73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21-02-2024 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4924	b2e.exe
1816	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1816	cpuminer-sse2.exe
1816	cpuminer-sse2.exe
1816	cpuminer-sse2.exe
1816	cpuminer-sse2.exe
1816	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3952-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 4924	3952	batexe.exe	83
PID 3952 wrote to memory of 4924	3952	batexe.exe	83
PID 3952 wrote to memory of 4924	3952	batexe.exe	83
PID 4924 wrote to memory of 3236	4924	b2e.exe	84
PID 4924 wrote to memory of 3236	4924	b2e.exe	84
PID 4924 wrote to memory of 3236	4924	b2e.exe	84
PID 3236 wrote to memory of 1816	3236	cmd.exe	87
PID 3236 wrote to memory of 1816	3236	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Local\Temp\830B.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\830B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\830B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8F40.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\830B.tmp\b2e.exe

Filesize
4.0MB

MD5
29180c75574123a99fff0de6cc7040c8

SHA1
23a3df178db96162693fef68aa00f042b6ab7850

SHA256
ce6a41526fb62c2b606ae97e27e66003eef86bad931fd9de54f46e113b7652a8

SHA512
ab05a976a028392cf32952132779cee808533c72281e12d83008e43e8a8623b6a7b7969c865ae3db2c52db974171326f9763bec132a08d8f4f82e167aea49ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\830B.tmp\b2e.exe

Filesize
704KB

MD5
2bb8bf63c7d7958f71f9307c8635131f

SHA1
2362f18b011bd1e60fa078052821edefa33b8e08

SHA256
85151a35fd2a7ef587918c4702b2adbe0c3e7eed43bc8564a662ed03a6f3ce79

SHA512
59eba9edea2b2af76f261db76b15912b20070d75db7cf498d55a1bc13f11692d016c9a70ed447a784c874f6d11582112312f3d058443606eb4b6de349a4857ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\830B.tmp\b2e.exe

Filesize
7.4MB

MD5
d1a23c525cadfa5c6ab9f27f0135d7c4

SHA1
25afca5be8691a6e83454cb611e5c2a8f7ea61eb

SHA256
a9049353b2a7d703222156baa1cdf3d3a2f00d0c7eacc30ea538049fa0e79268

SHA512
18f951fb9da9aeccda2878dd3cdc85d10bd25b866d0cfc1a36bdec4346a37fd12bcd585bef45a52a9b5b43761a71127ce9744e2872a3c772ad19ba1e8fec02ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F40.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
3adca8ad197ff52dab48043a8ccef18b

SHA1
c95cf5c2cec6561d8d59f9c9b5194b0ff5725f75

SHA256
d760a27a07b95508c74fbdf1cb82f8a433620cb71c15fbb16c911f0d8a64aa4e

SHA512
d07481f6fe3e503f72134d3df0cc907bf7a39b7b9eff773d2cf9d78aed070d6e54335ac338aa1d12fa5f5cb1a25d204d3b62de0739a125a8a5dc1f5aa7e2b59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1024KB

MD5
1ad6167569badab73bb51c7109b56693

SHA1
85c80eff3810728aeb4af1cdfc6984facaeeb6c0

SHA256
2a0237405f10841de2c9a5d337e1ae7ef626e562194dc6d096d92ae81e88aea6

SHA512
e219d97f0dc3b5f94798dc75f5328b4e7282c420fbb4ed1b44fb1e17941486f244fa28ccd73f55fcaa299a9b2526395a6a81d20a7ff26d9fe02bad77fec68648

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1024KB

MD5
c6151ba2a5a47dc2053b8becbd8a0b68

SHA1
1f6d6821cc72fdc279db6c9ac0a4fbeec236f2f3

SHA256
1e2b0b487fca221e8095a470e0aeadf8151b008c54ec5f4c7a5b30582d88b90e

SHA512
c4ad99b39c67ce00f245da976fbddf54d6171b8fc33a60fc2fdaeedbf7b8615085de99069dc087c6b1890ad7a7486f559a2412dac7ab0cd301fe24867ebc1d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
896KB

MD5
f83929cce536e71a3a11e2236c2c6c5f

SHA1
bd0065486a784f1c91e08ada0c3a8f383e23c874

SHA256
f3c7a692875dec174d83dd723c63661fc9de1c0b6548fe3a3f8f8f2015507798

SHA512
815083437ad5659626fba85fa9e31a33ba418d3e1d5f1ec1c7ba77ff5214618493b37821aae3b5b52838ad47f4a7e8c4a3594ee0f970025bc3ee425e9eb50152

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
896KB

MD5
4ece07a08273d0d0db84220926c3d32f

SHA1
d90712e2e643311a963676e87f6afad0c421d895

SHA256
d82c02350e5ca5ebe35d4349a16c3c9986aaecd8be71c05a00b1af09039a4cf3

SHA512
fa010b4c3c0e6d38bb281b4541c0e8b124e05d2feaa6dc11cb6e9c1d85145d5885a5cd61c1bca283f2d9f30295b197343311306acc9d5393aef64793067cdcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
704KB

MD5
ceb1ee23d68e973e400b41e7324c71b6

SHA1
0ad5540864cf9bcbf52870ba72566625ca54e67a

SHA256
66f2f5bd30986e28a4c43ed44264cc56f63bd7a3ecd6aeb5845ac7bcd724aeee

SHA512
51ce4a101517339cb1f5c23fc953dde73f871cec2bde8ea5c9fad9376366d7b8aadaa8668ef2f7bf9d873e8817345e4e337a7a94c42c3ddf6a168377af060e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1816-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1816-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1816-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1816-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1816-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1816-46-0x000000005CF90000-0x000000005D028000-memory.dmp

Filesize
608KB

Download
memory/1816-47-0x0000000001100000-0x00000000029B5000-memory.dmp

Filesize
24.7MB

Download
memory/1816-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1816-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1816-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1816-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1816-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1816-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3952-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4924-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4924-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download