73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
289s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 16:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2760	b2e.exe
4488	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4488	cpuminer-sse2.exe
4488	cpuminer-sse2.exe
4488	cpuminer-sse2.exe
4488	cpuminer-sse2.exe
4488	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2344-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2760	2344	batexe.exe	83
PID 2344 wrote to memory of 2760	2344	batexe.exe	83
PID 2344 wrote to memory of 2760	2344	batexe.exe	83
PID 2760 wrote to memory of 3236	2760	b2e.exe	84
PID 2760 wrote to memory of 3236	2760	b2e.exe	84
PID 2760 wrote to memory of 3236	2760	b2e.exe	84
PID 3236 wrote to memory of 4488	3236	cmd.exe	87
PID 3236 wrote to memory of 4488	3236	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\9CEC.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9CEC.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9CEC.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A7C9.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9CEC.tmp\b2e.exe

Filesize
4.0MB

MD5
dc662bbb1b2f2f4b746f70fb8b8f6e44

SHA1
ae38b930f30ccfa9ce3cadde354e4f4bcfa30281

SHA256
08d7d28b7a41bcb75be3f264a7c8ab7297fb43987e5923c8559edebcd5f41168

SHA512
46fc9aebe234a075f435b5d2a6d56709817321b5b3e5134d07720b997a00efb191ab950d9624fc346db93f59c11fa34d90a21588be0d54527247f48dfa867526

Download Submit
C:\Users\Admin\AppData\Local\Temp\9CEC.tmp\b2e.exe

Filesize
1.1MB

MD5
c8ddb9a1b99b955d28ce987616dc783a

SHA1
6a50a41aac042de84cbe5fe9cfa8ef171c1a15ba

SHA256
d42d045c7eaec84a0576fa2d1e67566cd65686605e6f66217c2da6ec9faa060a

SHA512
8804aa717bb5d9a88543175afd4ed3363ae6d1ff9846379f9bbfb7ff1b49cf0031fd6b1cbb0b1491a94d1158663021c8bf56c47050f3192b62a0c5bb5499d397

Download Submit
C:\Users\Admin\AppData\Local\Temp\9CEC.tmp\b2e.exe

Filesize
1.5MB

MD5
2a089e8bf6578017b5c976d0dacec1b8

SHA1
111f721c4eb9edb2555114a6c8d95d0bac6bf333

SHA256
7c38ff410d155d55353f7c8d0ccda5c2f63a97eadff37a99228b2cff8efddb50

SHA512
5efbe1daa3034284f68f7045fbbd4e26276165f60dca93d455772d5727deaf9ebc059a8b7b0763c6d00243fc8bbff9a197556837e71a1ecfd71e6919b8a7ecfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7C9.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
576KB

MD5
6e18fc4eda8ed0e6aa6ed56f84803ab3

SHA1
e4a0a4432fcf3184baae1b01a8cb771ed580dbe2

SHA256
f51cf1f35d722b4af4bde30de5008d67d7256d271953eeb2ff63780978f4a53f

SHA512
25f97a3a07fd0aed4a5e6bd58e4cc3ebc2c56c0a314103536e9342ee10aa3c01baa24b459fb58d7154808594203e2b4fddc23f6c424182e2e8bb3a978b4dc256

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.4MB

MD5
768feb20f5c6e5a77948b45abcf73292

SHA1
54c0d33565be3c1603d96222413ed84923b34fec

SHA256
d9c9f345c0fd439281a1fe25b456f6a79b5cb96f98d7bac3b3896665b62dbb03

SHA512
18cc0c0d5b2c277aa11e29a28bdc3b03992d50c3622689f840c223265a0e4b784c1a21415a79378f36b135d76feeced9b0f7884dbafe49e7dd4d0472c5bb4710

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
c89e863ce2221a0f49b45a55100e468c

SHA1
569ede311983a53a8f23f254fe37735538cbfa5e

SHA256
5ca5fb55f2e5ddee30c893b0e78d1ad59f593c2c3e5ecc155f14a088c65cfb46

SHA512
f65476f7353ef6ca7378752551c28736b61916cbf54f0a17b211a5a14ab93ddc2830a1d9c3cc1118117a23be95d49b06fc8a174d1a87f360ae4b96a6bbde04b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.5MB

MD5
73541513dbe2388880fdfbe2d092d470

SHA1
cf554348daa6e4384aa8972607e0fb85eef1f0e4

SHA256
9442647e652eabce1a148387d4c839ac5b216081943e4a42082f119621cf1a71

SHA512
6fcf3bd2b1374b6821ca17977841a2c0aa185f5070f881ab83768c3ba6153d52ace547ece5411028ff03e0ffab62e1d30bab5637366ea4c98c1316b878cc7ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
989KB

MD5
251b967e160e9a92d339418da5fff8cd

SHA1
038245bf962e80845804a07afa6c5660485000ac

SHA256
f4d1acf29df3672334a87c1d535e3dcd6586e43fdbdb7a29dbb5204a7af8ad27

SHA512
6443fd6802e8a5fbfa1a63d6219e6762e6e5b082956f816922f5ed2d16c6e05b3bdb3ad0909c17d074feada4407e0ea04b993b3e2563c4eff8e0d87779a08efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
868KB

MD5
95cf7d711718f08d75234bcc81cc85b5

SHA1
2ec585112caa3de32ebe4577e514084066a86ffe

SHA256
7dfeee72cc434bfee56f57c9fec2ceea709cfa4cc75b2a02115631a1ca3ada10

SHA512
1a5782d65295ae7d047f1005332296d433a78343c2298920ef4e30fa955df1f3e1523f96f8466d9728187d976c0ad70c7b81cc8f1057e81e6c07255c8f356d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2344-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2760-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2760-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4488-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4488-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4488-46-0x000000005EC90000-0x000000005ED28000-memory.dmp

Filesize
608KB

Download
memory/4488-47-0x0000000001150000-0x0000000002A05000-memory.dmp

Filesize
24.7MB

Download
memory/4488-53-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4488-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4488-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4488-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4488-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4488-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4488-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4488-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4488-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4488-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download