80ff4d

SHA256
cb16a885ac5bf2d18d7e31eca3c5a51c6d1f736d0840b06c1dfecc693a1c4148

SHA512
526e96d338f1ca49e7039ee0dd47e20f36134c101e113e2e97a425ee8bd6195d738146dacf00ce8f25593db13e0092cdff992c5392e064e4c64092ece7341891

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
695KB

MD5
b1df6c9e8542dece3195c68694994ad8

SHA1
2c51ce12e1a866127a799d25bf0f291c223fefa6

SHA256
8e3ee03eb5b9dfcc64ae63b42f551d4840ee907790458756cbd391f17657839e

SHA512
7351fa31dd608716866df33adc5105ec1b4f919d5f83c90bbd83d15c83d8917719066649406b1a114cde1bff05e1debba75c044adaa0a3d2ef16a8a7416d07b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
570KB

MD5
a21153c6fe5dae7980f97c9c3804f102

SHA1
472b62c414c17af2f2dac170a85015a8ae30458b

SHA256
7aae19eca2064804fdf238589ffa8ebaf2a632c42f584eae939d7a7499d9d877

SHA512
5cac1256b4d61a59f1d2d5910757427ad290ff9107406a3ece44407e8419055af8cea28a348755620ec33994a70545e6736e574d302f5c311ee8f82e0317f879

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
265KB

MD5
2ab5f5d68d20c7b97b96ee92dd86d861

SHA1
bc17a24ce124ad952696983462069966acca47a4

SHA256
2b008a02d8a154d4a72003765fdd071394c2f9c74aabab0c7d9baf543e5f3aeb

SHA512
a27cb14ffcce7485077d2649fd3ade4795581ac61fcc2c5469548dd80be86df86d0259ec6cb701410844e0f18aa5088a6c92b2347ed22012ddc239d70878d0be

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
729KB

MD5
60f10d2fe9146a32519e606bbc96a8d5

SHA1
71e0496b5d9ee07c32f940836b0d8edcea4beb5f

SHA256
2b872ecb92e7177e39f53dce47a485dd0e392631518f9ba1609781d50aecc0bc

SHA512
09b0d601e135dc697e0ccecd7b8f438c6f1801efb59d9e633a39b69d15363cc8e2f9646636648ee703e26451876bc172e56829e443871966e8551c7672b2d74e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
315KB

MD5
62a67567c12ff772ab47a137322df4b6

SHA1
e389eb0cec33f2a4e69d2cfa8e4420a2d9b537d5

SHA256
d8e57a43f2d6c68ff63faedfc787f3a395fb6c53a522fcbdeb0c923de489d67f

SHA512
48954fe53c072e51c366d5390cc0d6655f387eee9eca8f4a62fbc206001543688ab4acb01f826c8fd6ef5bbba6bfc44959fb5960bdafc99171a57a10f9a993e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
344KB

MD5
9613e770eb14ffad997f90af08fcff40

SHA1
019bbab006583732dbdc506aeb49bbc5c907fecc

SHA256
ab478b155133c185e4fffb27792addbdd0ae8c25eb6f6d1c06bc01b6596bab6b

SHA512
3397d0da3e21eacb5e525cc93cb493fb60967b1288d52e9816c19630a4dd97ed087b42ced9ad00d9076cf346fd8ebd5fd4456b41bd74bc2ca0ce416c94036c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
2cf3f9397ae75ba5e02f06e05dc3c9e4

SHA1
68e8f37569006f5b76e0e9716febfbce8fda62fa

SHA256
ba709ca66621f0b8760f7949a3cd0eaab02d10384b38b2d6fa253d17b0efbedf

SHA512
ee2a8c078eb1e491cda4b173ca8e09d1209999a0603289e6ecbf24dfa0a36ca856b754706f8b1231eb992d2280c25ee869845c5148ce4d9658765b7be1b5cb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
828KB

MD5
292e13f718219fa87f5e7f8c6fbc1747

SHA1
786afb1b431b76019cfc01eec3c51a369276884c

SHA256
7317d858b541078213169a66495bdfd2f33ab01c0ee79f6cf8330c6f6eae4737

SHA512
332d496c678fa6239045ce2920fd6cc175e0787a577c47a041c3c36165d058265414fee9f88e9d6a2ed7a865ab6020736d23681361af8f1af8e94744a9fc9c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
193KB

MD5
534417b6a52fc870033ba31023f522f7

SHA1
96fc3a38fbc8dee93dbb2c9866260639d8da642c

SHA256
6e7df3f453257062cc63af04d8bb65c7d6f8c0a573ae237eae490e8cdcf5d6e9

SHA512
4fa6b3de5e570fdcd32b2a11ec3523d02489f531f479731d746f660f7ac2b9fdf0bb5c6f23d6b4ef3f6a2743d3cfaf942655a9ceab09b74c6e1fa6314ad98646

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
280KB

MD5
adff04394a948f6cfa144fed220e3649

SHA1
47c4d42cbd8dc2a41b406caca64dc31faf826a3c

SHA256
55b6d61c22aab8979dfc6c69167622558f2bcdfc9c70962e4eab82a689a7cdbd

SHA512
c00d575de47124fc1ec96be8bcdeee723321d5beb6bad7d13236f461e1d1c39145b1cd01e1cfa2a60940de4d6fed11ac2e07ebe6c63b55de40498a8bb12e2c35

Download Submit
memory/3116-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3116-48-0x0000000000F40000-0x0000000000FFC000-memory.dmp

Filesize
752KB

Download
memory/3116-49-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/3116-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/3116-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-42-0x0000000000F40000-0x0000000000FFC000-memory.dmp

Filesize
752KB

Download
memory/3116-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3120-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/6092-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/6092-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download