73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
294s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
22/02/2024, 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5680	b2e.exe
2712	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2712	cpuminer-sse2.exe
2712	cpuminer-sse2.exe
2712	cpuminer-sse2.exe
2712	cpuminer-sse2.exe
2712	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5832-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5832 wrote to memory of 5680	5832	batexe.exe	89
PID 5832 wrote to memory of 5680	5832	batexe.exe	89
PID 5832 wrote to memory of 5680	5832	batexe.exe	89
PID 5680 wrote to memory of 4288	5680	b2e.exe	90
PID 5680 wrote to memory of 4288	5680	b2e.exe	90
PID 5680 wrote to memory of 4288	5680	b2e.exe	90
PID 4288 wrote to memory of 2712	4288	cmd.exe	93
PID 4288 wrote to memory of 2712	4288	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5832
- C:\Users\Admin\AppData\Local\Temp\8731.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8731.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8731.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8B96.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8731.tmp\b2e.exe

Filesize
10.3MB

MD5
7092e14ce8ad553d36532b1597aeba93

SHA1
91efdeb55911612d93ae84dc1896a88a1b462643

SHA256
95c850cbbbfdd4f78f2896aba6ce0643910308229b0bda39b5fe2b3e5059569b

SHA512
62c58bd11dd055b1a70df155d9379b88214fb64f2133398c9d7efa865758b7f8f059723a1fff83b2f93129ac183c1eeda6d9fef8e97e5ad86b05cb77c3e327af

Download Submit
C:\Users\Admin\AppData\Local\Temp\8731.tmp\b2e.exe

Filesize
2.3MB

MD5
9706b8fec0dc1e3a5cadbf78361ee35a

SHA1
08ce45dd0a4d74fb37e23ef3eca377d1f9ab8184

SHA256
6d1ca9cee2fbceded5fcfde9441e55fdf3fa7226f1365621dfc56de18771bcc1

SHA512
749bd52b5fa9cea042c2a55ab7b3139f341abe3596b799716d47ace7f7ddae79e1504453061719ee78c9282064d028c00147df1bab406c7ea929c079b0bb5928

Download Submit
C:\Users\Admin\AppData\Local\Temp\8731.tmp\b2e.exe

Filesize
2.0MB

MD5
54006bfc43f0ed806e4c955b4a67ed28

SHA1
46dab2552bb6469c17f76ebd54215486c4d3c29e

SHA256
f13ccde78c6981055d2c6894dfbe975759d8b23a749c5588c6f8921a7792fdd4

SHA512
8dc3fd0e3e0f564266557cee9b682e2cd271f8282b8ca316e81c56f0741ca78d13a2d214e986d2ee058b628cdd11edad5f6e00322907b07396bc50844434a904

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B96.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.3MB

MD5
4c04147c386ba8792ac6a03069572a8a

SHA1
dda67789fc1d0f2469ca95f01a5c81034853ca6a

SHA256
c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd

SHA512
a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
23KB

MD5
233564afbecd5de5f3058be6d8825d3e

SHA1
8efc48e1412a8e2dd9d2f983bea3bc2095218747

SHA256
eba86716c7638a0171337d576cdac8c4a4abafc6a7b947969a6ea0b77b44e6c1

SHA512
ec48e690e01dd14869502ab36f21471ef259f68404e05abca6bb38384477c77d2a717f153e3283686609fd5440c5741888e4d3b6a533416ee84c9d3a2ece3c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.1MB

MD5
fdb0eac7ad0ed1cf4fd977a09564549b

SHA1
da10cc9fcca67db4cb96ab56cfb92d9ba2aaddfb

SHA256
7693c65c2c95643a64998c08ff19b44a24d1aa34b292440cf6d2c3d64d7746a2

SHA512
374ee36ca05062e2829fcbae073864045b34b966987b9ce93327b2f35b949a2b7ce1d1f86118b517ed671b4955ceccdfff9a2bd533c777a996ff03a31bfe95d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.6MB

MD5
62d514e077ccc1943ae5d10568499a4b

SHA1
58826b4dbe2b4b213683a38b4d09aa7722ce48dc

SHA256
8b851abee3e303984d63a1090384322d87bdaeec02eb4c10f17ac35192a90bb2

SHA512
5d819c69eefd724f74e9b47bfa65545299baabdf6d415be1e163f8756af5860a263e1cdba328498a2f9aa2158de4e33e18baaf4ea93372f4c631da290a9ab971

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.8MB

MD5
74dfbf488bb3af6b7717f0572957911d

SHA1
eaeee2384e76c0f3c8039835ab1901bf3ed771b8

SHA256
80eb146f49b0a184a3a634a742c9a8c565dc0b73cdacd319a1ca9635abe7c8c4

SHA512
c3fff103c8564727108b6ea2e83947d8ac0782c67bcf28af31302ec5117f43ea826503b4da2ada660e71d0e1c4cc8ba8e0966aad4cbebe54abbb40160a35a8ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2712-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2712-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2712-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2712-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2712-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2712-46-0x000000005DD80000-0x000000005DE18000-memory.dmp

Filesize
608KB

Download
memory/2712-47-0x0000000001070000-0x0000000002925000-memory.dmp

Filesize
24.7MB

Download
memory/2712-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2712-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2712-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2712-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2712-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2712-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5680-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5680-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5832-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download