73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20240220-ja
resource tags

arch:x64arch:x86image:win10v2004-20240220-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21/02/2024, 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4123566616-543693798-272350410-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4123566616-543693798-272350410-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1928	b2e.exe
2100	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2100	cpuminer-sse2.exe
2100	cpuminer-sse2.exe
2100	cpuminer-sse2.exe
2100	cpuminer-sse2.exe
2100	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3152-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 1928	3152	batexe.exe	83
PID 3152 wrote to memory of 1928	3152	batexe.exe	83
PID 3152 wrote to memory of 1928	3152	batexe.exe	83
PID 1928 wrote to memory of 4424	1928	b2e.exe	85
PID 1928 wrote to memory of 4424	1928	b2e.exe	85
PID 1928 wrote to memory of 4424	1928	b2e.exe	85
PID 4424 wrote to memory of 2100	4424	cmd.exe	88
PID 4424 wrote to memory of 2100	4424	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Users\Admin\AppData\Local\Temp\83D6.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\83D6.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\83D6.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\926C.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4424
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\83D6.tmp\b2e.exe

Filesize
15.3MB

MD5
75afbf7fbceb9bd92313cd435316a88a

SHA1
9c944f144ed5f1f684d9d24f73a1be1d5c07a785

SHA256
a50c0f6a6b7776b652598ff53176cfc1abeb221fd233566afba350ed22be62ae

SHA512
6150c420e1d578cd04d01b2c742869bab8fbb26998a864c96a712d0482306d932f2f4508e409b66221b18992b53e5100c7983170f0a93ab8a25f2d2a6f18aac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\83D6.tmp\b2e.exe

Filesize
4.3MB

MD5
225ad63ae4285536842ee1ca4b56e051

SHA1
73d1fcf4006c841ffcfa1269566d8543a5aaf7d2

SHA256
23c4e0cec42cfccabe7c01b688e5d50a0d271897860bb8b395ca6e8e6e6fbc13

SHA512
2dbceb2eab4bb328a2f5569013574eb7bb07f0c3539cab08a00e383124a4d08bf414739cc50380b10c8a1079cabc410323d4b1fbe99e61361d3a52372c46d88b

Download Submit
C:\Users\Admin\AppData\Local\Temp\83D6.tmp\b2e.exe

Filesize
2.8MB

MD5
271f1f58742aff0ebf71fc0c3ab4a9cf

SHA1
63ef4434110ac1ca03865b31406c2921e58bed73

SHA256
9f712a59b09b14ca76baae87d480dac0b1c38e4c7eea45140c28997774690279

SHA512
18ade3b96c697954d59b8697eadae2cbdd856ebe9885f21d2966041e5dbbe9d9e150954105154f92bd78d1c3100435791b20a105d708b62986cc8910c362dccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\926C.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
832KB

MD5
43dd8ab1a0fd7f177db516faa81a9635

SHA1
66a8b6940797f3396a4f1a6deafca1fda5bffcdd

SHA256
d4b58fa7e09511b58f312b57e2067823a7f31ff5cd6369cbf5ef3667c27b60ea

SHA512
064753e38fb6e2d64a8ce067a52c24b55eb11cf714a534f3557a0e2bd2f5fba16030d8496c7787f4b272ae6a696f4b017d99771488832d12711a7158c927f772

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
704KB

MD5
ce5f200d2d48a057722a957d5acc6426

SHA1
e7a8d4c0dc7b561dfa26e3fddaff015716187305

SHA256
cb450c8c0a952560f35f4b93f14357fc3856ee0b016eabf8bb4d20e9504d82df

SHA512
e7d3b203cc96d08b6d000f6845bbeb5777cd08babadbcb86266193ca68d8183973b3a92f5cf587df1f26bf04a182fa51001b7317c9a9e7ba868d1e26b897ee9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
576KB

MD5
bfba8ef054be5bee0da072ed080beac4

SHA1
090e6e60a6f0f1e351978e91b99e8dce8e63413f

SHA256
81f3865864af4f5ae909e3cb60ec0e0fd028e37909315b0e3de8663a34391be4

SHA512
85a8d0b74341c10b3563209566415727a1d1503433908c26c3e861592c397a66afe3cc25bcb31119ec64e15fa078db361bc308474de1ec3f1a8c367d37c622b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
448KB

MD5
19a61444b6e2d01755ede80960bca19c

SHA1
e0c7222784d3e2b3329ec3280648b17fd60ef209

SHA256
13fd488b38f3b75438e9ad0a033df005cd397f3c92f43275714a0a7eb3fb4db8

SHA512
bc02c82bdac19f10f3e3a93d3f507bb7838c9255b7cff5af6e3a7f3b471dae9c45c52728c3c23857b3402dd1702cb51a20f225a4da992c26a997c26d86b6b1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
448KB

MD5
8185100383d0fe360c9198e5a883b08d

SHA1
ab398c469573f8e84d3cfcef01287a0604d6ab5f

SHA256
05ef7288b0d559bf67c3d69c201da9bdcaed0b49ecc538640f7b96c5b82eb538

SHA512
24930ef0caa1f2db2ed60f7dfdb832a172cf7747b0a336b051f73c0087a5f2fabff721487cb49cf5a3bc2be5426554b0a3a0e51541b6a4ca735646af24f1404a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
384KB

MD5
b91f7bb5508b343188ec32dcc7880611

SHA1
fe2ae7ba4a1bbb2a5df7b73f21a0b8fc745cc11f

SHA256
47881756cdfcb302e63efb2016c122a1bb61574d81186275aef3d5a9fb72b84b

SHA512
a5b91bc653cbf28219b6f169d5d849fb53eced9a932b8edf468c9092544795ee8120d5c76f0c45f27b7a2464c328f5bffcabf3e83d2e7236263ea930cf92eea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
448KB

MD5
ca123cec7f705c0af114e462349dc686

SHA1
75f90b4d95f6774b2f66e4ba790755ef118ab222

SHA256
7f141cdc0be9c965e21310bcfb0484b20d31ffd8a6a970f8b5a53c0e8974798a

SHA512
650125faa9ae6733f1118caf3101ca6850473f78f9bfc3a87e908eac1c69935e3bc269ffb5de4dd6e867429c1af35c7f3b9e62eb698fa7c9695d68e7115f3f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
256KB

MD5
1d86b9560854472453237bcbaa2e253f

SHA1
5a03a7902d250377a3e9f746badcb696e2c98228

SHA256
1493703a430c68bdcedcb4078486daca39a02820199e7b72017c7b1af66e1c8d

SHA512
afbc3d7f8e06e41db25d666999f4d162af7054a66b17a651ac8a7f092f83580a067bfa2f558be65ace5966dffaa8735fe7a579e88bf42b34eaa3e72cdec96699

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
448KB

MD5
9d1a04f05f75671a5a3ffeb995176c52

SHA1
a45018bb6a5dd52b310c1eb77262354365925a76

SHA256
c777e9d786f5d1d13f78a925453804bf53ee430a38f893f115c2d1ac0f2f07ff

SHA512
d19ea63c26c1d41edd5947d0c5ae70e2461c876563c2baeb1fd4a3986254f7919f8d4c32a9d6b9f4c51c4d5a23ffa90a2011d293a106a0a8813295b2bee06e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
384KB

MD5
eec15153c344f43f1919cb379b9ee2f9

SHA1
3e4a09390ac885ea2797209603bcfa1ec6ff0cc6

SHA256
4e4d7ecae87e8e656c61af89ef17146baf33fbf09ffbde6ae971d04e8e8f9222

SHA512
7cdf3552341d14979838f8fedf9ac63482152f193ab8f7e0af281ec50b2a43312d78c0e22e79989818c5041538fa69769350e1e6cf0789a165be1eb11ee29908

Download Submit
memory/1928-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1928-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2100-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2100-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2100-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2100-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2100-47-0x00000000010B0000-0x0000000002965000-memory.dmp

Filesize
24.7MB

Download
memory/2100-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2100-53-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2100-45-0x000000005DDA0000-0x000000005DE38000-memory.dmp

Filesize
608KB

Download
memory/2100-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2100-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2100-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2100-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2100-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2100-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3152-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download