73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
293s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23/02/2024, 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2928	b2e.exe
4332	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4332	cpuminer-sse2.exe
4332	cpuminer-sse2.exe
4332	cpuminer-sse2.exe
4332	cpuminer-sse2.exe
4332	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5116-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 2928	5116	batexe.exe	91
PID 5116 wrote to memory of 2928	5116	batexe.exe	91
PID 5116 wrote to memory of 2928	5116	batexe.exe	91
PID 2928 wrote to memory of 4604	2928	b2e.exe	92
PID 2928 wrote to memory of 4604	2928	b2e.exe	92
PID 2928 wrote to memory of 4604	2928	b2e.exe	92
PID 4604 wrote to memory of 4332	4604	cmd.exe	95
PID 4604 wrote to memory of 4332	4604	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Users\Admin\AppData\Local\Temp\5813.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5813.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5813.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5BCC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5813.tmp\b2e.exe

Filesize
24.9MB

MD5
3ca26f4653211b275f739b9544228ccf

SHA1
04ecceb43d18594a8ef2a6205e7fc27946c343ab

SHA256
b6e97f3485b860344c1f4acaea2e748619ef630fae338ba63b656ecf077f21ed

SHA512
4d49129ef75d2016e7d8d266e61fcaaf631bfa20612fedd4bbd567a0c9243d189b419ce50dcef159c8428e98bb4ef4dfad4ae4ba9d307b19869e1de8776a9c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\5813.tmp\b2e.exe

Filesize
8.8MB

MD5
ebacd64b82781134afeedf308a5240a1

SHA1
60ea28cfa3168383495effdc3fd4529fdaa6a99d

SHA256
cd42447350391fcd6b0127e161fe70bc9c8999b1960f9fc0be8e4c2958208545

SHA512
021f76d95602c5b9dbb6835264a2ae74636b4f73c8185435f67850633be883cebe3170e1c5fa39ad7d9a35a76c99da450c5a68ee99f4401f14c30762b7c8b375

Download Submit
C:\Users\Admin\AppData\Local\Temp\5813.tmp\b2e.exe

Filesize
8.7MB

MD5
f3b9320f487c166f601b2776768a58dd

SHA1
865e7a82adbb4ab01fda8067814a1b2d3671529c

SHA256
7810852b746e9779c63222bbfef6e30f494f7da3aa6f1ef3c7503e4e6a985041

SHA512
8b5e214cc52f407fe8d06ac649e03be1e850dc32ab29e39e799e4c26c0590bc0cb3b90319555e5a4b56836aa9df82a606ca2c3fdf54b3b3da4f4ad41c55da6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5BCC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.7MB

MD5
8c720b68755b4ba6821a4c9dfc36659b

SHA1
de6e326d535db8d1a2aa969db4633cc8d23ea218

SHA256
670cd628a866d827683bff2dbe1b4cf34cb18c9ac467ea6f555846f688bf11b7

SHA512
388d93d5769265c994d470bd7fdbe8863641a83a688b7c64cb681225ebe16286da94f53d2769bdffb8e93dc2eecf761b10f3751cd30947ff4f2b1a19936e4d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.3MB

MD5
14879cc84d7b9dad689810e032052ccd

SHA1
6409a2c4df53e5236a08795d59e2ccf370884ffc

SHA256
7e81da9e8c67bf9c93c1d83fc3e8aecde7b9ecf09d8c30f89c0824705a96e5ce

SHA512
c00a595b4eb838adae6aa70395e25da19a7393afe4f63213ed2e95584b8443f379c0dace3c8c9405d10778efaaca37042796999246f8b81b6b8cd2201d076503

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.5MB

MD5
f75221b4fe2fb9f150f706c1810a3c96

SHA1
24f397d214f920725834193f08e432faf1f1615f

SHA256
012a9ad8f285ae5032fe0c16eb4d8c39665cb4d19af3b10f6155d6613dd1db9a

SHA512
0d25b15e308cc7da26bb57dcf3a6060106b3a8b1685783b53e3fb6966b18062367db0c4fe2469bb77bc6ba4b15e557e04dc466d907714f1c7de72a7dbaf48e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.8MB

MD5
e996171118851ae5747b946f8eecd2b0

SHA1
2ca1dc32df7a1262b535137ad236f120c74ec54e

SHA256
ba435bc42e48b6b6c81d13a3fdaa8fbeac07cfe402ce328698ff07ec847e156e

SHA512
15d5f5fe70d349d14c81b1f618b8b7672b53c377a0af90e6221aab6fa5f7badd0ef0709400050e65c7ae0ddaf90bad06f22ffdd3f10815bf60290f2d6983eb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.8MB

MD5
940ef3b1277ab3735cf726f5fab9168f

SHA1
f982b43b2af494d080076844c2a6de39b72ab788

SHA256
9175daf154f9cf0f8acce74821fed7a6838058d920c841b44d35be17571a1004

SHA512
429a5c89abea52c09a80c4b92a0246aea5083057bad315865c13bb2526a375faf7a435f01d0dfe05f128ceb9d02e6ab8db1eb499907c8100b951cf397a990291

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2928-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2928-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4332-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4332-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4332-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4332-46-0x0000000066260000-0x00000000662F8000-memory.dmp

Filesize
608KB

Download
memory/4332-47-0x0000000001110000-0x00000000029C5000-memory.dmp

Filesize
24.7MB

Download
memory/4332-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4332-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4332-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4332-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4332-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4332-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4332-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4332-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4332-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4332-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5116-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download