73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
295s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 00:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1764	b2e.exe
4512	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4512	cpuminer-sse2.exe
4512	cpuminer-sse2.exe
4512	cpuminer-sse2.exe
4512	cpuminer-sse2.exe
4512	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5104-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 1764	5104	batexe.exe	85
PID 5104 wrote to memory of 1764	5104	batexe.exe	85
PID 5104 wrote to memory of 1764	5104	batexe.exe	85
PID 1764 wrote to memory of 2508	1764	b2e.exe	87
PID 1764 wrote to memory of 2508	1764	b2e.exe	87
PID 1764 wrote to memory of 2508	1764	b2e.exe	87
PID 2508 wrote to memory of 4512	2508	cmd.exe	89
PID 2508 wrote to memory of 4512	2508	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\6EA8.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6EA8.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6EA8.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7138.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6EA8.tmp\b2e.exe

Filesize
10.2MB

MD5
18179f43b9b9ea7189a01a55fec4d95a

SHA1
d61f2ddc12b135b0bf211627012aef0070cd0a59

SHA256
ee9b9c2c952301f4f277edcabefd7ddf73e6a44cb84d20f548750e417025ec86

SHA512
bbb91e97a3880b1847fcbacd72f01afd801242c458bd3f93fd0595c4c1b2cb30b894879840b1ead88a71cebe74dd251b43d19740096b9e187fbd772366db4f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EA8.tmp\b2e.exe

Filesize
3.1MB

MD5
96120993939f45494a2291ac005fc474

SHA1
a3cbe6f79529aebfeeb7adf91dd6b9af72029334

SHA256
238062b41bcb8369b3812623b0835fea1db60ed979c076477c0f9e4f50fbc838

SHA512
04e8b936a4401d1f0fa77d89c125aac6d30e3d56142eb91ff8f4e89f12e5c5b27b619ba4c67996833ecb4571fdd4bef315279951a67b823f64c67ec71f121615

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EA8.tmp\b2e.exe

Filesize
3.0MB

MD5
2ae892bd30e21c4b00088fece7632fea

SHA1
b171eede01c7640cd8033b8ebcd750ce0ab61187

SHA256
efbcaaac6485480585ecdc6b70dd594eeb8c9b3c26e173c397f46d377e848e10

SHA512
ce27f5af12875fc3601334e49b6d5ea8fa8241569dd015bd77f56a59104c02a8f3481b41de11e261db96291e0a156cd981fefdcffe4f46a447c075fc899c8b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\7138.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
987KB

MD5
07109eff8c9cf6dc446735b4db43acb5

SHA1
8edb8154b259e950852199512be28e5c06d3c019

SHA256
5cc26f76147be9eeff0106ffb124f6ad1c7792e498d3810a8d60c7583c7a57c3

SHA512
90e802035b684894c4f1b070b37fded78d200317c9936972a5b91de058d575620f1795b345163ef0cf6a0f3578f478c3e9f31cae453246dfb8d861744ae8dab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
704KB

MD5
ce5f200d2d48a057722a957d5acc6426

SHA1
e7a8d4c0dc7b561dfa26e3fddaff015716187305

SHA256
cb450c8c0a952560f35f4b93f14357fc3856ee0b016eabf8bb4d20e9504d82df

SHA512
e7d3b203cc96d08b6d000f6845bbeb5777cd08babadbcb86266193ca68d8183973b3a92f5cf587df1f26bf04a182fa51001b7317c9a9e7ba868d1e26b897ee9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
487KB

MD5
f9df4cf8758b576872dee7decdade891

SHA1
20b5354ac7e324afe0e51f08bb66fd3ca36fa4fb

SHA256
f57ca36c4d4f7f3dc0b3d5071879beb244ef0041a6b550de13176b8ca3afda32

SHA512
48dcada57c1b97ffe10f13e0d5e0f126fb5bdba385927c931466bef77da19fc5984781a2ea5b73656edaa76e84ac23b4ac2ec006e823baafbe8c664f704b1abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
934KB

MD5
efe6e8b60cbda31ca0529233e973b6bc

SHA1
8ce5a0bf178a5e94b0910083dc47e8906c9ac7b6

SHA256
5c0ea63e252e3da9a37cd3d3d444a515ea676aa0564f85600bbd035c360533f8

SHA512
f2850cd5ac9922be090f5a8921b5e94c597faf492c7bf5d996748ebf8320da0ec39ce27795d38d1a784b19096353593d26a8bfc9f851fe55ed35137508411b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
768KB

MD5
613807ad6d525aded318b643c33bc17e

SHA1
2c9a4180140838c69c20bc4047c3d2d777d3bee4

SHA256
896775bd33edafb0d219d1ae3e973e71aa29a4937d0252bd3a4cad074c004971

SHA512
d688b0f2570944898097dcc6acb56b3a4c901073f0ce22b5ea260b05a37fe2840d84b44e7aa74c7d73078b0e5a45c24994852f5c03f049982b6ddca6ead89539

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
343KB

MD5
7a017ac2710956411066ce01ebd7f7fd

SHA1
69793538e54b4e4df3e01a6d3370d93cbc2050ef

SHA256
e013a1c987a24225fb231168964843cb449323cac98d8d38628ea8a0e9734c68

SHA512
e323c75a0358df33b11aab9b8efd192ea5428b6858cc15acb56eb99ce1893cb507134abfc9eebc6340d86d1259e00eebff9d2e1a28494b443adf4a0c522d0f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
463KB

MD5
06f62bf1c7667fc355f68b717155e177

SHA1
bec37b02892e37a799b0995366f2e106dc31a283

SHA256
e221149b693cc534e2e7375196cdc2edc8ea9a62540cb0c3b097497dcbfc17ce

SHA512
d702dd0b5e5cb4384f8e6f2e3bfdeff85c0e98de9912dd3e43baaabc6e5fff67b73e8015a45bf0bf183188af415105841a42d6138982ba4cc590074b516caad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
128KB

MD5
8d949f4e279a9a80f50d7c2e0c7bff36

SHA1
92e29300716211895b2d8cd4cf010452f0132152

SHA256
2e87614d15e62262c8b0a0c65e302b15e971b591469f3c679e7e516934cf621f

SHA512
36565dc0a3290ac8c5e0fd0a2756764ce8e49a7ef52a437caad549c7ea1ac3ac7dfe05cd4951ed6b17051768fd9733c94365d85832092c429b0b74ab62a338fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
448KB

MD5
9d1a04f05f75671a5a3ffeb995176c52

SHA1
a45018bb6a5dd52b310c1eb77262354365925a76

SHA256
c777e9d786f5d1d13f78a925453804bf53ee430a38f893f115c2d1ac0f2f07ff

SHA512
d19ea63c26c1d41edd5947d0c5ae70e2461c876563c2baeb1fd4a3986254f7919f8d4c32a9d6b9f4c51c4d5a23ffa90a2011d293a106a0a8813295b2bee06e1f

Download Submit
memory/1764-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1764-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4512-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4512-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4512-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4512-47-0x00000000010F0000-0x00000000029A5000-memory.dmp

Filesize
24.7MB

Download
memory/4512-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4512-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4512-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4512-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4512-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4512-46-0x0000000065110000-0x00000000651A8000-memory.dmp

Filesize
608KB

Download
memory/4512-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4512-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4512-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4512-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4512-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4512-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5104-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download