73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
296s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
22/02/2024, 12:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2400	b2e.exe
3756	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3756	cpuminer-sse2.exe
3756	cpuminer-sse2.exe
3756	cpuminer-sse2.exe
3756	cpuminer-sse2.exe
3756	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2744-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2400	2744	batexe.exe	88
PID 2744 wrote to memory of 2400	2744	batexe.exe	88
PID 2744 wrote to memory of 2400	2744	batexe.exe	88
PID 2400 wrote to memory of 4616	2400	b2e.exe	89
PID 2400 wrote to memory of 4616	2400	b2e.exe	89
PID 2400 wrote to memory of 4616	2400	b2e.exe	89
PID 4616 wrote to memory of 3756	4616	cmd.exe	92
PID 4616 wrote to memory of 3756	4616	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\5A74.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5A74.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5A74.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5D52.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5A74.tmp\b2e.exe

Filesize
12.9MB

MD5
6c1b5e25ef6772e0ea489fa666c100f1

SHA1
538f3f8fd9893bfdfb72427bd81a972e75914920

SHA256
7dac0fdc1f0babc7608d4ff25fa5c284713569a9af1d5c7f423bc6e013a08276

SHA512
2ff85a13d51865fc754d71e2132285a465fcf2ac7e9e98cbc1f7172a8e5acbc3a1eff44e23612f282370c73497a71564458f67b21cd4fb3ceafe4c273a8668df

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A74.tmp\b2e.exe

Filesize
4.4MB

MD5
8c35dfdf75ba2e4e0867b18365005ac6

SHA1
2c139681fe99e5375b2e8ee59714f0df468075b0

SHA256
3c52f1ccc1a1ad7002a6101dfbd7e33e0a7df33da28d748dad1c404bba421f20

SHA512
92188bfd60552d6ccbbc541cd726165e0f1b15a6f76de785d430803a580a7be3fb052058fcb5f915400be19ca93703de5d47ce9beb725ed863af20f765ee0c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A74.tmp\b2e.exe

Filesize
3.3MB

MD5
1d343273435dc7015946848f45a937a3

SHA1
8fba05611681022dcb0a694fcd0fd1e584ac2579

SHA256
4ad9dac7f17870a0bba3bc24a076d18dfc0685eda12a008f795ce44bf540f524

SHA512
945aa4194d00aa5b36f052b57e68f5a31136e3cd98fc772aec2a1a8d5f4761ce8a49b5a95456376e85dabd271516cd95fb7452ee3cab67c0e015736b1434c3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D52.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
719KB

MD5
57c179d3500bf418c8fccf53dee4e58e

SHA1
b5802b218569d4b0d978657ccb34918ff0a66e15

SHA256
1a92f7b4bc14c7ccd1e8b03d1ee486419d5bef9ac406e6baf6cece00e0979a66

SHA512
b948e37b5f8b1cf5b6c974ce5ff7375147a062b30562fdf6db55ed321c49c13aeb570bc55d232607c5164fdfe0de6fcd76de0fbbbb59d5246b4ea524df88c4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
635KB

MD5
c1cbfc6cf03f1ce49ca33af5130e8480

SHA1
c453c208cf4b0b66e9ac8bf650655133b496e346

SHA256
afa81eb338748d1594c93e1cd72d77476d01a4031e584ba82599b7cffbbc8ae8

SHA512
79eccd7c989af8bda314042ae658bbb5f2c0528fd3be9257b5a55e68ceaad7c37a19a15b3159b7352101bc757d355a0daa8229f5a0f55c989b323c606451d5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
877KB

MD5
b6325db5c1f1de7b66e98d50de6ca963

SHA1
f1a5f53e923ff3b044aece9007c0a28ddac70fb0

SHA256
18598c23bbbb904aaab125af3f139cc1eeca59a4d3ec1c68612c71b62bf917fa

SHA512
67274fffb42fde19e02c1d688b08712086c644c657f5e47975f92f7653bb4e0999a0d101d7f93d81bf800ff902d97c359651f57304c5591588ec16ccf92aea07

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
601KB

MD5
19beec9f4546713c35e9cded84d6b1bb

SHA1
449c65b2c52838370d05c10f1f336f0bc7cb7806

SHA256
34434c19d83d8042d4af32d58811ad0c7d8a7e47d587359ad2aa870277a57b1e

SHA512
44070a1cf95cb85853b9bfd0de4ccbac4a8d982b72c3f64463aed74ba78a08630471d88e3fda01d63a6dbd919b9768de5b67e454b8a93cb950e246ad270aa462

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
519KB

MD5
ad5bcd814918e036e3db6212169a581e

SHA1
a8ba44b35cc8b741f2f52c3018fd79fcb74a7c42

SHA256
e4a700fc18ddafb8ab2a8933e16794e7b15c0d71710088a8e340e3b2ecf4fff7

SHA512
9b040cde5f7a0bb95704875e1914c61cc5578e4cf2fa737d1b46b8f245eafd4d76539973432b283e61e0b0842aaec92cc29144d530a364f63f4c9af2735a973f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
768KB

MD5
613807ad6d525aded318b643c33bc17e

SHA1
2c9a4180140838c69c20bc4047c3d2d777d3bee4

SHA256
896775bd33edafb0d219d1ae3e973e71aa29a4937d0252bd3a4cad074c004971

SHA512
d688b0f2570944898097dcc6acb56b3a4c901073f0ce22b5ea260b05a37fe2840d84b44e7aa74c7d73078b0e5a45c24994852f5c03f049982b6ddca6ead89539

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
960KB

MD5
f3707fd5b389e53285dfb3815a4785b8

SHA1
788b2ac7be4acb28e804021893e11cdd44ee0784

SHA256
f7ef0e3e60989fac5636e6e5a018b730b403b75889125b56c4d07d6279e94c94

SHA512
f11d8577758db08f597987f525b4fc4c8c3f5181255f89281300968dc90fe4b298c322e3f531f768cd5014d116bb7161365c9d3fbaa76ab835405d8a1e231f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
411KB

MD5
6dc97b129303cde40d0866b0363c4c72

SHA1
82a000437ded80e8fa8aa957e6b485a225426190

SHA256
1dae5a8deb7114c66bdf58eeb6adb72ec6095dbda21b1850d18eab9c176cea45

SHA512
fb9ca999fdc13738d930c0c78aa8dec06adaeefedcc8c83638fe88def92f5cdb6ac720ab5506916ed782d1719b1a603daf6bc6735e9fc70efe84b87e4ac97020

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
274KB

MD5
6fa74b2cdaf86641bf06155a2ee5da4a

SHA1
1bb33791f19c438be0f6916ab3f9b1856e677064

SHA256
93cd217696b736069ffcf0042728e02e400a4f96ddfaa95439e35f8c81cdb66f

SHA512
b618082b9bac01638a491437229943b05c18b910620ffe579aabdfff465e6f42b88686f21613fcdb4e2739799fb8b4325b98c9aaf815dfe96f1a4f447c2c2b6d

Download Submit
memory/2400-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2400-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2744-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3756-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3756-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3756-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3756-47-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/3756-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3756-46-0x000000005B4F0000-0x000000005B588000-memory.dmp

Filesize
608KB

Download
memory/3756-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3756-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3756-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3756-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3756-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3756-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3756-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3756-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download