73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
264	b2e.exe
4896	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4896	cpuminer-sse2.exe
4896	cpuminer-sse2.exe
4896	cpuminer-sse2.exe
4896	cpuminer-sse2.exe
4896	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/764-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 264	764	batexe.exe	85
PID 764 wrote to memory of 264	764	batexe.exe	85
PID 764 wrote to memory of 264	764	batexe.exe	85
PID 264 wrote to memory of 3972	264	b2e.exe	86
PID 264 wrote to memory of 3972	264	b2e.exe	86
PID 264 wrote to memory of 3972	264	b2e.exe	86
PID 3972 wrote to memory of 4896	3972	cmd.exe	89
PID 3972 wrote to memory of 4896	3972	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\AppData\Local\Temp\B6AD.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\B6AD.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\B6AD.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B93E.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B6AD.tmp\b2e.exe

Filesize
3.4MB

MD5
cdac1921c855d188b0b0b2e36a078655

SHA1
a2593d81b8902b0559bd8d4aab2b3373afa4070a

SHA256
779ad944e44c0d205bbd86da6d07e4cc1a66a36120dc9e2111e1ec5d3789addb

SHA512
e0d6fd706e77c53212c3fd19ae25a299c8c8661aa7fa26912adfbfec15172f09cea86374343af7680920cf934fa4187d592f316a5a1f5093400180480158c6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B6AD.tmp\b2e.exe

Filesize
1.3MB

MD5
bda58785189ed05013f3386b16d837b5

SHA1
437f78d09b77667064351308aec9ff10a81b0702

SHA256
56d0ae5946f40690580978f2c3b8e397fa5f6819ccba4696cd22e6d7af9d26a0

SHA512
eb68c18b446a8fe699c0f2b47078c921c493c51602bb4243edc49f9f1d65fb45568fcc5e81f9103d0df167795eba7e84638ffe92529c96ca16d093f78aab7598

Download Submit
C:\Users\Admin\AppData\Local\Temp\B6AD.tmp\b2e.exe

Filesize
937KB

MD5
41f449c7d648b138c2dd281e0a5b7f15

SHA1
daa459a03d840bb537d74129c53cf6c63a69902a

SHA256
3f1f452d1586dd84dc8adffb8a4c848aa0664693f7c267d6581cf54eefb3c811

SHA512
d348cdcd6c192f698f3685f000966e602a504a2c57298d52dfafb7a0974b0e5b5f640a3fd6af404c0f62eff40f1314d38bfda1aa3e21cd945368818760f855a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\B93E.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
429KB

MD5
6dbf4d39aa71cd8b329530e505f926f9

SHA1
44b29d6b2ca28fb5346745992f79896c1793e91f

SHA256
d78d926eaaeb8ba291f18ec02a98dab41fc5ba8181458b54857f68223c6a719a

SHA512
2003d7382b2e62e5aa57b94138c6efa6903ef855602750383d8d42d18508118b7b90c58e19e1cd2c627390f7c81e740b97fe8eedc32cf664679e7e2d57b1359f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
335KB

MD5
a01d1471b4e258d1940329ea59ff8279

SHA1
2cb795d585b2bde601e36b067687ea9204e8223e

SHA256
1e1a0c86f16e990e7dc427c44711a1343987b5b20d01ec8c0b95d80ec28b4406

SHA512
88a4afc013f41e3ab56b5fbdb2e249fd160075cdaa46a0ad47cee24cfe71ce70960a2cd07d1bdfa869f9674e8cdc68c48de677921b7b52c688d7474bd3bc52dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
240KB

MD5
924b004a7ed62c8aa89aabb2cbc35bdc

SHA1
e72b37e94befdf199124b4367609a3492d7f1f17

SHA256
247455216d0dbaf7696cefc2d00aec6a640e8287d2582a0c70a6535e6f7982cd

SHA512
84688cc8b5ed4e407efe63e6bd2f3c08073d4905c1f0acb4dad6c4c0b393918f645b926b2f8157e00d89dfe3aced949f58e2784041ea026c26c8365d45a9e6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
228KB

MD5
63a6c52853929c67ec27e37b2ba3b680

SHA1
6be3f92d0f249ca7bf227f41d51407877edf4ba0

SHA256
d6034a80236b519969da265bc9cc038299fabd5be75d8a86d0fee4762d6e8140

SHA512
799b4887f4dd2d7fc7d9deeb81226a4bc734ef44016777d69b6b10ae4a57d7ba2ed1af468b8d1e9a526d828d8d9bd900d52545f24e6a261b1a38ec089ea63933

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
461KB

MD5
098544e362f08c2b1af10462499db144

SHA1
d3a780281f85323a31e2d98dc871aef7a4458966

SHA256
c03e891b1d561637687e5b38c603358eae4cd330b8b5a0a66d289a1d4a7ac495

SHA512
4a38c65a5caee0142df896702529e8405264c5c9b34838f77aba29109308c8664ca30da8dd0ee31c0011f73ad583fd0126a66a8095cb89ba60435ab4a46730c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
317KB

MD5
1186cf5ebe756a2234ef6c4425bea7c3

SHA1
82ec7e870ee3fefb0ae7569bdc0c7167f8db2f69

SHA256
748fc1200c46158d9367b045620e7c6a1d6eff6708e319ef5428c4d05a135af7

SHA512
7e346d91e015c761c7289149d64dbec87a9ad360e8e679d688a2a1ee088bc3a43ea3c210e77b75ce3c2ceb07523d9adcb7c7d7b113d2580aca5cfa02a56d7d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
415KB

MD5
6b304f61b9ed5313d26d24a2cf298149

SHA1
2fbce9de008b65b771966e701012b5bc91f0a841

SHA256
3f4b08ffd27e42adcaa9e6e88f586e1df9837ce517b5ccf4a460b94afafdda0c

SHA512
096edd982445ecba0ebe89ac01ef1fe409c80676eb736efb060fc9e6301850205da39a1da6d124d4195e6f133915163a9816232e5c4a7ab7ebce559243840977

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
335KB

MD5
7119883f1f8702f75f35b37b8e8a8890

SHA1
84f5b9219f9c979d5b600ff4ee687203082977f6

SHA256
d3e38b0514f9d7da0bd219a208bbb10a506d1e23c4699505a079af6324f63fce

SHA512
21f4da2574d306812e57aa6c4d9771fc03097d45b8c09167c2b31faf2fa90a1075b1f7f77e3f0dad6a805343e92dcadf58a648f03faedddf898b9afdf4f64e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
238KB

MD5
0dbd9ae3d08511b5a836282decca3b0a

SHA1
fd4f0f0b46e7f72912cc6c2c5734b9fa6f2630d8

SHA256
cbaaf610dd40ce20498e7121e94dc1f582472f2010362e947a05f20f1733919b

SHA512
842ac14796c8360e6bc807ad4301d6153a5e24752a20f618a139aaa2584096a0de67f87c6069d22746e42d5bba8397c6b1f18f2339c1079c9e679f44ecc24a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
357KB

MD5
9e63f2bed2ef25922e03a7ecc69627af

SHA1
cb6a4482532138d7a85f213795429bbfa91ae42b

SHA256
5737c9e90f94510952a0732593070df92a2fb9c4ec834441de3b777e68a54ee5

SHA512
57fc7f81dccecbff811c3e4400a6b40c9318e3aca95889c857a9a213882eeb90ccf6d0e920236a1128d9c772e6b61c1ff952cc36ef7351f6c912dc14113f7caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
240KB

MD5
239bfd29dd5a30e086a8eced04828ba7

SHA1
e58cd0d49c4ffd3b0772512d313afd9e070411f4

SHA256
f63dc69d62a4d6b93afba90ba655c07cb150426fda44f585084951a771105f48

SHA512
37aa4eaa6b796a2855c67264c9dd8590389fd4ed73e2d3fcecbbac983078d360d552923a581559e5030b6abe234f54f786414e5769fffdadd6a9bde6fa599983

Download Submit
memory/264-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/264-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/764-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4896-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4896-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4896-46-0x0000000073A60000-0x0000000073AF8000-memory.dmp

Filesize
608KB

Download
memory/4896-47-0x0000000000EC0000-0x0000000002775000-memory.dmp

Filesize
24.7MB

Download
memory/4896-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4896-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4896-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4896-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4896-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4896-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4896-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4896-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4896-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4896-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4896-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4896-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download