73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
3196	b2e.exe
3572	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3572	cpuminer-sse2.exe
3572	cpuminer-sse2.exe
3572	cpuminer-sse2.exe
3572	cpuminer-sse2.exe
3572	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2664-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 3196	2664	batexe.exe	90
PID 2664 wrote to memory of 3196	2664	batexe.exe	90
PID 2664 wrote to memory of 3196	2664	batexe.exe	90
PID 3196 wrote to memory of 3540	3196	b2e.exe	91
PID 3196 wrote to memory of 3540	3196	b2e.exe	91
PID 3196 wrote to memory of 3540	3196	b2e.exe	91
PID 3540 wrote to memory of 3572	3540	cmd.exe	94
PID 3540 wrote to memory of 3572	3540	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\610C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\610C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\610C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\63DA.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\610C.tmp\b2e.exe

Filesize
476KB

MD5
eb67adcadf1f5b4cf24fbb9d56930147

SHA1
4fa93b0aaf3ea252bb6eaf3e6a19ba28035d200d

SHA256
9bc9741c2de4ab2b0cec7222f72c63073597f858aa8c79e72fcf5684b81e957b

SHA512
72d1136cdabdec19b448410e889a4207749d1d73a2c32eef66c7d8c9d34728400b107c36ce2e0a1dd6b7c5d1b66f0bfc36b5902098d5ef336ebff40e4a88ceda

Download Submit
C:\Users\Admin\AppData\Local\Temp\610C.tmp\b2e.exe

Filesize
214KB

MD5
cf9c707eb935aada342994f689e45052

SHA1
ad296045fd4ca8d641c468df8eaa0df1f79157f1

SHA256
1098c325913ff4c2b57329b6b403461dafa2ba389f19f953fad1d0a9478dc755

SHA512
d64e0f284eb646aca398140800ee4466805d7acad9aa3429aba78a525e6647c9742ac814eea0f7e9bfeac0edb6f8d97f6d8a66bb37623aace5b1d898fc60e1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\610C.tmp\b2e.exe

Filesize
231KB

MD5
0f77d6e2dac334fc7756cdc1e89a5a8c

SHA1
a0efb5758313fea34dc28b885fcdcb1d1d6817c4

SHA256
421f1a0319b17d25572587496c56569600b1deee8e91abc777b5cc4c32ea1e0c

SHA512
4822891151fb25a52200735fed7ccb1df514c1d2486e60fb5582927fd880347c43d258b0d46ffb58ea997743789abb25a2a9d9f43ec648408104988572661887

Download Submit
C:\Users\Admin\AppData\Local\Temp\63DA.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
661KB

MD5
d8f986fb19b388ff333b9b02e6d2ddcb

SHA1
0f7062e7d104404015bf2f36d1d57bceb656068d

SHA256
beb69dfe224c8e39e1e1425197025ae119d9d6bbf12abe65754c8181c8293dbf

SHA512
258e3e234f700f72afbec7a8c449c29494b18e23c298e1cf1c411fdbece8d1c437b6d29d0a4522b8d3cc3d11e1d24399047d3559d5cccee3da772cfa00739749

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
782KB

MD5
bb2f375dc6a80e5a12c5a9eb0b7cc89f

SHA1
b3c19f036e6ec13ba5194bb32b8735636c0124d3

SHA256
f370132c2045efbdd1192766cba0acd699529fd40c9376846af80a21600c54e2

SHA512
36bfba44d5b5934d978d7fc6ecc3fc4b7066989f3e93c562ebd2f0d5412f6c331d8da212b237287247d2931781171fe884e55ca27492d585920acc8746994f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
762KB

MD5
ad9b6ec79df4d76b0970b8976050d86c

SHA1
19967af269da2125a274c89375d0a5e8f84fa4e8

SHA256
d41787b00ef020613403479f32a3eef7b660f08289f9ebe7b3f4d0cadecfbd71

SHA512
9426010f79447b23e0ebcd293459158a22ba46d89e6d642d00a6230dc5998229b7657bc2d699221a5e3cff6c917a7299eb56df9d0e9b35178b0e56184e9b185a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
967KB

MD5
4df71ffe42fb9e75196be60bdcf4857a

SHA1
884dd9c9ae6b9931bdb46022bf720be29a5b903d

SHA256
372ae4600df2232d9b46b70811345c3871ab4b1bf628ffef10b6a5e4f2786bba

SHA512
1516b1d278730a7c73087ecc1883f6f268c9e196db7bba81435266d0b4e962302ff5b74418625caafd92caa8aef71b8620bb8e75696d54afc108f81ff54ea905

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
942KB

MD5
77197b5c8faf471c7b157262b4ab2eaa

SHA1
456744dd931e4e8828ba7fcc5d2cf0bab3724442

SHA256
9cd9b47d6eb76b8e057a39ac639abfac46a983e0b2c6a91bdba1ead14280040a

SHA512
78012c3e281068d0943e5fc4e2b6584e83e59f8e924974a8619e02dbeda265cee70a3c46482d5e69dda2292f32801693d1801984faca8ec63cbed0db05052ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
929KB

MD5
238e76d1ef75de80d89337d9a6c588ab

SHA1
91ce42cd77ca3e5a5f1a3f2d9d1cab5a13608e46

SHA256
0d69add6834a94cb65bd108e931b174b64449a64e7c8a310380939456e8eb9e0

SHA512
a3a501bb04c405bbaf04e608badc3987986ff6f222a85324460b8b6cc1ec0ce93374470e59d7aa6433b9728b478f9a0f31fd9a8d96b83e7977e9fd385f844c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
732a4862588184c602fb10b80707f7a0

SHA1
859a314a7ab70e13dbcfb20d36c20ef3f1fbcfbe

SHA256
47c32ee0c97490c764e5471dce1f4e0eaf8045490816f52b8d4f18120fb8f4d7

SHA512
b44702bd600bf71b9f7bb07aae646c24dcd70cc54767dd80e9d8c5750a5b4f0f36ab768d9a427fb7039e725890154bf66aedafdf19d3d9fdbeaaef0a326fb1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
980KB

MD5
a175d3353c6c8f3d806975bf9b5f427e

SHA1
03193a74115bb270618a5116798d8714a2db213f

SHA256
349b5af6622c9eb0eeea079ad3b5994cdb434ed8067fc6a0de69d632b2d5eb7e

SHA512
cd65335a2d4948efce831b5bd72225f1106aa9e0df4fe0374a14360fee04a13cdc76f5b5edc8e912267eaa7460eaecb8de16a452c0857d0bc7d7cae91f660b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2664-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3196-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3196-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3572-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3572-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3572-46-0x000000005EB80000-0x000000005EC18000-memory.dmp

Filesize
608KB

Download
memory/3572-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3572-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3572-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3572-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3572-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3572-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3572-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3572-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download