73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
301s
max time network
308s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21-02-2024 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4044	b2e.exe
5408	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5408	cpuminer-sse2.exe
5408	cpuminer-sse2.exe
5408	cpuminer-sse2.exe
5408	cpuminer-sse2.exe
5408	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3900-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 4044	3900	batexe.exe	85
PID 3900 wrote to memory of 4044	3900	batexe.exe	85
PID 3900 wrote to memory of 4044	3900	batexe.exe	85
PID 4044 wrote to memory of 5264	4044	b2e.exe	86
PID 4044 wrote to memory of 5264	4044	b2e.exe	86
PID 4044 wrote to memory of 5264	4044	b2e.exe	86
PID 5264 wrote to memory of 5408	5264	cmd.exe	89
PID 5264 wrote to memory of 5408	5264	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Users\Admin\AppData\Local\Temp\3294.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\3294.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\3294.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3E0E.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5264
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3294.tmp\b2e.exe

Filesize
5.3MB

MD5
d6679a20dc67f8f2555875e02f0386eb

SHA1
dcf77fa8fb43281db28b210a845aed5e6392f652

SHA256
4cb300378d6ee460e96317c9d296e00d4197e869c202fce063077259850d5913

SHA512
4df7753a85f1c146bec6616d658c6fd16095262c84cfdbaa198c00988f5cef7ebaaacfea9ce8ab5a8fb1e30f420bc4ac6933c150c7c6f904a40517ea11213b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3294.tmp\b2e.exe

Filesize
463KB

MD5
fabb142830a860ea0bc12650e090955d

SHA1
fcdbb992ad21394690a6fba2568bdd8c7c1572d7

SHA256
bf1d9253c319b9e6bce2d723765fbbbeda41d57e1142a043aa0d4411305f77c9

SHA512
f63212f10d25fc386f33cf25c8f2ab5bec7e9584c2d1a19d3970d1de545b6bc81865595224427f7f7dedc0630122f4b4f0f9ad4a7e5549f076601f75fe7ca84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3294.tmp\b2e.exe

Filesize
404KB

MD5
114cbe40d82d472cfbe2790c818399be

SHA1
c6572cc9c580226b8acd90b7799f41f465f8d163

SHA256
0512fb36ac37486118dc9b8f0f977e92d9f54c93398873febe37aac1ddfd2356

SHA512
9011f8711f3d60bcd9de8be17a6dd8a1743d0fca5a723e1490741326d9b10e365ad05577b5e3a9be761d73acba49033f5a9361f732b8c0ccc1d65238ff36aebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E0E.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
295KB

MD5
6771b4e59f261b3b206b4586c6dd4eec

SHA1
b8f1e0ca6c6215f96f208e3afba8cfbea838d6eb

SHA256
e6fa605e61fe0a3621f38c8f7aafa3982a1f262f14b3b0cc5fa588bd11a0cfb2

SHA512
2c9736268102883710a1e2b312cb183e2a9d528bd468b44ca32987de05dd830af1cf76d5016650ae94cb0c46acb479c6c2cf7f12223ac365d9d06a292db6b79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
263KB

MD5
8f024281dc841b7fc9f794b3d61a3b9a

SHA1
c901a65dd4d2e62621e24c4d6f940ec71a9a8add

SHA256
5e680f85354be081a2f39b0de2c492e7d899e16dbb942dfb40f1e5afc3c3654a

SHA512
298d225eb323496bdd6e5f16329c2e377332614e7ff34e1d5db5a6db927f6892b9f59fd8b2748418297b791446a8d35c343e6c676440cfd668c7d078baa3e7dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
250KB

MD5
69074c170538ddefe4ced6addbe4b760

SHA1
c6ab95b68a74977eb5048fc763be62d03b8b123b

SHA256
d014a24165950f0ef4d1adaffce3ebca008ecd4cfc425999f53a81384fb207e3

SHA512
409f07691e753cae85e1988f0b197c4f383700d25f9659b3f68181582f37f8a28c69929911d4100c64697381dfe5666dd771a290e22e2f8eaa61b6883c6f5a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
320KB

MD5
c911df8bf8c66277e14360319b0b93b7

SHA1
598c59c0e7cbecb788ee676db218dc0faaa39bdc

SHA256
4c53941f04ddeae2179047a1c7f8c7f7f46af0f08c424ab66d61f2316f2ee77d

SHA512
13aeae87ee52f22d1c928c99c66e116254cde630c09f90b146962fa61276af13fef653b7a66184d00d614f0379750e641c2e62326ebb5588ca632e56c935d77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
303KB

MD5
67664c2110c8f46fe7c8e2e27f16d5ce

SHA1
6010ae5045ded2488f31e6f979c76c85a213d7e4

SHA256
3833d0c2e1102e9ba16938784876b7dc475a2293f2fab76bf369428ae9bb86f4

SHA512
4f73289ed9dd24424026bddbe175b9d9e300e0948fe78abbec00e3767d7a4fdd23a997d9f93d41e7d2367ab70c0cba4544f8fbe1ad64a7d6ba1bbbc8f64af79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
253KB

MD5
9eefad7b3887c45fd9416d61641840db

SHA1
4e776dc5ec57d98bd3f84cdc74f204dc6a639099

SHA256
fb77c9f6ed48f3cc6a67d76fee91dddb56845e51aa2abe9bf828bb80621dd1ab

SHA512
a3b575f7979f253b7ae7bf71118bd65f477856cc1384307eaa400619819ffebaf838c0d42afd985bebcb86d8ae4c1ce79efa39d2179fc1213221a5dcb4b0a14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
450KB

MD5
dd1dde7109a040bd9a5ebf464569b61b

SHA1
ff97db26306a5d7a06e12b3ee4a428e17e3cade0

SHA256
5a91e898d17b78aa479f648d435479090ad1dfba0a91ade2467ea25607fe73aa

SHA512
33e00c7330e80ea9ab4dc31a67d61650e90112911caa87bed63aa26a08a9cca580558d9445ec2ecc4c2c2ee1e3e402aa1a21658f6efb2a3f659081a7f1fd6907

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
102KB

MD5
acd780154cfcb84f4cfa5790af66339e

SHA1
372477ed2cb8175cef399ddb4b6d6b569100710e

SHA256
2cd3ff7f51a55d780655bfd54295052da12ace2289f84df61c92c0de9dab9bee

SHA512
b72e2405031a3a627f490c85ccc31f3f507722e77ff6521cc685abbf683b96f27c16afd2bdf638b95ae69c2cbe3dba67c78c6b25ca688a4699448f5504dd3033

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
102KB

MD5
1256edfe9129599d74fda0994b3163fc

SHA1
badb785f15a3de235df8b85cf3b4f422ed025a07

SHA256
2d13814b6d2b44ea126cee34d907c12f38265ac7a1f9c9f18b7000e52169055a

SHA512
3fb158d1f60906a13bc056b34a27de357200796c879a26f18a12507518fb545fc9b58c32670f9762a8e80cfc3bb357ad1b3074fa03986e116f5eb8a9d8e0b9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
316KB

MD5
00e5cbd4dfd3608ba4d15b12d9009812

SHA1
6f7d50e102af73e262d24dd4b180db6c15603bfb

SHA256
418d7564f4c760cf49bc2d54bef567b0d8783c60c4da5a58ea5ca48604df56b1

SHA512
d2d6cec75ef9583cdad9c9388c3e202a82abb14f4e3c1f584dbdfb9ac97ae406da4dc2facbc38f47e787b01d12cc47b48623609414c56c6ada3f09079fb5d66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
61KB

MD5
30df329ca85a13b3963d0a5e7769f286

SHA1
7033d3e9ba217c47fcaa10ec56b7b7524d8a0f0b

SHA256
74d2abb99acd955b9f99d832b7d3b98fc4b345779182fca5bfb212a654e4d41a

SHA512
40d281995a424802346a4876b19716b316a65dcfc72f5dd57fe08b6449d0ecc6363ce4ca0b27e38f594a3c3ab5f9baacbdc147d6ad4762b7881b759f9c494cc7

Download Submit
memory/3900-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4044-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4044-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5408-46-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/5408-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5408-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5408-47-0x0000000001140000-0x00000000029F5000-memory.dmp

Filesize
24.7MB

Download
memory/5408-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download