73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5288	b2e.exe
3928	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3928	cpuminer-sse2.exe
3928	cpuminer-sse2.exe
3928	cpuminer-sse2.exe
3928	cpuminer-sse2.exe
3928	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3924-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 5288	3924	batexe.exe	85
PID 3924 wrote to memory of 5288	3924	batexe.exe	85
PID 3924 wrote to memory of 5288	3924	batexe.exe	85
PID 5288 wrote to memory of 4216	5288	b2e.exe	86
PID 5288 wrote to memory of 4216	5288	b2e.exe	86
PID 5288 wrote to memory of 4216	5288	b2e.exe	86
PID 4216 wrote to memory of 3928	4216	cmd.exe	89
PID 4216 wrote to memory of 3928	4216	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Users\Admin\AppData\Local\Temp\6D8F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6D8F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6D8F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7177.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6D8F.tmp\b2e.exe

Filesize
3.3MB

MD5
3bc8b75e0ad681aaa95a62f3573cb20a

SHA1
2ccbf2b9042072b58f59b53da5278c113e0668c2

SHA256
41c14eea03b017661ecc769a39d2a9f2c2a14e9f5c5b88af0d8790833b956dd3

SHA512
b7920b51b4516c9507780d39fda8009691ec739574475a8518ffaef9bed59b5dcd040a150047f95245cc18c2ebd83cb6acb8c3cbce38daf1e696d4aecce1d94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D8F.tmp\b2e.exe

Filesize
4.5MB

MD5
97f1032bc5cbd37ff0a9acb4b9182cb3

SHA1
0fe43292cbb3734742047845c63a6f8145edf381

SHA256
32a15997a23d6640efdef957005652c28fcd8cd2f89f8cc159f235cff00b893a

SHA512
d16a30ba437fbd0cc2bd079ca11a0c39c50ce6eb221b038e99c6c6bb647c8526ca68f2e200d6df9fef4b3b67b350e748edf03886421ba277b564e6cf9f828362

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D8F.tmp\b2e.exe

Filesize
4.1MB

MD5
f2516d17952f3e473f43803f79ee6dac

SHA1
36b06614b652b8c8346662deb14119ddaa96c7d7

SHA256
5c17a15da9a5c4bbed56d7294f3fce067dd6a5c7c9d7b571515ceb6d6e2f15f4

SHA512
1fd9be9fb38fe35bb6a9a49ce4c47ce4469fac84ca63a479c4319e784fb81b94e274a3088121f0e92d647230191accfdc57ee882d1803f968de2443acec3492b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7177.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
656KB

MD5
2a9d9d7d97be06eef942f984c279690c

SHA1
51b25d25f422722d2b33c4d412f3ef0910796edd

SHA256
4f1bf39a6619ed0fcbfbe594547b679fde46647eebc2387c1e823e215741c0cb

SHA512
a20c7b8f8b0f2464d96cb83877074b8945148715629f52c172e3983e3c2416801bb206932fc7d5eb911987784b96870b93dcd8c14207143c2eb47d8a3c724d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
757KB

MD5
2e83a7e55c3e3d32976e458e939926a7

SHA1
e822e00659eab3bb7ac5d5b4be2dc5553b85cd5c

SHA256
ac20f836c7e3293c651ba64b1972b3b5a7baf6b6979eca459f5413496e01ac01

SHA512
77e0fc0a558e5495605a7dd5bdd789a040507f391d03c3ba8f5302a348c66f995f0af6b6d7613c358b2492fc160359b5594b295ba83e1b1ceb2ad33ee2d76128

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
808KB

MD5
277425e1a21a948224381b4024928790

SHA1
1692007d537136c6daad662be88b2d099aa95023

SHA256
0c71ce683897b9c79f3ad74f0738ab9967be9f40dd8791eb1ccaa1cdb7b6705e

SHA512
065e0f6890a3bd135016d9fe2055e2b604d2089177d1171d5378198f57f06b86ccc320cc2794b51908f50d4ef5c29ca40348dd7c37a1fa0f8639850163a1feed

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
635KB

MD5
7cba81bb599879ca1739e2ad817259cf

SHA1
2efc1107e28e40402241f4d708beb8d094ab2bee

SHA256
0c83d434835828ae085fc3b66faed067dde754702914947fade8408e12357914

SHA512
a0b4d7b1f729861bd6a75b72af54ce6e592da9ccfec31eeeaf60cd99f2e3406de0ad0a8ee7edc164f85b0e0f9e033aa2ed6488e6f099f233c36befcfd061f70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
581db5cde2a25a2938ca8e56c2b01acc

SHA1
deaacda8d1a259d4ff00c817b8443ab93f9ed35d

SHA256
3bb7351da23cb05cd50233e0d32c95a24b65f7820d0e19e3fbf7f57aa23697cb

SHA512
0dd314b5bc13298669afc206dfcd266cc142f004da47f69eb32cb858c7cde8ec810aa6dc58254473acbdacb8c2311296cd60e6f3ee1c10a62a236f0c8e9c4ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
612KB

MD5
02c71421d5b1406027dcb7fa2a69fed9

SHA1
ec03fa01fdb2a8cfc817d55756245a0fca5f7a53

SHA256
b2a77a5895bfdd4370c03e40ba7cfdd861483766c47aedef0fae2dbcce6e4dd6

SHA512
ed569d9de3342b222593bf363965db288cd76d10f7d601d3261d7258358cf6a40076f902807b7026c8adbbaaf2ef83d3a5426eb64cf197f8c83a0250f2be6328

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
419KB

MD5
bcb9b5d5c73d1e2c3185c866ed4c221a

SHA1
20d5696ca2281e8553686b3f688ce20221b53629

SHA256
effb0c03fbda3073ada8ca8fd9b5b44c38dad386ee844c38865a665dae6ac79d

SHA512
c0b6a769abd9f9b713ce2ebd2cc9b9d9099f8cebbb729b6467df944ceb342e0a2af14e86ee26f82e3ae44da108a454328ee6e82821b7642a9e4cfb5abc954b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
547KB

MD5
78e43bd8c46dc09aab24872fe2b0f665

SHA1
c90ba699d4a7f602221c2eb47e31da87a3ff068d

SHA256
f6e1273fa5c013aaeb192af91a5b6d92e74f7a207dd584438da907e49f4717d1

SHA512
cc712b8725b6b0377cec2063309b33ac323957fe342dc99d3943d96d8d4e9220c0d1a1b8c6d311ba1fe33cf174b5296df7881383d992e6e1dfed2b9f3ee15400

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
360KB

MD5
b00bc35abec18e568bf8f9cfa14ff156

SHA1
1d147285fcdf6d7c798d28ab492eb5e4c4e0ef85

SHA256
fd682d6399df9758910a7980bd208cef95daeb9f1fb61f9bece3a9111bd45251

SHA512
4eec9835be6110d580ea295bfdd9d45358c220fd6ea0c5234e5eb4ad5bb966f228321c5dfd89ac18f88892c26f80092ec6316e8a406d093b90c2a71952f2bc4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
605KB

MD5
a072fc206e1cbdc609de4759d3a7bb10

SHA1
918f0b4ef918f832be793118f09c2b99a724a209

SHA256
6ee590e5178964957e6d0354d858627c5fe1fae4767a3cd3bcfd8c2be19454b2

SHA512
1fc24f0ac5f54ee81cead164d8f133294e3148a009f240190c1fec945b5347543abef31d429a91960681e0bc729b6d6a1e682e3b1a0cba2f148ba57c9454b0df

Download Submit
memory/3924-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3928-47-0x0000000001080000-0x0000000002935000-memory.dmp

Filesize
24.7MB

Download
memory/3928-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3928-46-0x0000000054460000-0x00000000544F8000-memory.dmp

Filesize
608KB

Download
memory/3928-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3928-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5288-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5288-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download