73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
301s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23/02/2024, 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3120	b2e.exe
932	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
932	cpuminer-sse2.exe
932	cpuminer-sse2.exe
932	cpuminer-sse2.exe
932	cpuminer-sse2.exe
932	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/232-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 3120	232	batexe.exe	94
PID 232 wrote to memory of 3120	232	batexe.exe	94
PID 232 wrote to memory of 3120	232	batexe.exe	94
PID 3120 wrote to memory of 4688	3120	b2e.exe	95
PID 3120 wrote to memory of 4688	3120	b2e.exe	95
PID 3120 wrote to memory of 4688	3120	b2e.exe	95
PID 4688 wrote to memory of 932	4688	cmd.exe	98
PID 4688 wrote to memory of 932	4688	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:232
- C:\Users\Admin\AppData\Local\Temp\4A23.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\4A23.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4A23.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\55AD.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4A23.tmp\b2e.exe

Filesize
3.6MB

MD5
a202c43df284047b4026052f2015b382

SHA1
531129cc3cff7410080574b0fd1f8404c8c343d6

SHA256
22e0189ee48633fcbb780d8ce081c027adcfd289ce6b90e0dddf506b78a59a66

SHA512
03192f196ccd2100255c1fad56bd14019876f87509f7215f1af469e93a9e4a8686d7bd18a1273d46e05711d1017a87948b4299a6d4597fa66001b29ee310cea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4A23.tmp\b2e.exe

Filesize
577KB

MD5
4f11930c4f40ef370d411846b7ea2351

SHA1
6e4697b3d70f9934dfb7bff3ca6ad8715ad6f26e

SHA256
a3d1785f1e2a853f58bc60da9e1ec5574544d275be2188271dbbc8591c43d935

SHA512
a23df60d62e53c208a3c05910d8c84e3faa1b72a9a5322125ceec3e68266d0e0ecc281cce7586ae5f764cd80d4fc1398122d7b5be39b029a5686bc65f41856bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4A23.tmp\b2e.exe

Filesize
418KB

MD5
f483c1ee0c0cdb6178d86941fcccc563

SHA1
41619852187160d11bd890586ee67ab458cf1f1d

SHA256
af39a50c7e7b027d087e7c6d367ad7fd24fb31cc3bb3613bf10fd2faab191ff2

SHA512
19b7725d306c74d52f1049e803a49be2f13fe4844bad82357bfbbeeb2f9eb2d22358570a1fe96fd39d59a79ee63e5e203977383751bc3a432db23d3d239c82e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\55AD.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
296KB

MD5
4212582f1497c29caef18f9df2e84b07

SHA1
133951571e3e39dfc4174d90329ce6096a9a191b

SHA256
c8ae32bdd6e67f2c64912c62baf48e979c9953d44237c1490af6ec48a8a918a0

SHA512
e2570553acba50c30ff7100fac18cb582c46e426af2b939749d819b69550083eaefcd9678540d240887595b9abc4b166ce3b2b84bb28328cc7f62532ef3b9d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
387KB

MD5
94f8a4d58c798f21a7887871cd80f1a9

SHA1
e4fd0f50572b4e6c6ae992077e72657e94bd6abe

SHA256
9cab81b7744eeb11d89469898e9e29860cfecd9840c8d9c1c3c80004f15957a8

SHA512
23e1aa63851c3d9f1caaab7dffcaf3fbac0e9ad64d099a4285059954562a92da893947ee34aa4f862a86a578bf88c3197ab49a11e69a5553c2f449706f7143e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
355KB

MD5
826a6480c00af48e3d09695e42206f03

SHA1
4a27ab8729c3ce21e30395070bb2a46dc037956e

SHA256
7d7fbdc2aa7bdf78fda643ba8fa3c4f12dcd09ae9b93d9f6e2190e0a61c3cb96

SHA512
70454020ff1f08788702550228ff2c5028fd095e86794b1bc92f5da80d56886dd6291f3512cdc4011d0829b50e38b29eb9faa6b596abba1e84b87a72c9cc7b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
254KB

MD5
6d996a5b9bd78d67a461142a076189e3

SHA1
9569c9a6adb991ce23c476d3a172374ff5fdef47

SHA256
73378469169c199ef1fceebdcfa4ecc2b137dafd5b0cbe991b373d94086f0380

SHA512
7eb99658f7142d323d251f33afaeb2b670c2d1419e6173f1268e2651a9ecf46e2cec08299712ea23eb89162e228e4784111a5ce3e923b5e1ad52191e84a26c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
189KB

MD5
b12520462da25ca938707ca467ee88e0

SHA1
26fbbef7fb67c9868422d15910b2029c0c90b0b3

SHA256
f08282d159b6f452548d4e9d5844f3bd47265b7f399aa8d530a3a90699fb6fbb

SHA512
2790b569d7a27800cee7cc4dfb476db10d1af033f9ced534411fd0548fee4ab2b189a1b313c4cb1d5805dde2c6e16f8fc2ca870dde46fba49688b5dd7bcdc2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
187KB

MD5
482dcaaae4e1b937dd1625d3108af7a6

SHA1
4e02e29a43d220d5e1765027eed61fef6a08c6a1

SHA256
132839e725f1b571187e1ee3670d6f70615a0e5e4c008ee09dd0a389423f3e9b

SHA512
abf8bd28ae7d2f21a1781100f837a475ec76e5d2220f9310ab08b7a820cca2734517e3f88d637341d1c6afce256d762236dc6586f8171c95082568c5e4a0e35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
64KB

MD5
e98583e2f3157ea2561f40a91a79b195

SHA1
770932f48dbea7a78a3b21e3df65e329a27313ff

SHA256
f6b3de2ac1e9c449daf82a3bd6fa52d2ed60e73e8cdd25d5d2194586a8d10de2

SHA512
cfa97067447a389dc5439dc42ca467f97947fa7010314cad0b99655688361721720bb33e34a1c7b22c93d807327b756109f63d15a40df5aaec620b0d0e1acc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
311KB

MD5
ea9bfa0aece2920eccf967e922ba6d68

SHA1
337a5a67da64ffc84334c3f1c70de727a2a6753b

SHA256
4428945ee5a30d0b64d46d23c6b1f4758c450f910bf35ebc68b1e5870906dd49

SHA512
013ce42edc87b28353d3735effd7db50c674a4a10e934511d3a4b37027aba2bbe2a3cf6652f96312521bd579a36c6fccb99072eafd0d363b702741769f5e50a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
135KB

MD5
01c60f07f1bd5972b976276c79a85f28

SHA1
169a19dff6a18a8bf4e815dafe4e8e95b0fed299

SHA256
8e4e439360b19643dcbda1d4a91e33cbd9800668d319bccffaf320d395268337

SHA512
abaa6fde5619dd36a8867658c6c157cd3808fd42bfe58a07b913e134335a0beeef29ab2915871f55653d02988ad552290b62f159b68721d73227daebee64118c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
187KB

MD5
f44215d787768112b431842ab4fb09ad

SHA1
58ae06e97267286c833601694ff229b76148ecbe

SHA256
95cc0009bc9b758ab31a1ca64da8b11bbe41c8338a4ade24bd0851f1f1c0badb

SHA512
0a333ab554682ccf9b1bdb8fdee69eb0b5a406a62be6671ec8a83b10f892370890f983445d50a841d559045c83a095dc3429110710e31847ef524b9fff7c35bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
157KB

MD5
444eba2f43c1c8718c92a0436901de32

SHA1
df0e8df8abee39d3feb19119e4fb02fabc62f329

SHA256
2762a6aa2a5f252fb515795fa2edd43ba9fdd2f88ad5b0482d9cf5fdb2563d20

SHA512
171330886cbd2313ed3bf98adbb822ffebd950028a5cbba62ea5bee415bb1214c191bce7f27cd07347cd4b111b044b50fd41c4f5fca944f5644d3258a9ff9b68

Download Submit
memory/232-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/932-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/932-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/932-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/932-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/932-46-0x000000006DB00000-0x000000006DB98000-memory.dmp

Filesize
608KB

Download
memory/932-47-0x0000000001060000-0x0000000002915000-memory.dmp

Filesize
24.7MB

Download
memory/932-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/932-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/932-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/932-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/932-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/932-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/932-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3120-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3120-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download