73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
301s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
22/02/2024, 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
1228	b2e.exe
3608	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3608	cpuminer-sse2.exe
3608	cpuminer-sse2.exe
3608	cpuminer-sse2.exe
3608	cpuminer-sse2.exe
3608	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4692-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 1228	4692	batexe.exe	88
PID 4692 wrote to memory of 1228	4692	batexe.exe	88
PID 4692 wrote to memory of 1228	4692	batexe.exe	88
PID 1228 wrote to memory of 2288	1228	b2e.exe	89
PID 1228 wrote to memory of 2288	1228	b2e.exe	89
PID 1228 wrote to memory of 2288	1228	b2e.exe	89
PID 2288 wrote to memory of 3608	2288	cmd.exe	92
PID 2288 wrote to memory of 3608	2288	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\AppData\Local\Temp\487E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\487E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\487E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5704.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\487E.tmp\b2e.exe

Filesize
2.5MB

MD5
ba41ebbd19690895b00288ce1a21d231

SHA1
8b276bff5964dd82148b77def75e3772ffe42465

SHA256
fb21bf70cdc7bea0d6117c926e0ded1a630b6c34ca6e58ea3e4b3f61574dedce

SHA512
b7970e0c7d5fda195e9054c8969e52eb998965ff3d16c8122022d2b3d6922cced80cf80ef3f81a460e329207e7710610d1ee0712c4c674d9af201edb39f19a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\487E.tmp\b2e.exe

Filesize
3.1MB

MD5
03fbe488e90292750d70168f6f50dba2

SHA1
cd3eb668a0b8ea196c1bb61e8c4b18c95feb1866

SHA256
f81d27a74a8911d57d52584cf025f711657d69107aa82606564c1619730993c7

SHA512
3f867d9f57b004664f12b2cfdf54f938d57667c7540d87c320564f084c8358b09ea9bc8839eb37ce22405d5d0e9e02f77383d7d8548fe242a58a8ee4937d78ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\487E.tmp\b2e.exe

Filesize
3.2MB

MD5
6363f8515a1bf2213dcb7991798e9d9e

SHA1
643d5481cad3709881a11f8a0792bbfc9ee33240

SHA256
1159f6be226fff282ccb1b0fafd0ec026265fb0dac34343d1bf8b47cb73a22fa

SHA512
186242c296034fdbab1391b486c9cf8b479e3212e07bf4e71067ca65d818f61a9eb5c3729f55cce49641b0bd2700ae1fed1e4427760f30485183518870622d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5704.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
671KB

MD5
eef9437394eef789084f219de6ce21d6

SHA1
bdf47d654b1fe2cd093bd24a9f1988764efbd44e

SHA256
0c964c8cf28dad51a404aa671143f9a32165269ce09ca9279c3eb9cda869e501

SHA512
d6b008b8c2e870fb791359c3f9af57e5925bc14511ec479cf689804a2a9c7feec211102ab32be00e74c98def8cc1625f749163f07045fecce61f8ccdc9a9071d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
568KB

MD5
53547c258414854fa771461853403e44

SHA1
a2982a08e9489c30909ce2e40924396fc5d4e16a

SHA256
24a1b84c0f54114b0a1bc3817f60ea5ba9f3373a6e7d2bdc5ed121d3db00a09e

SHA512
7b2fe4353e99ce29fe087f177635e947986a1ec1ac0cc8c66fca716677572bfacfc09ad81acf4451ce4e98583c9d34ec077226d10d97461abb31ffdd79224be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
445KB

MD5
6ee664c25d0135125405be1233c55b9e

SHA1
a7da734b65dbcdf1d3829e4f005293d600c5e74e

SHA256
db84e5461b5602509de760187b27cd7c2d579e24d974297332aab2613fa0fa4e

SHA512
2b3b9b040522ad0735769ec4dc0b9a04c43d7d93ddf670d35f5e6a512a90ffa99be6b3e5728afc325946bdc7c4ea3b3563a4c02bc9594147d905b637301503ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
322KB

MD5
0d47e0ece70d9cba8e9d74c37f22ac06

SHA1
13a345cc49178e7cc840f2628f19b6c082a23ab3

SHA256
0c8f4aa9374a0634224e4d1820494086805d7a0663d3db96cb5e11ffa6973f27

SHA512
9fe8a34735663c407193a57056ca1c32a07444518cade73103d12edc4c22ba73bb3d97226de9e214ac00d48ad735a533c53996d8e7d0b64c9d14afa20bcd0325

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
547KB

MD5
37ed36efb5325fa8be7d540e25e2813f

SHA1
b89e1841dfbfdd57a7d08948ad8a2338669d6ea7

SHA256
2a3cf110097cc74ccdb426017f6fc6bedc3d62837422384b570f6e4b1a22d615

SHA512
f438f009c56058105938810ff7efb9843e4e5b65baf7aaa7fe4cb0eba9682b32a91a44cab5cd864f997b006c802f29acd359a30f035f50801cf5ee114818f20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
346KB

MD5
4f68de3792efb487889743125fd62b14

SHA1
132830d3e89c1c2364a1e1fad369f17b99e37c59

SHA256
29d7c520880acd020befc239d869300d33c500db3b29aa1b188dbfb30d84cad5

SHA512
2030e6844b82b662a16dde9c58fb47711ead25d09c52a7d81e79ff9e951fb721c7650846aac5badd933c7a34eb9e44971eb0db04447cd83b8557afa7e600e2b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
486KB

MD5
2c45fea223291c9ebdbd3aec1c729bbd

SHA1
c0b4116e550745b572190661ac2315fb67dfc223

SHA256
5aa463b99b0d5666ed52eb73db0b731a7f336b7964ca11809780244f4f9ad672

SHA512
465062068cea99445984458a9870788cae275a960b4cafc4c7731646adef898b0582c2991a573f2d19e2fb89a0e60243880d69c82571aac7ef56d7d660563d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
124KB

MD5
ae578751044edc43065799069805b36a

SHA1
b9dfbcf80f03695ce454e9ba8ee642c300f5123b

SHA256
e472804a6d02e361422b51c627b026bc20a5e6af7a20f29387f242a97058bc3a

SHA512
b93411a58a96f84d8aad4afac4dfa701dd22a03793fd1ca25b4bc13813a565acc5afffc29f35cc502716d61cf722ac076d3050a93f6e7428f9db95a845e3480d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
128KB

MD5
99d07bed333da7b46a08e2c5b235271f

SHA1
cd9aa4732431da378eafc0b0f12fe32174e821b4

SHA256
0246989cbd6ea5aef4a7fd08becfa4e716fe37804c74d225dcae4953b83848eb

SHA512
a31add68a89a2d02f59f51b17d2ce18703b2a29bbc17a0910f7db18e4e6f9823bb8a1e2ac1079f4bc6db47f42d0abc8fae093c4df7db299f16a1881766e2159b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
314KB

MD5
60ad29c92f4eb90c37fdb468da9c4b16

SHA1
a26f9fe2f4ffcee3105f9d6327cc5834d9b6d0a8

SHA256
2795777a8cbb945386f87d10dcad51e9d9864a5bc412cf32d67b1a2a877ba151

SHA512
ef62e4bfa1b9b3b12229c79612d495fa3e1dbdb7978653ab077e9a5d53c8a9846814be9c62beb682a51d21a0456e44b7361799ea9ba63b1038f7fda798bd88fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
298KB

MD5
83bdae70416b92cf0e45568db9b7d333

SHA1
d2effbe2e160cd0feeabbc07088cd15a9c3b7b91

SHA256
1df5f53da9f07c5492254ace4c28599c401aa044aad0ff56d2ea224b5f80cdc0

SHA512
7c24745b2349b9437858eea080b52bb84fdd09829f4542d19d536e7b880181bbe2b11650f88de0d12c0950110936ff8b1668d52f2a4d60aed4ee29167826ed66

Download Submit
memory/1228-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1228-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3608-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3608-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3608-46-0x000000005EFE0000-0x000000005F078000-memory.dmp

Filesize
608KB

Download
memory/3608-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3608-47-0x0000000001010000-0x00000000028C5000-memory.dmp

Filesize
24.7MB

Download
memory/3608-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3608-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3608-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3608-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3608-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3608-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3608-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3608-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3608-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download