73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4704	b2e.exe
2556	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2556	cpuminer-sse2.exe
2556	cpuminer-sse2.exe
2556	cpuminer-sse2.exe
2556	cpuminer-sse2.exe
2556	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1220-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 4704	1220	batexe.exe	89
PID 1220 wrote to memory of 4704	1220	batexe.exe	89
PID 1220 wrote to memory of 4704	1220	batexe.exe	89
PID 4704 wrote to memory of 1792	4704	b2e.exe	90
PID 4704 wrote to memory of 1792	4704	b2e.exe	90
PID 4704 wrote to memory of 1792	4704	b2e.exe	90
PID 1792 wrote to memory of 2556	1792	cmd.exe	93
PID 1792 wrote to memory of 2556	1792	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\61A8.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\61A8.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\61A8.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6699.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\61A8.tmp\b2e.exe

Filesize
5.1MB

MD5
1a143072428343962ad8f4e237a5c7ef

SHA1
1db3a5d66b327865aa9f787b9317be4917707b28

SHA256
db92b311c2d1d101e3a8239328269dc80db4cfa3e62c22969c249284036ae350

SHA512
e45d1a61d3e9d18748940eebcc9aa9e596014a696e7be73b416b37b44b4ad5910e1c3fc599f3540170b33b24a55628e7a7afa5fd3de88026abe72843cf43e3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\61A8.tmp\b2e.exe

Filesize
4.4MB

MD5
f1e2dcebb97a85948916d3bad725bd5f

SHA1
23b710369075c10de442b55459c6bc292a47ecb0

SHA256
5290860743d90b1a9ed84a1af76d94907df48a000b511326d93cd1dbc16dcb89

SHA512
0ae204f46a4036d31f94e307a210cedf2e7a69fb664c9aece261e5d1be66620b85d4569c11a5d9cfb058aa5f1182c19c08e12015b60bc5c8da6e76610e1d363d

Download Submit
C:\Users\Admin\AppData\Local\Temp\61A8.tmp\b2e.exe

Filesize
4.1MB

MD5
d2c419a721d788c886ebc0bada6a278f

SHA1
94d19fe33b785b89d1060ce3dc9ae4a228791210

SHA256
650228630db655f08faa08da1e0a36d140c2212db9c910251b7805de8e8c46bb

SHA512
59ee192be1b742861e60745fa7c44ea0a8ece045f6c7938ff8d83cc8d59d171a12d50fec02c3f98493bfe1a2006183e13b92063011e6e805379f31510f44eb0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6699.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
128KB

MD5
87bb74a6790018700645a8310bb9a32a

SHA1
b0e3e91efa12e0df5ed4538d3b549ab5d9f6c16b

SHA256
ee6a846f1dcf082d5216bf314e65e1428af13ce54dfaaeb371d1c54f330c5298

SHA512
702e12a0858a1dd987d6a761f0ddc88fee9bce38be3d71f8c9be3fecc8cc6e88763967140f83caf4f2e10109ab95b811bb70bc70ff0b5cce8f0f32713ad3683b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
287KB

MD5
372ee526d67147894a0d5fc6a4fa42b3

SHA1
b4768725161d05eff67536875db2a568b70f6d73

SHA256
23c659bb44bc14ddee0ef8756d2e135d8d7d0b169c230b8efcd68e6aedecc8c6

SHA512
47d0593a2de0e74ef30c8e9b9163c3e03d40f691b4024c3779046d672e4046cc71f64f53cdbefec3f61517d8f86f7890d6afea15dd2a89f30dd85c31a76dd3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
194KB

MD5
29063f9089b50d8de9a6048ce2962132

SHA1
0b9c5f1b6fbd533c840aab6dc1c519bb4d9bbffa

SHA256
043185b21d3d597442a7182a5f04bf39e5e45db94a99237e6c3dc1b98832537d

SHA512
693ed1b38fc7c2e83771f2f7bc7939ead55b10744c990aa34c185d10f9762dd9824611ce89f5618c6fa2fafac92f6c0cc10586ec2056fb73942a264e1a3987a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
128KB

MD5
48c422e815911804d8322f84e605438f

SHA1
b577cb4575fdf07ead63d0f9831833f4f30788e9

SHA256
3247538f008c10c405b77c7a1ff636bd7f7e72b0cf4b5990870c157958b4e6ea

SHA512
0278d1c8a8bb02bb70bac382c89481451ddd147f2b195fed3cf1105524358a04703be54186e138d0e1f1423441e694cd292eb890cfe66bc421eb160821548f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
14KB

MD5
a05dc6e0ef80d83af942731c107cba23

SHA1
0df3848ae3b6e23f76447b59f9cc6f390d693625

SHA256
89c125ce96c18bc05d47a5ab4fc0198e57b21c501483a187f1da0eddee7673c1

SHA512
c94a214ce9eec79046677fd5fd438d78323766c83cd1d6d68189b17f15842c4e8aab37cb654587d0a7d8db9d43653810813fe34a6ccefaec7f3d3e5d1328316c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
42KB

MD5
8e156f809ab599c49b91b6f01e1d9a03

SHA1
0c06de264beb8ae5dc259c81d0c01e413933e68e

SHA256
373a94c1bb30ab08b6a7dc9ff1f3d603f8d90c3204856aaae6096ba35e7b1b89

SHA512
df27a7ea26a35836cfc48e70421890e762c36996983e209994dda908d71fe06ce2c39d42b5d1c4f18ab9ae9e44e5baf930db4d8ced7d40285ad4fed239811441

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
4.1MB

MD5
b1b8b8f50ca145608c7025e1715a012b

SHA1
741c3cc9a864f3f7255694270f37c53ca0649260

SHA256
8b422e49b9aa685448b89305f1b39f6aa050e1aeb8825f6660295b5ae6d94c2e

SHA512
e7458c55921b6b9accbde47e62de1a396192147a7ab48a2c5a20c79ac103d2b64de9829b504b32e1db8a069fdb44520b9802ac42acfc6ca7d0d2f90374349fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1220-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2556-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2556-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2556-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2556-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2556-46-0x0000000072660000-0x00000000726F8000-memory.dmp

Filesize
608KB

Download
memory/2556-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2556-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2556-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2556-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2556-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2556-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2556-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2556-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2556-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4704-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4704-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download