73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
22/02/2024, 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2320	b2e.exe
2180	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2180	cpuminer-sse2.exe
2180	cpuminer-sse2.exe
2180	cpuminer-sse2.exe
2180	cpuminer-sse2.exe
2180	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1108-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 2320	1108	batexe.exe	89
PID 1108 wrote to memory of 2320	1108	batexe.exe	89
PID 1108 wrote to memory of 2320	1108	batexe.exe	89
PID 2320 wrote to memory of 1148	2320	b2e.exe	90
PID 2320 wrote to memory of 1148	2320	b2e.exe	90
PID 2320 wrote to memory of 1148	2320	b2e.exe	90
PID 1148 wrote to memory of 2180	1148	cmd.exe	93
PID 1148 wrote to memory of 2180	1148	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\87AE.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\87AE.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\87AE.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8B67.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\87AE.tmp\b2e.exe

Filesize
4.3MB

MD5
225ad63ae4285536842ee1ca4b56e051

SHA1
73d1fcf4006c841ffcfa1269566d8543a5aaf7d2

SHA256
23c4e0cec42cfccabe7c01b688e5d50a0d271897860bb8b395ca6e8e6e6fbc13

SHA512
2dbceb2eab4bb328a2f5569013574eb7bb07f0c3539cab08a00e383124a4d08bf414739cc50380b10c8a1079cabc410323d4b1fbe99e61361d3a52372c46d88b

Download Submit
C:\Users\Admin\AppData\Local\Temp\87AE.tmp\b2e.exe

Filesize
1.2MB

MD5
69a31df625e00373b29f5200c14a6045

SHA1
d90311d2b5a0918bcb336a7316e469171f9e0c1c

SHA256
ff4c528e87fb9ce04f4fd2995ed46e2e6c7c6c6638b812f93f4cf72b211b4651

SHA512
d6babc54198de36e12f62df60413569869568bebcd595a675d785423d9540351694b6a78491781cea86e972973b3619000e0a4c405e8bd38c5e7ce52f5f0a346

Download Submit
C:\Users\Admin\AppData\Local\Temp\87AE.tmp\b2e.exe

Filesize
1.1MB

MD5
a714eaca0bfdd23df35baa70c9ba147d

SHA1
bb76048964b8d4f61a8b368d6dd7afd4bd998205

SHA256
d763b26b8230daa66a16390f51f2baf81e5b85dba1a034f981e5fbc2d8302208

SHA512
143e6c28ecac9839e0ed3b716fabf63fbbb9a0683e340bcb7b90b39d57026d42c59ea1a9b6750e35b93e8713545602c31be2b5eeca08c793c954fe4c4eefaa31

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B67.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
889KB

MD5
8b6454bfed24a20f79feeac6dd3aa1ae

SHA1
03bc0e0197e8ca1a7d534f00ff2b8a886a7d3c63

SHA256
e248b7a8ac00d167e984892adf00bceb166efda19371b9db35010fc92691a59c

SHA512
cf7cb25503166043e1c8099f40e4035addfe84c71871797dafa4e4acfbf650106a1a2a55744849503a2e422d6e0cc4949bba14e6e22f567dd1e3e4e186035a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.0MB

MD5
2686941e1729821982d26801f99a7526

SHA1
3b8f1900f35da9904fbbf5a62771f0da28a67946

SHA256
313b8f237728226934f76d66eb2b8e6b0353cb86db31a02e57d72aab58ca5edb

SHA512
5bfcde787ae0f6e12725d22aac92fe8d979615a922c9f7266340bba5e242f34f405acbb3d9c004bc229748fb875c030fc7607f821520e7ef5be52c3198206aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
747KB

MD5
c25ec6a1d88ff289c6d6cdb52373f64c

SHA1
f83cd1d341914eaa04c336a88d0d7cfa13d06c77

SHA256
3aafdb642126ea4f091ec590cb8ff2876c2cb45416c081f8e8d535fbd1dd1ae3

SHA512
59ae01c74c629f74298fc4576bd07420eca8e1cc4c5578b994129e0cb5f90880d7f22a8a99b37c9035b768fa61101bad7e40de522dd412412e387f25f6bb3345

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
791KB

MD5
537ab00fa009dc0285e78fd20ec00ade

SHA1
5ad14060a2a7d2b54de2c9fafdb39b8ca0e958df

SHA256
656e49c551680592421549557edf16a9ccb1ee55b91de97fbba400cb3aa7ac2e

SHA512
7558ee395933ad4ba8e20c359c4a0d77398a38e3cb82e1168952ef26c8a9dac72724a5ae48d6a31822ffa9ddd8fddf9404782f9dacffc5afab8ecb7086fca46b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
822KB

MD5
06ae8daffaf651b2baaeb8b32744c25d

SHA1
b1fc4ff96821c93be9890c3d7b5cc40c30fa179a

SHA256
82a998100f9f4e75aaab1882851a9a9f5f315ef2e69ea4ce72336d8ae5b27d2a

SHA512
aaf6b077816571a3098f98e6b32c5ef80ed76c090be29663e412d06fec9339a9a29b299a04e8abb5a1d19d8827175e5fb7b2afb5c09cc6df6978df67f7c11a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.0MB

MD5
48e38941d601c5f3006d7a943db05411

SHA1
8daabe8b14e672327969e2efd34264810e4ce538

SHA256
7a9148dc27edaa1a481374ae7846a2ba43a369f87f56f731a00bdc1cfd64c92c

SHA512
0e9ae1503ff20a8267a3833040bfb3b13a451a50d7ed4ea656dd6a4a8cd3c4934d30cc4cc222615a35c7efda052ada528136b7e74c09d7cfd50d58383da2500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
755KB

MD5
191ad9831c7b424aefd63499766ae44b

SHA1
c27890f160438bc4673a5c5754451a2f32784e39

SHA256
e1c18503ee26785772acca17b2488914b662e1b343466ef2e2c4c56e161f12a1

SHA512
e3e8f37e868c4e28004148d755099025ff6d86f302a1ef964807f0a7bdffbc200d2c2842e2f780b3e8d9545807ad4d1c79181fe5d20bae7a1b62c7975e5fc097

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
891KB

MD5
4250c553d142263302366c3b6e6c758e

SHA1
5f0458e60bf09dd153d46640a2cc8d7c2f4a1845

SHA256
880d55887b0720c4596b4379c1e20398e79e17a46d044f7305bc0676abab1236

SHA512
4a7a15dc352c3ac898160269b452d9c9b1c7ed43ddc664675bc3532fff9d34b2b9a40b4599d03f8deb057b801970be52545d982c896cef83388d88a064908142

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
634KB

MD5
ddda0135431abc75dc2fa8fa8990a140

SHA1
05508a6bfb5dc461e0cb5e3ddd8071f5465f3bf3

SHA256
044f94ab98ee03ffc0fefc1252d795e9aa45d48ba2cb259b83b2aa24dfe717b7

SHA512
4dfc26d468a5639c5742431839faf0494a8425b8ea3b49e950d5a0af70c922c44fb52d230ed7176f8177ad52d69a1957011e550e59db19776a9f997a7e361c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1108-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2180-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2180-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2180-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2180-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2180-45-0x0000000053A80000-0x0000000053B18000-memory.dmp

Filesize
608KB

Download
memory/2180-47-0x0000000001060000-0x0000000002915000-memory.dmp

Filesize
24.7MB

Download
memory/2180-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2180-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2180-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2180-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2180-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2180-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2180-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2320-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2320-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download