73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 04:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4272	b2e.exe
3516	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3516	cpuminer-sse2.exe
3516	cpuminer-sse2.exe
3516	cpuminer-sse2.exe
3516	cpuminer-sse2.exe
3516	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3464-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 4272	3464	batexe.exe	91
PID 3464 wrote to memory of 4272	3464	batexe.exe	91
PID 3464 wrote to memory of 4272	3464	batexe.exe	91
PID 4272 wrote to memory of 3104	4272	b2e.exe	92
PID 4272 wrote to memory of 3104	4272	b2e.exe	92
PID 4272 wrote to memory of 3104	4272	b2e.exe	92
PID 3104 wrote to memory of 3516	3104	cmd.exe	95
PID 3104 wrote to memory of 3516	3104	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Users\Admin\AppData\Local\Temp\8D9A.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8D9A.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8D9A.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9134.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3104
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8D9A.tmp\b2e.exe

Filesize
306KB

MD5
ba8bfb26cc15007ccc6253e8fbfa41fb

SHA1
86182348ed841ead30fd236fc7b968e0a3b22fac

SHA256
f5f21b8091966754211209444b2709ff93e28f107703a024d429f3095d13dc3c

SHA512
b48b94303127877f837c83f9dc361e44b8de27d4e0ce8571b484b89aa468d1aa0404abea4ccd14e689da7ba724bf7a2e13e737613a5759d8739eecdbda5c9622

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D9A.tmp\b2e.exe

Filesize
2.2MB

MD5
f66fbd1c33a6523684d2790beedd10f0

SHA1
6a365887163895fd13bcca2ab93462f99c770396

SHA256
16ebb4f9901d5ac164a4663bbde3b8e98b3804a1ee4a398a578abb4e0a6af580

SHA512
ad85adc0e67339efec888fd24ee858d1d7757abb446ad1580721f4654194e520e3127a73d6e3d7c57ab2458585033684dd5d39b6bdd7d160dbd5fa6ca716359d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D9A.tmp\b2e.exe

Filesize
2.4MB

MD5
4f2c8f7c7e35b999e6f348f6721c0186

SHA1
c6f0b6303eaf116221d2a6c59703335a7881adbe

SHA256
a0abd0348411268fc10217338a0157c9578c85d8f356c1f60106c3d5c293f12d

SHA512
01ee6ac1a0e3666178ca58d817ad00ebd1c449c7d47be9d3840618ab99d2a4478771d6e8863f7b1db6e57e78824503d0b9f6552ca83b117f29ec8355c1410356

Download Submit
C:\Users\Admin\AppData\Local\Temp\9134.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
950KB

MD5
475d7b3975333f31d35c2901204eab6f

SHA1
862528f59219a5898525b24b10755fc2e66ad43e

SHA256
4115f718684b420147c6d46d170f6a9c071cffcae58fdde5b53ded68a891cc9a

SHA512
da32e22fc29afc687426b51991802e004a6ca2f043fd889bdffd188b82b2ed4ff1661bf8048d42822958e383bd22ed4a89697ebb0f689b84dfe2ea119ce5f70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
896KB

MD5
9f9a8fea08bacf3a1d155567fead5940

SHA1
9d9ba8746c585446f53f442b800e1eb28a0df86a

SHA256
a22f9d8fb953e4f6bc93cdcc8aa650a5a093f1dd400fdc501d5aa7b00bee0289

SHA512
d41a048619373832c616d48f919595ac50dfbbd68095aec008b30adde91ceeeb86326c7d412ab20d937bab7096fb8165d3da8b4fdc40a03cc32da9ee3e9dc2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.0MB

MD5
21890f7c455953fcb6fad031f9e33388

SHA1
556d6d98a0f6dcec582942864aece2c733d79a1b

SHA256
2a44d05476cbff0302c98ab3815942cbefff5516cf4c31ef4260e2fc9693164e

SHA512
8c7e70b0dd157c7d497269cfa4ec18f81e9292187eca0365a6515506a6492c8b982ea83fb350b8a0b97d5340e1a73325cf74d37125c128cc28915876d544e225

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
960KB

MD5
c04202d27a40019b6a699c65c9a0ca4d

SHA1
9af641c8b836c4523ba780e09954369085e73e28

SHA256
e8acfe0c4452c40ff32ba0fa7dac6b8374e9e895be2af35dde5d59e72945a35b

SHA512
79c5716eaad6d216871478ee40adce25a762bffbaf0771a9057cad2e54a4df025035cb7d67f010026eba564790812c4659a261506caf361441d31661cf9aa71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
639285c2d1762fbee683b503c0dbe979

SHA1
c5e5215727f9e12bcec51e87f9c06b804891d68e

SHA256
be6000d1c7f5c67050ea09f47a890f82bddd23105c20be0c1fe3c8c7fc9cf2ba

SHA512
756f7e2f5c7642e163ee0d9646f03f0e95720f0ec7b22ce36309e4bd49962f5bd1964d484f39014756a501910e6400d37fe7709d3f689a57775fd6b2c5a0d694

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
604KB

MD5
a5530a5a063176fe2f01d1c9d26cb4d2

SHA1
1e54dabcfc480e49cf9cd1c6dd59b154f967d21e

SHA256
bfda1518378f4c5da27d498e394cf09d26f507f9abd6c1429825433f5ebc3d32

SHA512
184c73a416db6bda5a016bea493b148f51652fca839400e9c0ebecc8f56543d9faf8cce1010ef6f49b0dd64fbe9e79479af7bbbd804ecb267888fbaae83262c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
767KB

MD5
6905dca53b26c7efe1c03b0bba85852e

SHA1
afa4b5561c333c3fd8cbf5941b84dc9d1d18f8df

SHA256
19723461f86cf275cd9f6eee0ecdcaa508b7cf151ca5853ba333246f52f86c43

SHA512
b0a79ba247bbbe962575c1d1c76fda052ffb1b5d4c9f30e1be8890d1166e3743572d5b928244b95b6ddef5a9ce13fe08d5bd47a6d06fbcd1d2590def81f4e42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
256KB

MD5
eca0c37eee65c31b869788d5d0bf00cd

SHA1
33a5c0cd2f0a7296a5c0169699ed8e065b57e5e8

SHA256
1d2b7bd4ddd99d627d5111252baadf028dc9910cf414892867502e5951de962e

SHA512
5f302da7772fca0a6d03ffd8732850f526acf5fcc33e189d2d906a33101454d970d5cca2f829a006d15c4a857341d72c7876cb2e7af84ada4f158695aba5a4dc

Download Submit
memory/3464-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3516-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3516-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3516-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3516-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3516-46-0x000000005DD80000-0x000000005DE18000-memory.dmp

Filesize
608KB

Download
memory/3516-47-0x0000000001150000-0x0000000002A05000-memory.dmp

Filesize
24.7MB

Download
memory/3516-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3516-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3516-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3516-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3516-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3516-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3516-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3516-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3516-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3516-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3516-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4272-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4272-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download