73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21/02/2024, 03:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5568	b2e.exe
3916	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3916	cpuminer-sse2.exe
3916	cpuminer-sse2.exe
3916	cpuminer-sse2.exe
3916	cpuminer-sse2.exe
3916	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1956-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 5568	1956	batexe.exe	85
PID 1956 wrote to memory of 5568	1956	batexe.exe	85
PID 1956 wrote to memory of 5568	1956	batexe.exe	85
PID 5568 wrote to memory of 5252	5568	b2e.exe	87
PID 5568 wrote to memory of 5252	5568	b2e.exe	87
PID 5568 wrote to memory of 5252	5568	b2e.exe	87
PID 5252 wrote to memory of 3916	5252	cmd.exe	89
PID 5252 wrote to memory of 3916	5252	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\63BB.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\63BB.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\63BB.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\66D8.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5252
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\63BB.tmp\b2e.exe

Filesize
12.3MB

MD5
57ccd3b53fc012e823129a1697021834

SHA1
eb29a9b9dcebb02ee4e0858e701e8480490edaee

SHA256
2f05efc97390c5c7b8de7175f885631bcf57629728640793e4fa2961601c6d21

SHA512
e963438e8d7485bf16280589bf1a746538d1dc226f41ffc57280292e11723c87e6fbdf8fad67d46c680fb194ca3a42e22e2231f035f781889c2029b4db55975e

Download Submit
C:\Users\Admin\AppData\Local\Temp\63BB.tmp\b2e.exe

Filesize
2.1MB

MD5
7a6cf039095c858e19ab9f7fda8df505

SHA1
533be1016710f94ab95dc0fd0084e3aee0bfa188

SHA256
a82f6202cf089974afb3ef395f8d86b4b7364e4cf06b75b919a0763f267d7bf0

SHA512
15761bfea083980e7e6275a0aea17c072b4e83ce2b2d1fe515d6863ace4ffb45ac3a65d3fa44821a67590a5c082a3e6dd29367dafeddb592848c0457ffaea729

Download Submit
C:\Users\Admin\AppData\Local\Temp\63BB.tmp\b2e.exe

Filesize
2.1MB

MD5
9a73f2886e4091fbade167f84df7db84

SHA1
0d9ab82c9a15ea07cb2519bb04f66d74d5b81010

SHA256
f80272cab42845a0f9c48ff8b2444807366d1c417b03f498f92c5029952c2b5a

SHA512
a29996c96cf76750b155a4877f6fe1138ff078d8279e9c6a2fd5c2d17f465c6514ba7a4a31d20d0ae8de37b1b10fa3513dd6bac45b532cd2629d779476e1f97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\66D8.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.7MB

MD5
84d721e4ba537a00a0358f94d64fb8da

SHA1
a6e4f5d524786e88a79d864db2038bcfc150f5dd

SHA256
4758fe53edd49c27821dc923d178abe856a0edf866c7a83068240f77930740a1

SHA512
c1823c36ee75f4807136b50a280c956509c089b15bf2c4417316865ff6d597981b066ac981ffbda15e86023d3aec3baca3c2bf22d97299d9028bac02af23e4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.7MB

MD5
187c6efb4797810531f98d3f44e2edd9

SHA1
9580cf9752a17fef9afca56e21c390b2295c69fc

SHA256
60786dc4733c9101bcc3f2e05447305026ff0f7ea2beee34b0989c64bb6ba114

SHA512
8c2fcabae55dc18692ca5d5db9f31a0ca9e9259d040039b58269f6358ce9764284e5284d3bcfc730ba416566d5f52ec1d80a50d7d9fcceb1c11c809b587a6d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
116KB

MD5
83b6821fa1c858f802fbf4114ffcf1da

SHA1
4ec3f7fb4be82c19c7943fa9dc0503f1f4f99e58

SHA256
bce651b25bd75edc7725f7c41cc57a0bed2d85d6d96862bba498cfa1f283a817

SHA512
9d9d0a1fb626ea5a86ced221d90c39323e78472c97b6e30ae4bbacae6c7b058949e7bd76e96bd67b43edb8b0e31292ef682e10aae0976ef74be0ecfd93552b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.8MB

MD5
5acb8cf9d90d7291dc544fbea1261ae3

SHA1
9c69cbeba317216f1110328053ce26979dccf556

SHA256
d0dca661ed9b2d452da3cb8fc3d43a9821ad4e7253d0be41d97b8cd836122d5d

SHA512
624554adde9640fabb87a75b53a382a5d58e53990226b587683f69f76f2c32270004e8726d3d2819ccfaec8dbf3dd71a8c035d79f53b3c22d568c3a6ac6a6ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
181KB

MD5
5ce4e05d7bcbdc8d97b49c8002285f12

SHA1
8a9c74188d492bc7a1f9de95b7d71c6b02b22b84

SHA256
46a33ad24e8fab422abf1f6781e68ac6b5f1e800c644dc76e69750b36a700170

SHA512
a9da677280147772d3c5700dd5a7f8c14fc553aead40cababa7026259d570c1e6f2a988c4e192425286a248a37a56d308fdbf78b122010d4363f4806d9c0c110

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
237KB

MD5
b67d200e211904ece6eab3df182362aa

SHA1
83b9d1743eb89b7b54dd2fc3aaa0bddf55f442cb

SHA256
ccb04736c1ad090ad64722e0109fc280e3f93115a27a83c565976b93b32f2008

SHA512
761583a263837ad6d008eb0b73c79ac8f94b2b30dbb5b18b313a9dfe215d0d01b6cb76a0b43bf66e85aae498de0cf3e2fb268420b859f514baaf4161c816ba8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
7KB

MD5
b93d59c337cd18a4b4be6071fe618964

SHA1
a859554918f0c4d3f079339ae65c5d50db3bce7a

SHA256
a20dfa0cb6bd40d998f2a70489c6b2d125dfeac71ec10564d772df016d9aeda2

SHA512
05c1220fb56be16e5396d16390027080fb5aed6e342ac27f0f642614108559054300dd1285a6a0c3b90da79a2a53db3cfc91420a029c38898eefa3ebbb5c13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
179KB

MD5
b40244d0a4356dd39e4353d2a7367a04

SHA1
0458f47d5e0719dd4f8639ac2bca98076f1426a9

SHA256
611bd4c24a66f220e0f6f4626e6e582619580f06ad9341609d3fcb785df5e973

SHA512
e6b540b967486af1edbe4003e08901c31b7eb5d301ef8244b228a8f1cac9e2c09ee42ade0a51c79d44d8341c81dc340fa69aa6b0984a49e785f87355122ad05a

Download Submit
memory/1956-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3916-47-0x0000000001030000-0x00000000028E5000-memory.dmp

Filesize
24.7MB

Download
memory/3916-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3916-46-0x0000000055450000-0x00000000554E8000-memory.dmp

Filesize
608KB

Download
memory/3916-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3916-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3916-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3916-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3916-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3916-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3916-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3916-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3916-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3916-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5568-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5568-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download