73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
301s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24-02-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2888	b2e.exe
1664	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1664	cpuminer-sse2.exe
1664	cpuminer-sse2.exe
1664	cpuminer-sse2.exe
1664	cpuminer-sse2.exe
1664	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1780-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2888	1780	batexe.exe	91
PID 1780 wrote to memory of 2888	1780	batexe.exe	91
PID 1780 wrote to memory of 2888	1780	batexe.exe	91
PID 2888 wrote to memory of 2080	2888	b2e.exe	92
PID 2888 wrote to memory of 2080	2888	b2e.exe	92
PID 2888 wrote to memory of 2080	2888	b2e.exe	92
PID 2080 wrote to memory of 1664	2080	cmd.exe	95
PID 2080 wrote to memory of 1664	2080	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\4AB0.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\4AB0.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4AB0.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\56B6.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4AB0.tmp\b2e.exe

Filesize
4.1MB

MD5
55075aad2654558e78c79389d328bd6c

SHA1
3c49741995c4eedb25ab33cc269abeed7e5a00b8

SHA256
778ee0f65897dd81fdfe44499a01fd879b1c237acb9015a4b8afe1020809e440

SHA512
0060002f1ddd8ba3d108c627afb31818998a107e866db7bf1de6ce534e4974c520e8a4a34a0925c1ecac868c5f85543afd169b1ad77b81521b88049bf784ec5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4AB0.tmp\b2e.exe

Filesize
2.7MB

MD5
eebbf065d482f2087b904f453811ed76

SHA1
7603db0c808af110d3dbba7f90f9970e9a8e11f9

SHA256
1b923434280fd542723847e832e0e58777c735991faa1b4dbb92aaadb38707a9

SHA512
64d1fda800700affe1a68ba52c5ac7f6c3e175f1e3a4f53987f6e2564be6949f95417893761965b85dc1a01b084bc8e5f9c7e9b3365eead4f1b9d1d6455fa17a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4AB0.tmp\b2e.exe

Filesize
2.0MB

MD5
8e4f2a51b657b698277b2e15085ec43f

SHA1
b7556d2c620406c96eb60d89b5b2d3c8f88152d9

SHA256
e03c0aa0aa4289d5e3f2f0b2fd1724d4a149e99fec824bb0ea8df6adbeb26b1c

SHA512
301ba17108675997b2bd779de833c04e9b8cd6af2206abeced33c8046900f7ade89c7cdaeeb4a3e5cdaf4fe58a0d2bf983bbb976adef92f56a0eae38d9b0f644

Download Submit
C:\Users\Admin\AppData\Local\Temp\56B6.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.4MB

MD5
f52f187c6b73446c6e98dec1fd8b799b

SHA1
df79a5dab9878479bfbf4bcaaf26a2749c709556

SHA256
564872f8a53dcba1be6f827b7b563614f51cc2017e310aca30485d5027425f61

SHA512
7cada9329afcd8957635828c480d5a503e6c60a463a7eff3e8ba8312364cdb41df41b8836ffc0044d49176723382bfdb98056fe9fc689cf4ca6fcd8058be8577

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.8MB

MD5
486402038875ea421bf4801fe2e52dde

SHA1
f924eb951e437c75097c2dbb6a78101626c01658

SHA256
bf260dd9208020d8c9d257b0eeda498c0dcbdf59363440f4a31392a85d9ca6c5

SHA512
a3e04a1fa3d8f9d2f9cd27c6a4850a3490accf279f076586e0a15976bb1c3f601857c83f78c9af0af16256e61c82bb8fb4dd95e72680059cadc6c624bb72c82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.9MB

MD5
09d9314ff832e0641a912fe3c57d419b

SHA1
fdffc0b4ee0593d4fff35a12c26d20ac366e5ad0

SHA256
5186c17b0bbb70315d4e237b2a84bc2728ca012ee824d257fd5255c4fe570201

SHA512
540d6765c5afba7f086d88a18889600038c93664f8ffeafee2ddda46878482a33e5fdd69a875b07c9ffe526579983af7b9f3cf21b790b7911596b30ba182b56e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
732KB

MD5
a78e793d2e8bd25cc984a27423d151a4

SHA1
a891962969d65f0b7bf5cc269aedd3b571d325ed

SHA256
34f9a7cd2bb03c969ec81b72cf01ed4317b336e1e9c0fa0df77a818e2eed35d9

SHA512
c41e71b75bb0d91ec952f102767f12de1dfca67aa59a6ad890d6d73d671ce539162d73132cbd755bf456ebf069402a902fa427aef2a72edbaac6e04770f3f9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
85791ed41b539db665edab5a0314cef3

SHA1
f323fe19f0cd99d03006575e7ce5b890056a75b5

SHA256
278fb6591d6ccafe2b91c21411859bb641e76dde5f62b151246e5d36fcc1af1f

SHA512
8f0d546c0b9a186b872179c5b56196ba9e708eec37759a29718c157ebd9ca6514414807a5cc2b0fc12c417ff71ba3e8a886f934ac95b46d0b568955eb0c7bec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1664-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1664-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1664-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1664-46-0x0000000062560000-0x00000000625F8000-memory.dmp

Filesize
608KB

Download
memory/1664-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1664-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1664-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1664-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1664-47-0x0000000000ED0000-0x0000000002785000-memory.dmp

Filesize
24.7MB

Download
memory/1664-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1664-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1664-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1780-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2888-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2888-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download