73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12-02-2024 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
4452	b2e.exe
1864	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1864	cpuminer-sse2.exe
1864	cpuminer-sse2.exe
1864	cpuminer-sse2.exe
1864	cpuminer-sse2.exe
1864	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2396-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 4452	2396	batexe.exe	81
PID 2396 wrote to memory of 4452	2396	batexe.exe	81
PID 2396 wrote to memory of 4452	2396	batexe.exe	81
PID 4452 wrote to memory of 5564	4452	b2e.exe	82
PID 4452 wrote to memory of 5564	4452	b2e.exe	82
PID 4452 wrote to memory of 5564	4452	b2e.exe	82
PID 5564 wrote to memory of 1864	5564	cmd.exe	85
PID 5564 wrote to memory of 1864	5564	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\88.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\88.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\88.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\11FC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5564
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11FC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\88.tmp\b2e.exe

Filesize
11.1MB

MD5
a1be827801286abff9177a7e5646c423

SHA1
57673df284195b4910e85e80f224965ea727b27b

SHA256
75e4df8ff04144471f5142ca23aa53ac3989912f20b14fdfd4f6e924ad450c6f

SHA512
54965b25ef9d70062180278732b66baa757263d49017a211ddbb898ebd436ed48262527ce6f625cc838fe2acf4a84e92ca2ccff7e7e618ab47f768a74cbb020e

Download Submit
C:\Users\Admin\AppData\Local\Temp\88.tmp\b2e.exe

Filesize
1.0MB

MD5
c262246a2899de144e35307fa5b1fb78

SHA1
84b344829d5153e401a4e2d805a0677d1eb5e894

SHA256
2c0b99ff38bfc956adcc3206d77c29d9f4c584fb4999b48ceb01a5bfcd495c31

SHA512
aa40ab49de4201975de4e213932383f2a1d560a5a2f33c9e0fc318110b193d10ca5818b6a00887869e1a9a4464e14b5f00060d50d296477608a25532cb4e4175

Download Submit
C:\Users\Admin\AppData\Local\Temp\88.tmp\b2e.exe

Filesize
1.2MB

MD5
2dd5a2d68153efda99abc01e5c4033cc

SHA1
7d8792c4e5abe8b50d92d49dfe5d6d051426fec6

SHA256
f597c39638cf45d69a7d4f5eb37ac62aa957440884f6305e72f66bb937c07db6

SHA512
63dc1e1702bcef17c7999e251648ac530a2bcea441f25c2094a4d2a146d94514129ff3d3d1a37f80a6165086cd4b4ab9b98526775c3f1c8a50e700e9b3faaa33

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
335KB

MD5
0d37b70143d01ce53165ba6a0b224719

SHA1
3e0f04002c6bda87628d4929d5b1420a36e0f7d7

SHA256
80d0549a5bfa7125b8948ae0514f71f45998cc1dfb17c94cde4950ea8b0add58

SHA512
ac5b77e517e359e0c8aa591be234ba86b5db5e5b3c3a2cec11d43702a81498bc37ced11a3af767171b06158cd3feed532220a723c3aaae64438c3588d5be4c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
172KB

MD5
38cbb0c5d65fdbde3c988e347e450016

SHA1
b96d6d60163f9e956591b6ae443af1a52476facc

SHA256
cd23cd9ddceae6b87b48b5115756a2d3ffab7f6aad0543628ca6a239b69261a1

SHA512
c1c09d1ed2ac4b546ac3441ef5584bcf74e49d7832017106f723917181af14a8761f12e2d09c1658232e0741d6bc22d59cc049a7973f982e36864a700059b517

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
245KB

MD5
6acb3351f103849eb2cb485118757cde

SHA1
77e00bac483f40c6d53f1e9e106ae38c05c9e50f

SHA256
e3d21b65ba38463259353b0b35f33f35d21967f5fc8f8b34bb394067de8ff1a4

SHA512
323d2b85a7b08204a9a34b412e4747fc8104223bdc696f741eef50e5557efc5deef341b328cdd954bdd5dbe52445fc4ae99edb5a7b9a971bedbe6f0a00ada3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
190KB

MD5
4c970cdc9d19818facd374cb40f1073b

SHA1
bcad026c5b35918afb0ae051d76f713cd197bbcd

SHA256
963aa2982b6dcbe9df316c0e312d8ff80d3628867fc24534d3940c6f60bc3ec9

SHA512
eec047d1e2cde5da9d4efa646489f95150d155083364f2e98a662a8cd68a521e2b5140e156343478a664ab46a5f32f3e5ac08d914aae51d7b59d753e1db93ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
136KB

MD5
42419e5197159055df71d35f3fa92ad4

SHA1
bf7f83b66cf96cd405026360bb02246bdae50ab0

SHA256
668f642b0a7ed803b886777aad162d4dafb44358c01087ad8baff7ac42c690ae

SHA512
1d0afd1cc25c47d811d472cb20f86cd32f1fe346b8098d282b7948a347c91da4be268f1692ec7d8a9a63102e140f0e2c3e6eafb3474c9527dded917eea6011b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
109KB

MD5
fd1f526dc815b7411e022107f89c1e62

SHA1
db89fd6a359a4a6984e66be6cdb0b378425c8d1c

SHA256
b3ec7ee15235d3015b15364a5a20759f6ba847bf2e899abd5b6c5455a74079d0

SHA512
ad46a55a03270e891d31afa7847708062fcc67ba0a3313d5d003a3c37f9f4dedc21375ca0e9857d0d52796ad0598ad3687adae91cf0adfe9fe293e8d57e72dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
164KB

MD5
dcc6c8b317fe3fba4c290af6775b2507

SHA1
d6873e89fc7cdcd3bda85d3dd1e048bf941395cf

SHA256
baadfc1904df9f4e346cd25678ad70db6cd430839cc9e240e56c9b26ef2a99e4

SHA512
9a781c211c17ceb9e71c3bcd72ad159464e97dc848522f4e39aa6ff455a7dcdc30dc8c90ab3479cae8540c374ce3079d94264445ba4dd4a2f1df12634134640c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
228KB

MD5
87fbad11f32ab882abcf6483b72513a2

SHA1
376498950948151d30fff9ca420792558d824721

SHA256
6f4894f399bb4cf643bd48d0f28a5916223507ebb72f18b00451d746bb5342d5

SHA512
cd37fe3e5250b4168a1f589170f521d882e361b1f72c628bb1fe6d8b077524c01dad40c09d3106e35f680a085c18a16a0f4b950703535527ad42f1249f52b4f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
127KB

MD5
4f88303e75b258f802b85dcc3799a7bb

SHA1
4c64e6229f0282f2b28a384aafe60d0fc3c3ae0c

SHA256
b4991219d3fb759abde3e4a438d6d914b273a9a509d5d7b8635a1a9819eea449

SHA512
97158a929a27387cc2e575c941a3ff482c656b4bebf55adc6669c66ba4128281e8cfb2c92be9f0f11615fa694a00a31a0e4aac54fa0857b7b92251075790aef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
198KB

MD5
5bfc6e4ffbc8e7bf98bbb27506f2d32b

SHA1
6e2687dca819a1796bc48d3cdda092b6fa451b26

SHA256
667c0b5144e4b8fcd8fedf89bf4a3f52b77cf08fd9070b3d9b008c9a6023473d

SHA512
96ccf2569f95b8fbe61a628db28d5492091e8a12693bca5304e1059ebfa12948dacede22ca3308772b9d778a05232af1680dc3ca7fa4b0127636b3ce6bf39223

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
84KB

MD5
2aecdbe3ffa8894bfca476e6200917b1

SHA1
e44437bfe8ff2f1b5dba5aeef74ffd879b7bc8e1

SHA256
09f44098d8d282eaa1cade12a2771d328ae57387ac7edbc3d100e69318a4a8b4

SHA512
18a9ca13894ecec6b4e48604202a63e0a1eb58c727d4bddbe3e781ea3b0f7a1b2073200225309ba28720274e646fe44bf526d53cfb9a83f5a0972237a008b1fe

Download Submit
memory/1864-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1864-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1864-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1864-45-0x00000000635D0000-0x0000000063668000-memory.dmp

Filesize
608KB

Download
memory/1864-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1864-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1864-47-0x0000000001070000-0x0000000002925000-memory.dmp

Filesize
24.7MB

Download
memory/1864-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1864-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1864-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1864-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1864-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1864-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1864-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2396-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4452-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4452-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download