73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
296s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3288	b2e.exe
4612	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4612	cpuminer-sse2.exe
4612	cpuminer-sse2.exe
4612	cpuminer-sse2.exe
4612	cpuminer-sse2.exe
4612	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5116-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 3288	5116	batexe.exe	91
PID 5116 wrote to memory of 3288	5116	batexe.exe	91
PID 5116 wrote to memory of 3288	5116	batexe.exe	91
PID 3288 wrote to memory of 4604	3288	b2e.exe	92
PID 3288 wrote to memory of 4604	3288	b2e.exe	92
PID 3288 wrote to memory of 4604	3288	b2e.exe	92
PID 4604 wrote to memory of 4612	4604	cmd.exe	95
PID 4604 wrote to memory of 4612	4604	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Users\Admin\AppData\Local\Temp\5803.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5803.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5803.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5B9D.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5803.tmp\b2e.exe

Filesize
18.8MB

MD5
c14d3706c17fdfbb9017b8706ab0869a

SHA1
e5350f74f33a1fe6e7d2580da6ec700934ea63af

SHA256
db0b4b744935bdf5a3c719a94eb01160ef19a832cff74ed4ba7d58e5db1d3f0c

SHA512
f71381d491315441ce0281f56c3e262baf04c23bf84c27ea38c95f538ae6d61834fa44c984d0851a6b5f26b1c608adbb4461a9b36e70dc1e8b1b563424b65a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\5803.tmp\b2e.exe

Filesize
8.1MB

MD5
0074ed732dd43fb06aacde6b570db0f2

SHA1
54ba96d0307d98c8f2ebdd1dc6dcc82060cc89ec

SHA256
527d16c30d1cfd8d9292982d67be8cfdf8f4421bd0d5f0ac2b82668648d91a67

SHA512
5caa64cd68509e69356a987b996f06ca3228ced3e946c048a88aff2270c826ccb88b153a96a0c1b323e3facda5df387274435a259312ab2ae9a96152ad873630

Download Submit
C:\Users\Admin\AppData\Local\Temp\5803.tmp\b2e.exe

Filesize
12.5MB

MD5
3d362fdc80611a5f07b44b04afcbb048

SHA1
e14721fdbc1046a2af803e59271d05c60d6ff722

SHA256
2d445e0b853f558bd541500fde7822c5971a83a4d23d4fcb2f393ea308f9cbe7

SHA512
c5d7f2b8e57819013c722ad7c032637b48692892783330f28068ed50db65d43391fab66b83b4e6761a9d891db13797934c88d7deab532297a3197bc6420cdbf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B9D.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.0MB

MD5
c3d8cd8f8528fd7e6fd62c51fd1d9058

SHA1
94047a6308f2e3bc22aaf74d5ba5b15c438757a4

SHA256
80d1ee1f1ad59a18ea733f1cb2aca8ddce62d4104d4e9346be90055b9b95cf22

SHA512
fea1e9c4ccc27b987bed71bc85988574ca7b41cbd96468ce7f62fabc96b75d4a3d34d27615e598578047b959c9b233736786c5e3cfeeffb162de991709e751cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.0MB

MD5
76ea52369bf839e9d5cb46266ede1d1a

SHA1
9bd936be139b8eef3ba7aa5816303b5364455b34

SHA256
0cb19594dc94adc2201f5102cdfb3b6de8ef04ed363256cd7c6cff8efec16424

SHA512
d69d569f2ced15eb0829529b51ef27be796eef9f056eeec002ecf29551a341ef8b375e0b034f7efec0787b1ebf3ddc7406dd1b406e06df983f5883667c6a01b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.5MB

MD5
4a145384e2285ca79d6cf96b42384fcc

SHA1
686c98429335eddeb00f45a4a173fe45f33a2815

SHA256
e53ac209bc0d3c45263c5d94c3aeb9c8a3bc68c006e1c06d9dca5d06ae7d31a3

SHA512
29dc8f0a0ea6cdfa8d20360640bffe73eee60088d4bf5942f9f0d320e588e76c6411d9a376c50d1fcf410ba7818de2eaac14e9635e9e6076cad398663e43de72

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
3.0MB

MD5
d7d822c31931e3de062d0ef338952c24

SHA1
9e47370641f33a2dc8bca777a5e0c2099358a449

SHA256
d3801c0b13c866ed836c5dc32c58545f31ae62d66abdf289bef9001674cc3883

SHA512
7d145c02f3386c8061afd421b5072d6221a427ad9e493d9777bc7bbf8ebe50c9fea26150a428f5ac87a747730bf6303db51d021158f48c417354e8e02f20f337

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.7MB

MD5
3974a1076a039fb1de9309cf7653570a

SHA1
567cb5037c09adb6639184976827f870052cd5fa

SHA256
a3e237bdd0bc509c33757b6ba507dbb58bec44ee184648fecdfabd04bbe20782

SHA512
bff96f5526435158af22bbc573ccf3cd02bb2d13ea2015c84a2ac16c54bc580b12f419951676bfa3cd7f0dee06431152dea8b7e95badd45e13704a032f07d708

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/3288-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3288-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4612-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4612-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4612-45-0x0000000066260000-0x00000000662F8000-memory.dmp

Filesize
608KB

Download
memory/4612-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4612-47-0x0000000001130000-0x00000000029E5000-memory.dmp

Filesize
24.7MB

Download
memory/4612-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4612-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4612-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4612-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4612-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4612-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4612-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4612-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4612-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4612-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5116-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download