73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
11/02/2024, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4832	b2e.exe
5316	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5316	cpuminer-sse2.exe
5316	cpuminer-sse2.exe
5316	cpuminer-sse2.exe
5316	cpuminer-sse2.exe
5316	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/232-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 4832	232	batexe.exe	84
PID 232 wrote to memory of 4832	232	batexe.exe	84
PID 232 wrote to memory of 4832	232	batexe.exe	84
PID 4832 wrote to memory of 2596	4832	b2e.exe	85
PID 4832 wrote to memory of 2596	4832	b2e.exe	85
PID 4832 wrote to memory of 2596	4832	b2e.exe	85
PID 2596 wrote to memory of 5316	2596	cmd.exe	88
PID 2596 wrote to memory of 5316	2596	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:232
- C:\Users\Admin\AppData\Local\Temp\5A93.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5A93.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5A93.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5D81.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5A93.tmp\b2e.exe

Filesize
8.3MB

MD5
b7cc01ef0f1c52c33bd8e9382611f438

SHA1
0f859d6e0920add7649b7a407a18a0cdc464e040

SHA256
3e5ab51832cf129bc54239dd927e34e4a98b498534da788d181de976356110dd

SHA512
d8df89e1a313154e33127cc52e2d5dfe09de15bf2676a1e8f32f3e0c0f5863223088ff5a6b9fab462b6d5269135f708092752386e4d88cb4cb0acd5c8fed591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A93.tmp\b2e.exe

Filesize
3.6MB

MD5
54f7524317975d09c77557cac62e6c55

SHA1
2c024460c775821f6954453679385030b8a27bce

SHA256
d57de38cd1126a37fa2f12dcfebfdab6f37ef7185f8f359de52bd67c481286d2

SHA512
6de7aaa0610243286fe5057ff9aaad9b073964ad6ce4d3630fcfbb4b3bd2dbba3144b82b3c5606452904245c3e9f2fd27095c280bd6f2508ba79016d19872c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A93.tmp\b2e.exe

Filesize
4.0MB

MD5
d00720fd4ef442733eed8c48f4104952

SHA1
9bfb4fac7e0eb96ac9a0269dc7b986bee7a5b730

SHA256
f111efb03a3b0f07de20ab67a5068e7e99fb62c7e282d18ce7732b75ef378262

SHA512
707762ad31090ae37a0b7b1ba3a59fffe3038a456f7cd6d8516001a539a6b46363a8e0f3d08e1a31cf02469d38dcfc114cddb2df58890d41efe71bd1f189c3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D81.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
c9def432a75e63911e72e6faf6ab8e5a

SHA1
7eafdfba7501bc315ef1394dff757dfb03acae7e

SHA256
d9153e60907102a35ef8df1574422740a4a4a1e070feb853864b73f8bc6ba348

SHA512
5b7e25935e646fc507061778f70bbd126c9046fb9468dea276479469046d6501f627827faacb599da8a530a34046d0965f6124e0613139c158949987a47496de

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
833KB

MD5
adfec37d60fe5cfacbee35983c999c17

SHA1
f76d7fa7ad013ba3f1708086c577847f8ba21003

SHA256
979dbd500cfaa008ea23318ef58431faf807564c7b86b70dd2e91706c705e95a

SHA512
3db0aaa07697ebe021b90441f83bf97f467c5b1562615d88a1008259a8e3e33f5637f20ba2161d228521d0d6a062c6b9ba14216cdbd1ff7465f7d61cfa20337c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
923KB

MD5
3e7276bbafd141fef51b30f5e36a3c11

SHA1
70edcbe6d8691886d6d1984a853fbabc21d2d61a

SHA256
8cb2c5a6794da3c0e0874814a81d4fcfce895664a37b3e6ec1b107ccc30d1704

SHA512
3c159f0a69e5019c0997dee31ffd572d5366214bf37e20e1f73f24a84a3ab2ffac1c64527bec94a5f831faf2ccbff5fe0933539ead1559fa6efd56d49bf36d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
b26017eddb2fb874ec0e81e1724a892a

SHA1
617812b39bd0a49b60f8578bca0ee2849d967b62

SHA256
c83240171cc3f226c5205091fbe22e99a718c7a64488301197d05f1851f95658

SHA512
8c84eeee10d10d7903ff83d073336b7cc0e1410473965ea1637d130b64086833bcba323892d3da7f53781fc1e463b73e4f1afdf693688b51694b137ea73aad45

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
690KB

MD5
422453e71ec42cb04fbeadbb9b821f6e

SHA1
19320ccac262e08ee342a3d845cb4332b85cf0cb

SHA256
8cf287564a0c49feed6f45b55aded5e168564fd3e1f49b3d71e0fb38d438e895

SHA512
c522460f8ee179577778f45c27f05b4e68971d7a78ccc4289501af1ba61bf46370173678ba62e683d90c97b27a3bb2621d0dcab5ef847370ef15c840641201ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
297b7e98aa26087ea991a9cc5212e981

SHA1
c2b98589e118c706abe01c104ae8b32a12a64f02

SHA256
88e657530243d0df7c01fc21b14aa57498d3c893cbb7dde4e0831df187b107d1

SHA512
81ddc6cb0c14ce9834623b192e9da3ed15b1b0b782e365c926000489a8632f3414029d379ee4a64902fab8ca622fee3a6f74ffc8f43d3c1ba91c3f35dc32a569

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
804KB

MD5
33400db678f65fc3d8429b4b1eeb6c0e

SHA1
91b21d355eb8bae3dff912ff94faa9d888675be3

SHA256
d48450dcdfb59dee26a59f3cfcb6ae2af6155d97fb00a1f065e3f07555686980

SHA512
03765e4bcb40d052bbd5a6f91ab672970499640e821949882620f5cb9d05d925b048125401745e7fcf21c5a5784061c0d3997e50cd71aff1c3541b6cc537753b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/232-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4832-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4832-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5316-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5316-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5316-46-0x0000000064990000-0x0000000064A28000-memory.dmp

Filesize
608KB

Download
memory/5316-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/5316-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5316-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5316-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5316-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5316-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5316-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5316-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5316-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5316-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5316-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5316-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5316-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5316-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download