73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
11/02/2024, 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4740	b2e.exe
3628	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3628	cpuminer-sse2.exe
3628	cpuminer-sse2.exe
3628	cpuminer-sse2.exe
3628	cpuminer-sse2.exe
3628	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1976-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 4740	1976	batexe.exe	85
PID 1976 wrote to memory of 4740	1976	batexe.exe	85
PID 1976 wrote to memory of 4740	1976	batexe.exe	85
PID 4740 wrote to memory of 4924	4740	b2e.exe	86
PID 4740 wrote to memory of 4924	4740	b2e.exe	86
PID 4740 wrote to memory of 4924	4740	b2e.exe	86
PID 4924 wrote to memory of 3628	4924	cmd.exe	89
PID 4924 wrote to memory of 3628	4924	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\69F5.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\69F5.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\69F5.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\71C5.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\69F5.tmp\b2e.exe

Filesize
36.6MB

MD5
b443bef570bf7df923527c08e94cd7b8

SHA1
0eae66ce8848fcd78d9ddf7145ace9f410557549

SHA256
6db741492d6768c352a594380b0aca933eba4e731598c86d5f06698a9553829c

SHA512
bf614292d9a48cd10c5a502278923e03527da8eb28b473b172f6004f9eb0eedf1292b8186c28a4ee1dbd7ea8020c95ae4d93ac19ede4d7a81366c2278595971f

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5.tmp\b2e.exe

Filesize
3.1MB

MD5
96120993939f45494a2291ac005fc474

SHA1
a3cbe6f79529aebfeeb7adf91dd6b9af72029334

SHA256
238062b41bcb8369b3812623b0835fea1db60ed979c076477c0f9e4f50fbc838

SHA512
04e8b936a4401d1f0fa77d89c125aac6d30e3d56142eb91ff8f4e89f12e5c5b27b619ba4c67996833ecb4571fdd4bef315279951a67b823f64c67ec71f121615

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5.tmp\b2e.exe

Filesize
1.9MB

MD5
033a32e0272358cd590b05071af214b2

SHA1
827a640a38909f747f59e8f2424e850d85dd7989

SHA256
72ffab0933d1a19c411d302fe2064aa305c7d1776dd3b7d9f43e4faa7e9f70e0

SHA512
0b93ced0cadeaa2c89ed8af42de8599765005886e2b9c073403fb845920cf63df24ed8def10afe301724a7bf4c52f7870ffe9c6f519ea37d9ded66cabb803261

Download Submit
C:\Users\Admin\AppData\Local\Temp\71C5.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
748KB

MD5
2d686420f467f783910e92c34b9a07e0

SHA1
d5d153ecc02a1b94a7509988560599532a584228

SHA256
260b982ed31a618d2e974f14683966f3934de593cba6656035ef112d19d2b4a0

SHA512
d0779525db068a04bdadd437b5e7c7d06b75407d400d726ce3c60d35777f1cdacc09b5c06a4cec6cf019d29c5f7dd5ce3e667a4c2fe96d7724b8f843a344ea3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
977KB

MD5
60a5b75339dd505cf5cdad5b6aea2eb1

SHA1
3437991acf9b77b6babcc8f9880bc79b70c5dfa4

SHA256
a21bd5ab21620906c6b311bf83d93e469eed67d716081e83e17338c140ba12e7

SHA512
07b071022fff900efd25697c83374b7cd2b6c32092c058a31489b78849382dc7d9126c3279cc73e40d0f77c20554f7671c511c871e3bed96a25b4c2b0855ead8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
768KB

MD5
e3f15c79f945604229fa814f57c79274

SHA1
19a7015dfbe622ab86c48693ee1605b26112a3fa

SHA256
7b09ee53447ccf77a0f2d7bfe25908f963d681433d3cba5a16c7f45646c42175

SHA512
12dc1df8a947caee13a12eca5a976feffd7408402b0495e4971d4bd7181e8d353ebc17da044d2ce6d1c273bb05a0ca5ddf7492394b355786d8b14b0997de162c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
789KB

MD5
e683ab372c055c9c8604997d7ffd5db7

SHA1
1d47c72c06e2500128abe219ab2e5dc55ffdee11

SHA256
0f328cb1a0d6cae81812b0e5409f9b41e3635323c347603f50d8fdad36fbb832

SHA512
14200de0e900cb3ba85e85a1fe5ebc7b0f593ae76054ac3569af041d71ef098af977fca97f409fd58f1b08a5860132b646608c5554c20b588238072ef199e86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
655KB

MD5
ae59af5241316a448dbcf72355856127

SHA1
eb8801d3430e27ed0e6e0cff4ea8d89c76643bbd

SHA256
ae3552af06636898c7f639b42e55838415ebb9ddd9e4a966c74b701617bac9fc

SHA512
d9a9c21c2b231c5817b9c7caff98cd7d662de65ab03a8587f21756a17a6cb47bf9f9dca310ca2999fc893b55192d850065bb7535c7545e89a94295693291dfa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
478KB

MD5
b5efe39b44c145e81939dfcfc87c9a7d

SHA1
4f637321ff23c601fc0c48ab4d2a12e37355b1fe

SHA256
c2956b2888ab2d3a29aac6a5d6be2d869befd78522ea401dbc328d022ca4e427

SHA512
873db49ff4e8deb93d79bfd48d3c141d3ed82d6953a802c0c2d77d135d562b748f12745075a2f9fcb74d32f3d3aaa5e632ffe206e961c03b9c8ec9738c3c5d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
768KB

MD5
613807ad6d525aded318b643c33bc17e

SHA1
2c9a4180140838c69c20bc4047c3d2d777d3bee4

SHA256
896775bd33edafb0d219d1ae3e973e71aa29a4937d0252bd3a4cad074c004971

SHA512
d688b0f2570944898097dcc6acb56b3a4c901073f0ce22b5ea260b05a37fe2840d84b44e7aa74c7d73078b0e5a45c24994852f5c03f049982b6ddca6ead89539

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
524KB

MD5
a66b1fb36accd4d995088bf060cacc15

SHA1
18681314d2212000bc75e5fedef7c254eae3eede

SHA256
688f40db0b2b4c6abc80e21dc1b4111a300927c9130a7d09946d325d1306a99f

SHA512
c0d6fd55e4383feb1f0b4ed5f04e98604c7d656807efa9aac757c45da0c48475ad905ed87fb8f1afe2be7ee46d6c5448a41bde2b9bcf2bb13f5002780d71659d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
667KB

MD5
0f4c1aa30b782ec126533649f95194df

SHA1
5fef5d00e5f227edf7d123b8d474cede667ce453

SHA256
36ce422310b95f9a7429676b3931238e968841a4bb755566f134ddfd3386a037

SHA512
e55da8e485d46c08fc5967603b0b6d6c1c041c15f1d32c6cf681b6b5fa36be67300fdf69810722eaafeb8d0d108f8da94d98651437d5edcece9624b8e62c4ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1976-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3628-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3628-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3628-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3628-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3628-46-0x0000000070B30000-0x0000000070BC8000-memory.dmp

Filesize
608KB

Download
memory/3628-47-0x0000000001020000-0x00000000028D5000-memory.dmp

Filesize
24.7MB

Download
memory/3628-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3628-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3628-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3628-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3628-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3628-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3628-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3628-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3628-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4740-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4740-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download