73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
11/02/2024, 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4728	b2e.exe
3156	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3156	cpuminer-sse2.exe
3156	cpuminer-sse2.exe
3156	cpuminer-sse2.exe
3156	cpuminer-sse2.exe
3156	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2076-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 4728	2076	batexe.exe	84
PID 2076 wrote to memory of 4728	2076	batexe.exe	84
PID 2076 wrote to memory of 4728	2076	batexe.exe	84
PID 4728 wrote to memory of 1360	4728	b2e.exe	85
PID 4728 wrote to memory of 1360	4728	b2e.exe	85
PID 4728 wrote to memory of 1360	4728	b2e.exe	85
PID 1360 wrote to memory of 3156	1360	cmd.exe	88
PID 1360 wrote to memory of 3156	1360	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9867.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe

Filesize
9.0MB

MD5
5a7ba437877fbc69c5d0e46e248f081a

SHA1
e6a6f7a42b6b1dce06ce44af125f4a2dfecf3b89

SHA256
5e6527d8b657d6ccf523c558d798b55616fd8dd4f559fef4894f3c76300547eb

SHA512
c91ed903ee8fff4b90d8c245b025a46c1fe57588d5ad740fff58c6c018b77b849689953758c3ef728da6652a1237161e64a79cbfc403d6e3725ab16ce99ef5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe

Filesize
4.3MB

MD5
141b89b632bbfd1aafca702691113090

SHA1
d82f7002586a753f41809d004e6c10916dec53f2

SHA256
6a6c8003fd10f6370323d14f7109a206a0aa079994325cacb66361e5a36de899

SHA512
a3549caca58d50898c0410ae2389bed06bd0f891ea18d51fc3369f5dbf4dba35a39d0f0443d785dbb75b1f49b362c2f6b972e612a2aed942ef35150e43ea442f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe

Filesize
5.0MB

MD5
50f7d7ef9e3d5db8c163979defa1ca6e

SHA1
500666a8cb4543302432d7ba4b71e72a23cb2b05

SHA256
84e99c4aeb8cf185f2ed766fbbc03dfd90e1ee0a15da65dcb1bad2679d835c02

SHA512
604d8944a9c5444b650434b47355a9c8ab40245c21468b7e99857d87637a80dec245d976d8f63c5d0eb85fc1ef803c6e569618c53f97b38ec531b2487a7e1e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\9867.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.0MB

MD5
1409b2b08fad7ad47b04f60e8fdbb605

SHA1
744a971bc9744c3298da0f99e2e250a3c6fc66f2

SHA256
5a19b1ee32681c7579a9f6b04b3791db21207b02c7442ee10662eff17dd4798e

SHA512
c81a82bd3ed1e4de672c38756126599f8c8dd37ce100bfe2fdcb154ff6b6451eb9bdb7b21b3884046531532e070df2c9d6d6be1db0ad65f34363237000ecbbba

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
989KB

MD5
6efeae953f5144147ab63ea5bb3dda11

SHA1
badc02ffe5b2aad41dd13dd60fb11a776b99de8b

SHA256
e5fdca0df220e96319c1941e382fe00405556bbe460cfc9088d3799de7e0183f

SHA512
0915226ac3cfea45fd039feb0feae39478e7377ca6089e79914fedf551b68b5e28c4916b41aa1aeddc66ef63ebe39a33f22494c2ebe1443e8ff0b2c924d77844

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
570KB

MD5
cf0dc8d307594c69651b63ce4c2846e4

SHA1
0e390d59d9125a8e88f6472bdc329cc4ce579ab5

SHA256
b58cd20fcb50aa8b900010c1fd36349375009388ad3233e608b48485d1f4eb8e

SHA512
231768a76cf980a33bc4b47773265e51961bcafc4272465fe65bd400de9f850bf11989e48014bef61ea7add3aad8cda9f48b6d1a65eccecc4e26671794fbe8c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
793KB

MD5
11dff6fc647fc357955879c7bf780555

SHA1
33e77a704b45f8287bc5f1b6ecbd72f01307918b

SHA256
7cfa8256e05d8d5d09efffb83b16f9ebfc4198bec31a798562094a8a32352084

SHA512
8122632b358e3b6f00958f4cb0c210ffdf3489c7a7b685d027be8d149e1843ddc937d76383940c40b01bbf125c9d527b1624e5d36ba2353e08a332d039fbde79

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
942KB

MD5
2ae63ee73504c3205f97283d95a8ebb0

SHA1
2909ab5f44bae0662ccbe478c1824f83518bc6d0

SHA256
30a8d4b7a98b9e4d5ad92863bbe07eeb0bc70ea3dfb5360ab73e4850b4bcc7f6

SHA512
9cdef40ffdd2ec4354f2b426c8408098e44b08bd9cc3903cb5e4be5ba55e2ee26967b6fea36cdcf1686b2e8f56966404cd4e46490c683802e314039afab5cf29

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
940KB

MD5
32e922fcff6d6299675e61d5698658d5

SHA1
00e71bba0c8efeb3ca8fb1ecc5c0b75c5b79e2fe

SHA256
09930127fc8bdaa7d9b853ef98a3ef0ea9bf980a4ab32464262e89e2adc2002f

SHA512
90aad3a1a966fe4c449a82c9aa2ca90e18665ab8f687a33f4f577ff6a72c6f1796299c1bac485d8a626be3577a7348bb644ee6e8c489df27b78c120d1f47577c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
b1cecb52e32118df3ad8bd4513384763

SHA1
af5984d99ed229f9c267de2715a0a0e5149c3e87

SHA256
aab6d21a8afecba31573f98224da6c7b21cc05fd886bf09aba96952918f2d579

SHA512
696693561982743251bf657a03d555f4640c8699f8a6adb9c48c7c4093b906842feae91fb8f794fca90bf5258dd88c8be40eacfbe75de829b53f9536cf1f2d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
8b4a21b55cb080d482a22e9b40b878e6

SHA1
9f217b43745337bc2d47cb7a77fd3a0e4411162e

SHA256
36f743ac4108cc52e16e74d20c26f1394c85f63ee612ca6c9d130c5d373291cd

SHA512
388b62d168f82fffc1d736dbe9b127ed15c768ea84faaf9884f20c41c525cdcd6e8c99050c1f56d46dd65b0fa4661c94aceb280400459e2f07d9fd556cc10661

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2076-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3156-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3156-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3156-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3156-46-0x00000000569B0000-0x0000000056A48000-memory.dmp

Filesize
608KB

Download
memory/3156-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3156-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3156-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3156-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3156-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3156-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3156-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3156-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3156-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3156-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4728-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4728-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download