73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
300s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
20-02-2024 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4088	b2e.exe
3768	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3768	cpuminer-sse2.exe
3768	cpuminer-sse2.exe
3768	cpuminer-sse2.exe
3768	cpuminer-sse2.exe
3768	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1988-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 4088	1988	batexe.exe	84
PID 1988 wrote to memory of 4088	1988	batexe.exe	84
PID 1988 wrote to memory of 4088	1988	batexe.exe	84
PID 4088 wrote to memory of 1664	4088	b2e.exe	85
PID 4088 wrote to memory of 1664	4088	b2e.exe	85
PID 4088 wrote to memory of 1664	4088	b2e.exe	85
PID 1664 wrote to memory of 3768	1664	cmd.exe	88
PID 1664 wrote to memory of 3768	1664	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\85E4.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\85E4.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\85E4.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9248.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\85E4.tmp\b2e.exe

Filesize
5.4MB

MD5
20849d500adf882d9a36df3ea9fc9f81

SHA1
eec879d9e0f3689133b0daf337f731aed78da9a6

SHA256
694d25cc4b227106f92ce13d2f713a087d7477676c0ccc88b7adf63bbef0e02b

SHA512
a5427289e40cbaa1cee14b1d1a6f3e00d7728d74bf082e25d9c72291576b6fba4b6a2dcaf7f3a1f84e2c68d7328cc985c853f602c7a75fd1bfb1f978af756296

Download Submit
C:\Users\Admin\AppData\Local\Temp\85E4.tmp\b2e.exe

Filesize
2.1MB

MD5
099e18cf84312ee05add20eaed01b2c0

SHA1
3aedb8f0362d50274ec7bf1e79bbd3923b47cc13

SHA256
8856beb3ce39073034ad1cd1b72251224cbe3b2861af9086947470096666312c

SHA512
70c26948eecb460a2c035d8bec9f100588244a0c621fe26c13826bef00464051b54e200abfd73cb07bbe76c6c807317dc90b4974a739be718e37aa2621c134ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\85E4.tmp\b2e.exe

Filesize
2.0MB

MD5
b3d7bbf5bb6a415d93031fdab6cfa023

SHA1
1e3a5b89538d4eb99fa37d21e8f7aae16000226c

SHA256
16abdfb93a875cb1317c09e8127104708f39e177a254cb2b5f5b140ba522cef3

SHA512
3087cfe1e68c690b8428929f6add496ab84dca73c1adae86b3bbe78a61ee6ff00567dd2bc4e2fd1c3655fc471a779dd2c0ef794f58d714b4fc6de251d3c053ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\9248.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
350KB

MD5
5315bb240efb3279135359cbe5ca172e

SHA1
160ad8d881d43e9ab7830226c762e353021dc608

SHA256
8195624377f6986c69555e0690ead751356374e08ce5fa379f7bbd386765e101

SHA512
4cd129fddd95350c2ee3720af37fa10dd89fd3a3c073522fce91aab2d82af5a117ebddeaf8d4468560cb77cac108a6b9ff4350c14415b16ab63d75db6a4b8a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
312KB

MD5
ed73ccefcb71b575976eaedb315763c4

SHA1
913f7e804d6f2f4033b2f65a62bdbfe0171dfe27

SHA256
7806329e3f4f8da095e2a4a5f29e2f711c461fe30a358a221a35c2c9f1344bb7

SHA512
89123fc3b7fcd56bacccd93eb9963fe5153b557228a12b3095c7bbdd20c647ec1835a14079f66d845f110f1395b1902df35fdfce222d11c23c02c80594767f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
228KB

MD5
6700d5147987dcb00e9ca668aeb067be

SHA1
fa3c8d6464f10fb2fbf49bd6500cef87eea1f76d

SHA256
f9af06031b554a6a63d54e911f69a1a4c2ae055acd6e9067481e3a89ff430275

SHA512
26ec7ceb36b0713fec3eb950bdddf9f2bc30168db22ab222b9cd36bfe6bf8c7bfd1c631de96f2bb1a01cc176933e3bf6b1bc7faadb0b6e0330b4c518ec77315d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
337KB

MD5
6886f038878891fdf6984945a6d80ec6

SHA1
20892b843f05729ef6067e69e7543643e6de3e67

SHA256
70b425b76039b27c542e2b43ff4abd643313d0b84e74a3ca616b39092f3be8ad

SHA512
bba8ce6044b8be55be3d56d3b0af6dabbc312f5282a82a6c175e8fa17305e6591058a16176e2a973456bc63bdb6d450254758b19c6fc11a57d36a7b1313c2c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
194KB

MD5
8e0150868449eb6843d6730f5b4cb542

SHA1
812eeac2a437918d98eb2134539417684a073c3d

SHA256
770b3e4b63fa25ab5c9d2a1af900b4f68334c1a8125ec1ef4c924011d1e3887c

SHA512
f1d4bcf2691c2e2731a8c6fe320e4b8000e11c4450a9432a30968d52d080aaff097a9e2420f9157a033d0a53bdc5056a05cd14eb927997a255835da6a393e674

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
305KB

MD5
05b4d3e331a58c1888e8d81c032a6147

SHA1
bdd9c7b8daef6fca08874e4a14771a9777005a4e

SHA256
e7da58c24343cc98eb3c59b1772164b52be1ca40eb9d8f456bdeacbff9d6da40

SHA512
2af80badaf7fa0cd68a608e0a29ab0907d81b44edc2309fd548dc04c37eee6ceb925b40436f16c38fd6c38c4617e0c001d2cf30643fc3f1d7afab837d6dfb4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
121KB

MD5
df447fc0d652007b2c59ac503d048f17

SHA1
6cbc42c4a90be2ec80c3c9657324ad24f9559d08

SHA256
026481cd74d12bb75d8775e07b3682d065aedc0bbb55e22a9c51bff64732b68d

SHA512
fff6d9353b2269296a863b3277b26dcb455152fc1314055280c8e7c4e2cff50a4db8bd42a086c56eaf0ec02923950298ca01143bb6536a1bd7826c44ff968382

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
141KB

MD5
50f2667070758b3b4f4c518fbf4a078c

SHA1
88d92963b8b180998bf68d1d81cedc3e8c663e26

SHA256
871dd643e6ea97e83930ca52499ba3eabb7f2b0e77a39b14bf7fca5a0795fd21

SHA512
3273abc6a7740ae7618cb9c5301449a90a1867d9b1109992025340537c067ffd1d97d6a31059938f1251c461e97eb85342febc65c51595d2e00fd58a1b584cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
181KB

MD5
bde145ba0f8dcdb3c082678c94a8261f

SHA1
c3557544627b5808715eb2bd4f3d5c4b3b81caa6

SHA256
73acaa5202d8796bcaa6675115fb192bb7057eee945180777c789a2acf95a475

SHA512
f0218dae0e88b3402feceffa659297dc543d7c87391e5c99dbf7881c67204097b65220567ac625a24de8b11a815bb4dd5715120317035c123aac0dde345d4312

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
286KB

MD5
75e4f6823989ae7894252318ea7e7106

SHA1
e93dc14ebb2a6af4985aaa18294c5fe92ef83884

SHA256
fb99716581d6c6c9e807b43d90cf4c8a365974ee96d4b53a6edef1b6edde32fc

SHA512
42906959a18ee6d7797d87bdd620355f2aa052ff3f4c272c60bf611c6525757c24a2f0ceaa3f5a0f2082a496b5990ab1b43090bc4cb504cc48f5b8335cbd0ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
315KB

MD5
5481cedb2a171ac7f7c068bbdc76f608

SHA1
47ffc08cae449b95375f1315166094b780af15b7

SHA256
1971658c980df1f91ff2e87251dc1b6c6369382de1e5cf1310a6da1484849cd6

SHA512
af30513258f0099576be4fb5a251cc6fb69bbde40e6266bdcdb2cf60db8cd7f80fc674f6536648206631419a33575466e55e196cadbf174aa3b1d0bd61398753

Download Submit
memory/1988-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3768-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3768-82-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-46-0x000000006F190000-0x000000006F228000-memory.dmp

Filesize
608KB

Download
memory/3768-107-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3768-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-92-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-67-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-77-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3768-87-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4088-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4088-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download