73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
22/02/2024, 04:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4192	b2e.exe
2276	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2276	cpuminer-sse2.exe
2276	cpuminer-sse2.exe
2276	cpuminer-sse2.exe
2276	cpuminer-sse2.exe
2276	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4896-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 4192	4896	batexe.exe	87
PID 4896 wrote to memory of 4192	4896	batexe.exe	87
PID 4896 wrote to memory of 4192	4896	batexe.exe	87
PID 4192 wrote to memory of 2672	4192	b2e.exe	88
PID 4192 wrote to memory of 2672	4192	b2e.exe	88
PID 4192 wrote to memory of 2672	4192	b2e.exe	88
PID 2672 wrote to memory of 2276	2672	cmd.exe	91
PID 2672 wrote to memory of 2276	2672	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Local\Temp\632E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\632E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\632E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\65DE.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\632E.tmp\b2e.exe

Filesize
12.0MB

MD5
b7ecfb8b8cbb9a2959f0606367658b09

SHA1
203d18b3054f370f73723e2aa59f4327ecd46583

SHA256
b39f277154390772f6b7451a8d3decc14e49f8cebc2ef404a08373cfc6b1e6eb

SHA512
236aff078f9382c71dc0ddfa9707f82f43b6c76397f3e49611cc656575d847106e752185dfa7f75470db604cf7fa1b5b4048313a0bb50797fba939a6f9ba1123

Download Submit
C:\Users\Admin\AppData\Local\Temp\632E.tmp\b2e.exe

Filesize
6.3MB

MD5
de293a8f52f298ac5bc53637131f1c81

SHA1
3bc93d6c6a553d6bb1dfdbf45396254c16d24154

SHA256
75f283285183206e1466568aa622e07749f514ba3480ff31370578d9deca7cd5

SHA512
6f7b51867dc48990e94cfd7f68639a4d0d3046f50e8ad6323b8de49e702023e7a1a727e5f6a3eb230744845bdf215e0490b574915f7d402d594ecffec91690f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\632E.tmp\b2e.exe

Filesize
5.4MB

MD5
5bd4fe55193086b712731e6799e1c1c4

SHA1
a283dd141a35cb62eb905734644a109b16b8ba14

SHA256
48b1aa0e1f25b45e3067445203e06a7741cb402a34c59a26464d4fe14b1185ed

SHA512
1d4b9604fc6829a18f29a659ad350114dba879266b9eab17ad5e297b56916470d5c1467523be657f7ca7514c1ebb536b73448712532c8555c24b18fb41650441

Download Submit
C:\Users\Admin\AppData\Local\Temp\65DE.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
be8487f465364890a7832c1faa1a92b6

SHA1
ed7e3bf108bf83ae84a86ebae26920709aaf8927

SHA256
adbe2c8c73291da843e44964db504522790a90ed660273af3ae73ccd39a0ca94

SHA512
0e0708f5cd95fa509ea0c26291cdbdf6003121e6010d41b49496877ca0880f1db50c7d83dbf7567cac6c7a7048057ad730e2be327a5f244360e6f1937b166f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.5MB

MD5
4ff74831f154773ce0f6437abfd0ba4f

SHA1
b9ac1e63975ff7494e0f0ffb5146be8ed86d6e2c

SHA256
df9b335bb9a475519b633674179aa216bf844b371df7b3c5823bae50d892e7ec

SHA512
b972dda46990ebe84c68988a927ce74d57c0d75ba297d5ef1f938cd10eb8135a74e0dd5f97e0eea7a8301e6376ca90cab6782a8c8f3c7ef4abfef1eb3a08a524

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.9MB

MD5
d692cdb8bc89546dffa01dde5cf25cc0

SHA1
571a6eb3c290580ee75758bd6a35d3a0140a9d34

SHA256
a00eaa0e3900127e4f1458841a0bae8824dcd4cecf346330aabd2fad44900771

SHA512
fa88f7b77dda8a44b9d22cffeee5db1ad4423ff9d3ed534ce97c13b6868cb089c84c18857949bbd81f68ce003e342609dbbc70c27dd643c1882a65faa3b69621

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.9MB

MD5
7b4c0d23ffbc739c4259f80f18d43631

SHA1
544b6a82fe4cfe4bf85ff5eeaa28c13f99565d47

SHA256
024185feb16b0092727f415f16743c78ddf1c64301d4960672372b6c215c1834

SHA512
1dfcc32b6f5a6c6754fccc9e54d192412633e8d2eaa08e2bf8f2d13ae999f88eddcaac228bb4e1688c420c92afc37bedd51195e70f22e1e7fd683fe61ceb08e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.9MB

MD5
cd83b44dcb4f4e5e461a8c3961e2dc5a

SHA1
d33a40bb5622b3a42dbc773902af1031c6046b00

SHA256
2a0c0c83b2529fbe13c05e0d6c073d333db129e880524087652c01675bbcb365

SHA512
dd324a77c6bf9535b371d08d2293f1c218608b1365531690a8aeb1ce412ba29807f5d9b198ebcb66d282014220ebc0b0f5c537622467664e50c9f61d4ef2c292

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2276-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2276-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2276-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2276-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2276-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2276-46-0x0000000053720000-0x00000000537B8000-memory.dmp

Filesize
608KB

Download
memory/2276-47-0x0000000001070000-0x0000000002925000-memory.dmp

Filesize
24.7MB

Download
memory/2276-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2276-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2276-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2276-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2276-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2276-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2276-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2276-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2276-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2276-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4192-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4192-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4896-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download