73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
301s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23/02/2024, 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3100	b2e.exe
3552	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3552	cpuminer-sse2.exe
3552	cpuminer-sse2.exe
3552	cpuminer-sse2.exe
3552	cpuminer-sse2.exe
3552	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3916-18-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 3100	3916	batexe.exe	93
PID 3916 wrote to memory of 3100	3916	batexe.exe	93
PID 3916 wrote to memory of 3100	3916	batexe.exe	93
PID 3100 wrote to memory of 2320	3100	b2e.exe	94
PID 3100 wrote to memory of 2320	3100	b2e.exe	94
PID 3100 wrote to memory of 2320	3100	b2e.exe	94
PID 2320 wrote to memory of 3552	2320	cmd.exe	97
PID 2320 wrote to memory of 3552	2320	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Users\Admin\AppData\Local\Temp\4707.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\4707.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4707.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\557E.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4707.tmp\b2e.exe

Filesize
6.7MB

MD5
d03380c7f456bd9a7b22ed6f2b461602

SHA1
0a6c45e90f5b1dc5baff26e5f66a96262a104678

SHA256
0eae7af010cf58dc7baf6bc31785220566d2e0c14e96a428b89e68119cb10137

SHA512
f48a9ae9a46b4325748a0d99bec70e5cee6362d4c3b99507e7317a715357108b82f59fa7568ae5e9ef22e320041753412721c0ccfbd7698caf4323f5ed608071

Download Submit
C:\Users\Admin\AppData\Local\Temp\4707.tmp\b2e.exe

Filesize
4.1MB

MD5
92f82eefcd7223139c8f5631693aa8ad

SHA1
ad1ab00a1afe0b49ba753465bb99e6402f67ed8c

SHA256
84ebb1b835e733e0d5ed220e3ce810feba60274503a5e8240eda3cc8c686fdba

SHA512
cefaf0d280979ef998113dd905f0832a7443ada4b758bf8b414bf9f9f08921be6346ed5cb4e2ff59254b9bbbb2f0414792664ce1622b460f2d6f44f3614cc594

Download Submit
C:\Users\Admin\AppData\Local\Temp\4707.tmp\b2e.exe

Filesize
2.3MB

MD5
1f6fbe69b89241b3d19bf26d60df1bbc

SHA1
ae8dffc300262490cca2960bf164b79514b56127

SHA256
42f812660c84f67b363e3cfd7f4d157af701c10bcd74f6672ec2ec10a5b7fe6f

SHA512
362ef31c6a340e20333e1cbb31563a999f55b98c47da9a6e9ac94aab969e602945aa1e544939a1681917340a9fe06c88a310b2dc1a1d8a57edd1dd3640749108

Download Submit
C:\Users\Admin\AppData\Local\Temp\557E.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
292KB

MD5
31084c2bd6f0f6b3c2dd3478a2704628

SHA1
0086d33e6a217968d20d1ea5c38275f95705b604

SHA256
af0b9e15220acd0d2908e0babae1c5e706d18eae283bddb5b4dfd6f911e978af

SHA512
2975805913873717bad76de6f9da71cbc482ef509a7d4bd611aa0688e3b79998a67f7bd97e1cce7d53a7515b19ce841926e1c035a704b9b6639c736ee61b814e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
333KB

MD5
d1fd22a87624ac88240fc9a619e34b02

SHA1
44c0817bf4950bc0a5db8cac5d457dc641d1f632

SHA256
24026397970fb677789328b95a44fd62505eb71504ceffc67bb12cf2916a79da

SHA512
bb4ada0443dc120007c812e6aecff8234c87b91ba4c65eca772b4b1bcca86846a18f661e2a94b554fac5e0fb2a3b590c6e0b81d1b4fb52b83b421cb48ad8853a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
344KB

MD5
14e7720ec89a886d3691be8cd896c99d

SHA1
519d76408858657be7a0e91244b7deb9bdb9dfa0

SHA256
d4496ac3204393571f353e3ddfb231cf214ea31e96dc3c6a26b112779a6c9853

SHA512
696fdbf75009a4a8b74a0a5a2683fefec255fb2919265ce3b6808066fe7600e2e029e3f8e69927eae79987b6499e3de968dad06a77835a18c30685f71b300bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
239KB

MD5
e9c4edad547a910d5ee533701e267cee

SHA1
b3efa372059769157e004d4d5a21c3527ec5297d

SHA256
1686ac52a361020f4d156cc0ec725139fa87f57858b23deac6250373908dd70c

SHA512
b0e528c33ae8c2a070a1a998dabcc1cb1f9f9506b6caf99329df795a51fff29609b8b52ac908862c1c3752a455ba6fde20e8ce5840046185011932a11b1a73c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
304KB

MD5
234e568eb5a6510bfaa04bdb1ed0b4ef

SHA1
9b2d58877872c7f8e7f9928bf2c75490080001bd

SHA256
951a38a2e5dd684482374fbdfc93eeda4aaf8258f6bf2562d7b4fd4f2ab223b7

SHA512
b04bb8182a3948b49c67b3cf92f84f6cefffeddd5b6814bd1b7110416a00216fb06ab1155cfc0eb33a7a9dcf98da268ec1b65d00417466d887d039ade77baede

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
233KB

MD5
e7e5e1cb434c792f2b295ff74f2274a6

SHA1
07703e97ef272b3ee7f778cff09ed8d8e8df7afc

SHA256
eadf9788ab8eb6e30892879fc25fd8f9a59ec4af2c136422c1b0611ff6d2faaf

SHA512
5eec971f1fe7cf3bf0d466c859523ea0b2b74bd39bf17fd70b838d3366fe949ef10c8e351e5757449d6577459743a8bda5f7ccf8173d0d027d732d37fde1376a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
444KB

MD5
827939f0bcf2e05e56540ef29eee3a0e

SHA1
98b5aebfc4f72f2fbad4598d94376479e66fa51f

SHA256
93af63ca221bb041f3bf87731f8c043c1a5da6d087ebc25bd8f1818a4142f03c

SHA512
fbe9debc395ef5105bfdf3a00deb6108ce6d7e2a2f2d3c43c899549c12d2104fde1b4b154029b905f3baab65c5e5dcee252480b0add7e2c9a7bf14782e497f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
184KB

MD5
6401745096c73ffa51d3d153754f1041

SHA1
a7ef58ea47c00c6f592b088e08d89c7652124e13

SHA256
70e0466efd8be0bf2d2cfa84cb488e7eff76491a41ba9bbacb9eaabf4d17c2b5

SHA512
aac8766e64e909710b5be18117d817b9f519276deb80ebec255a34c806f961caf3591574e72865ff0a7e27f0a120198f698e71e98c2e77cf5083cf8a99ee0c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
361KB

MD5
2fd43d9195b88b38c7d868b21e56d4c8

SHA1
493b24015d7ee7375e81dcf6a4606bd468aa1323

SHA256
5a6c96153e39bcd6e8c7d4d7cb1ac34422fcd5ba738211d54d7c073c7ff39cbb

SHA512
0da10a4ce3770859b3fa7a09f91b0033bd0e53cf0abb8601db4d9b20c5b8297a7e79d078dcca28b324626a825220da435196a936ffa01e7c3a31e170ce334396

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
219KB

MD5
045ece139689b808ff84ba0ef517e4a7

SHA1
6ee14e39ffec354dae1ee134020eea8e9c384936

SHA256
2ae1ba470dd270dfe02fdba8a2fafb64c7bf94b52cbffe7b76c98b8e6af21cd4

SHA512
835a3deef2ba98638115f0da85ad5f23ce0b98e5783357f7dd5a3048ef68e4e02d8412e98764055bdbdbc4be04f51f3f611cda63bde7add7b7533d8055c54c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
337KB

MD5
a5ebbbe479e6147802c72308e1cf3807

SHA1
67275451739d918ce663d2e2e6d24d311d8aba39

SHA256
14d5dcb27f7d7c8fce22c393cd1b8ec5537f3d039884440dd8da4ce183ca0309

SHA512
851328f34780cf0626b2d9a11abc17b35f926a1c61d8deff06b661ca8d3aa1e2b23538a518f432f4980178c650c21b5636f18125e3a0bbdef6a19a60613d0938

Download Submit
memory/3100-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3100-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3552-47-0x0000000001070000-0x0000000002925000-memory.dmp

Filesize
24.7MB

Download
memory/3552-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3552-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3552-46-0x000000006DB00000-0x000000006DB98000-memory.dmp

Filesize
608KB

Download
memory/3552-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3916-18-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download