73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12-02-2024 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
3052	b2e.exe
4880	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4880	cpuminer-sse2.exe
4880	cpuminer-sse2.exe
4880	cpuminer-sse2.exe
4880	cpuminer-sse2.exe
4880	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4704-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 3052	4704	batexe.exe	85
PID 4704 wrote to memory of 3052	4704	batexe.exe	85
PID 4704 wrote to memory of 3052	4704	batexe.exe	85
PID 3052 wrote to memory of 3244	3052	b2e.exe	86
PID 3052 wrote to memory of 3244	3052	b2e.exe	86
PID 3052 wrote to memory of 3244	3052	b2e.exe	86
PID 3244 wrote to memory of 4880	3244	cmd.exe	89
PID 3244 wrote to memory of 4880	3244	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6EB8.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3244
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe

Filesize
5.4MB

MD5
4ab21f76303be2c14344032ab7b3d532

SHA1
a8b3ac1652a62f73430d668b951b38569624ad48

SHA256
bfd18350faac5977bb098c09a49c285b2c9fbc9a8f151f0ada660466bc0b2f61

SHA512
06b87be675824d57b5729026d751e3f25a421f6154b694f71a05a30336310cfd7f9689445d7702b03f31ef0a3158860b8544ca2acdc290d1228ba2896093d66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe

Filesize
2.8MB

MD5
7f69cc9f05b6a6eb6b01a9ff99ec25bc

SHA1
e4ca9ce5494b7a6ae6c74d5c4c48f139a1869846

SHA256
c32012160a28ed2bb3b08159f3905de6469a2e5d16d35e809e0f3d4c3900405b

SHA512
b06f05f4c141cb46d3673f37ffb6499dd51fa7b432263ea190bcafb42903c1886c8eca320ba90cfab329ee0cf7266bc3878a89aa3769893e28306ab1b125a755

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe

Filesize
2.4MB

MD5
c7db65be095838aeed7ddbc6f4965a81

SHA1
df9416897c20948f2bdb2f710e0684a23b557922

SHA256
f678d9f8824c1688f23153e0d51cd32b4aab504a65c29e45c59840125c7073e3

SHA512
6dd400aa0be6c5baf18a6e9da92a6fd466bdd6203c164e3ed19764f0414c70b4b188819929bbd112ff5008452a3e374bd32fc0863707ad639eb6fc3a7bc3cf34

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EB8.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.0MB

MD5
39e421993daa9a1d200309916d7ea59a

SHA1
91cefddad4e0a51d16c3ff027d2276488abdd24e

SHA256
4c39372af6808b996b2ed5a2732f4fbb71b99bd21d57776c6194a77bb50fcf2b

SHA512
ee45e0b5921a7230a944c24bdb4900a437fc09d0f734d628c2ba1073cb5491564f64b4a03209a22c6bd41a3e0fd179d3d9c15150b6c6b8e4f213c3c028d56aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
710KB

MD5
5839b1fc3e81bb672b47a2681f216b12

SHA1
11f2ade28f1e04ac57d8d5e0384abc6e7a237da6

SHA256
6190e7e767b789de2c2cb5a936248e93a92d7696e5a5e1eb3fce77062b0ff206

SHA512
87f1599c5d5a407b44ba578391461e1a08be61711d10a5261fce10ec75f3ce0408ada45044780a9c3b315a3fe89a3852a82a4e1c6ace709c00ac1b4984e9abc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
359KB

MD5
0f98c671446d113b3599c81abc02b418

SHA1
13f06b8891318de5c0e02a0e69893cdb0ba7de7a

SHA256
ed47982eba34210f89c3dcd3eb0652c0c98ec2b1cde7eaeb8b9b56a084e148c4

SHA512
ba15a96d84d1269e75719114a21a2b45f615dda74feb34485c2f2c1a2ed85dfc60d20294c855dc7c407c370459a2947c4a3d388636e6608ba472f2042e502083

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
815KB

MD5
8d3bbd695be120deb4ddaac79e0daba3

SHA1
56525a902e91ecb6db55a5b1fa6a156813a57c75

SHA256
5f8d2400ec0847a2cf221e6b94d1938acc06354f17ca69d5c0777d15b08a49da

SHA512
f5467f1385b589d635e398bd8b91ae5e61dbb7422032bb5f3ff42899c554b56ab4c24ead40562ec4d3f979ea6f0e3d6174ca68a32a4f308a7d51e6a492e870ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
553KB

MD5
065a46817faa91b2a07a2087f12b96bc

SHA1
b3e4a7d4b9420c2125db66aa3bcb4b53307dd089

SHA256
3db06fb59a6f256b5a32e936532c2f3b1e9b3b02f1a3b5b973a4ad62918450e8

SHA512
c6cf1c707d707033fc1ce060832bc20229e9cd9aa58124e333f8c00d3128234fd27e5c50d1ea2762a10df040b48ece8bd17e2a5925c9d565581e8774b56b39e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
42eee9ec8bf12fee271ff092f5d29946

SHA1
e0d7254cc915306420cb000fbc1d35bcaf1727bf

SHA256
1431ae61659eabb1e220b5fe8839557ea4e7a9438599207572ac0ebd1af9f278

SHA512
b576ed3884e0f50653e162195ecd64711cbeb753eb815842743143c53734f71f5b500c43866df37c5cc45a79a10b8c23444b8b25cf34d6a137a4e6b4399bbd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
451KB

MD5
478864f3f08541457be025d4ffc2a9bf

SHA1
0340b157e34de71e8c2150a02746886532178b88

SHA256
844734c3d3ab7873db795de0d2536290f2c05667fa3fee9a5a253f0cdd738bbb

SHA512
aec4167801a588246f683156685df378a4b9d3bca7a75833bc65c52a7406c5dc33c23b8e3aa2c905dc6584424e11fd9b573d9cb8c8e0cc0636ce7cc16250e09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
500KB

MD5
827938d517c71f7758621d1679a54fe4

SHA1
c84ca265622e39ac7c06648db522a456ed473930

SHA256
ee8d9e4e2d3e305051165b310a712a6097bc88534f558b8717188a4d1a77cfc3

SHA512
ea4ce108e2e2bc215b8470b71242e6246594208109bbdf651acac28d2222b68396c7160acfcba8b669712c7b2b6e7a17aa99afb7b45efbda63ca734c3b2f58ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/3052-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3052-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4704-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4880-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4880-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4880-46-0x0000000067D60000-0x0000000067DF8000-memory.dmp

Filesize
608KB

Download
memory/4880-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4880-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4880-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4880-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4880-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4880-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4880-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4880-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4880-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4880-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4880-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4880-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download