73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20240220-ja
resource tags

arch:x64arch:x86image:win10v2004-20240220-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
20/02/2024, 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
548	b2e.exe
5124	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5124	cpuminer-sse2.exe
5124	cpuminer-sse2.exe
5124	cpuminer-sse2.exe
5124	cpuminer-sse2.exe
5124	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3880-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 548	3880	batexe.exe	85
PID 3880 wrote to memory of 548	3880	batexe.exe	85
PID 3880 wrote to memory of 548	3880	batexe.exe	85
PID 548 wrote to memory of 4688	548	b2e.exe	86
PID 548 wrote to memory of 4688	548	b2e.exe	86
PID 548 wrote to memory of 4688	548	b2e.exe	86
PID 4688 wrote to memory of 5124	4688	cmd.exe	89
PID 4688 wrote to memory of 5124	4688	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Users\Admin\AppData\Local\Temp\8E84.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8E84.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8E84.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9A3C.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8E84.tmp\b2e.exe

Filesize
4.6MB

MD5
45fa8fbffb4ba17767abdcd887fa3340

SHA1
c87bd3f253b0a859d360a23d98d82c92fff05ca5

SHA256
cdbd3777b685c8b3fe930a9fde03afa8c183bee845f12e4c38d1d6f3e8f3e826

SHA512
bd92285d7a63477fa651b40f36eabba2e694e96f8686cd980bd3b39780c3efaf6f3fe605983f5354566aeb548c904ad9eef7f2efe8722b050f81dc8d79d57e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E84.tmp\b2e.exe

Filesize
832KB

MD5
e1bd95ac3f9c6ce43914de2a53967fee

SHA1
3e03982c075df051d5a8dd837f42873f30483faf

SHA256
45c3475b58fbaa942be0297167c5c3fbbfe7295aa3fcbb4fb61df1348f55c550

SHA512
2166424e86301bbe04fbcce5d0b91562248845c5b1a7e889fee9a95d1c872dd6ea5cc85792b54e6d085095339be2f2b7f30cfd9b40a071b51c96a5009cc96f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A3C.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.8MB

MD5
d80b98cad14ab7d8ad49bdea10bf6f78

SHA1
e36f47025de04864ea3233b946593dc46c7588dd

SHA256
87fef499779eccf1270b3f4b1b875f43ef9085178f27475affd5310df78ece4b

SHA512
bc5b18eca17a407e1eb233ebd14921a3150e77362ee337dbdb730fd4462e836553f5eefa6c484e1dadcf52e6fc2683dab7b9e2b2182d9b5fa939e48dbc6a8688

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
640KB

MD5
0f6af9e19fa927d88313e98d54420920

SHA1
0aff9c72864126107d6c630aafb9ed6512042afd

SHA256
71661d7077b93e2a5e53d7093e532bec1b66d34e3929bcb314eab7f431b84734

SHA512
bba078e2f4eb5ca45956657356f7419767a81679f34d9991bf28a1d44e412340d1002517f74a15583ffe20b32f1f25b60c47f4581100552dc1e651b3f88547be

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
640KB

MD5
ac7d1c3bb4d3c69372907331267c1ee7

SHA1
fa82689799785ef9ab4c304b1c1a6d2d9a961928

SHA256
d22689ab67764158df7b19e8d78ec1393899f21e390f469a300975a31106c3aa

SHA512
0d541661060d7c5eed486ea0377142e7d3883b3c0935114679af28bcae0b1767585fe06328955cf59aab4fe3d4acfba525dbc42675fbce80b7d0b2300784d125

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
576KB

MD5
46e1c7531774dee6a7125727095ea354

SHA1
2248bc2bd821aded068d2e5e55f5e7271b50ab91

SHA256
cecc229ea9e416207638b67d03bc6846fa188a14fe1c9e75028afb48ff4e2081

SHA512
fa9dc86df3e0a8f7b2579785c03717a43eec14beab8ca3176f73d4ecb0716d047241ab30cd53518e7acd645e9f8282a20552a6fa33824c34afc5c5210cc69f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
384KB

MD5
b91f7bb5508b343188ec32dcc7880611

SHA1
fe2ae7ba4a1bbb2a5df7b73f21a0b8fc745cc11f

SHA256
47881756cdfcb302e63efb2016c122a1bb61574d81186275aef3d5a9fb72b84b

SHA512
a5b91bc653cbf28219b6f169d5d849fb53eced9a932b8edf468c9092544795ee8120d5c76f0c45f27b7a2464c328f5bffcabf3e83d2e7236263ea930cf92eea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
512KB

MD5
a3dea3777f14f1235327b648410a9406

SHA1
9ab139a0c947962b3c471c36e8b9cca4d750c889

SHA256
ff432926dd375c44e9a86cc2520c46e66be2d212e35fb73f16ebc4b48b98b6d1

SHA512
b6cacf9e5d8adebdb3c4ae9b6eaddda6a90d9eae32bdc4cf6eb36ad7cf14d02486ac0c32942e3bc504e943a544fa71a6c9e2fec8fb07c456290646107b4edea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
448KB

MD5
ca123cec7f705c0af114e462349dc686

SHA1
75f90b4d95f6774b2f66e4ba790755ef118ab222

SHA256
7f141cdc0be9c965e21310bcfb0484b20d31ffd8a6a970f8b5a53c0e8974798a

SHA512
650125faa9ae6733f1118caf3101ca6850473f78f9bfc3a87e908eac1c69935e3bc269ffb5de4dd6e867429c1af35c7f3b9e62eb698fa7c9695d68e7115f3f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
960KB

MD5
f3707fd5b389e53285dfb3815a4785b8

SHA1
788b2ac7be4acb28e804021893e11cdd44ee0784

SHA256
f7ef0e3e60989fac5636e6e5a018b730b403b75889125b56c4d07d6279e94c94

SHA512
f11d8577758db08f597987f525b4fc4c8c3f5181255f89281300968dc90fe4b298c322e3f531f768cd5014d116bb7161365c9d3fbaa76ab835405d8a1e231f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
384KB

MD5
eec15153c344f43f1919cb379b9ee2f9

SHA1
3e4a09390ac885ea2797209603bcfa1ec6ff0cc6

SHA256
4e4d7ecae87e8e656c61af89ef17146baf33fbf09ffbde6ae971d04e8e8f9222

SHA512
7cdf3552341d14979838f8fedf9ac63482152f193ab8f7e0af281ec50b2a43312d78c0e22e79989818c5041538fa69769350e1e6cf0789a165be1eb11ee29908

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
320KB

MD5
1ae43cc09627ff82d15527ea2693fd76

SHA1
c39ffa1a4b80c29fa1f5caed3e7d091253266c66

SHA256
b63980c9d592a6d0d8521f74bd4c6f7cc4ae5f8c3320d2bd63764c56648ac45f

SHA512
21945e4e2fad3ee2b2a19d19bbbc1ada832c33a0d3bf499d6ac8f093b39021323ea0f7df3d54167a3456cbaf01ff126a6e6abbe17dd4eb8d5a24ca000888c271

Download Submit
memory/548-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/548-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3880-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5124-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5124-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5124-46-0x00000000675B0000-0x0000000067648000-memory.dmp

Filesize
608KB

Download
memory/5124-47-0x0000000000E20000-0x00000000026D5000-memory.dmp

Filesize
24.7MB

Download
memory/5124-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5124-53-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5124-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5124-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5124-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5124-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5124-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5124-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5124-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5124-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5124-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download