73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
5036	b2e.exe
2960	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2960	cpuminer-sse2.exe
2960	cpuminer-sse2.exe
2960	cpuminer-sse2.exe
2960	cpuminer-sse2.exe
2960	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4452-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 5036	4452	batexe.exe	85
PID 4452 wrote to memory of 5036	4452	batexe.exe	85
PID 4452 wrote to memory of 5036	4452	batexe.exe	85
PID 5036 wrote to memory of 4180	5036	b2e.exe	86
PID 5036 wrote to memory of 4180	5036	b2e.exe	86
PID 5036 wrote to memory of 4180	5036	b2e.exe	86
PID 4180 wrote to memory of 2960	4180	cmd.exe	89
PID 4180 wrote to memory of 2960	4180	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Users\Admin\AppData\Local\Temp\566D.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\566D.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\566D.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5999.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\566D.tmp\b2e.exe

Filesize
5.6MB

MD5
c276587b541315387cfd4ca84d11d84f

SHA1
b327bba7d67176cdb43016fddc5b5c24bf0fec74

SHA256
d20b4abc86e71e946ed8683ba0ceb0076f305f7e2be303c02f5311dad24cb00e

SHA512
94bb2507fc2391c7377ce92f2575efc08d078a9d45990f23c43b426031dfd95a1ed00fa412d56aa2dbc3319325605f640df6c6d71e8c94845b0f64d9cade94a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\566D.tmp\b2e.exe

Filesize
2.1MB

MD5
5331180740bb63a3f6893ade80835fd0

SHA1
53bb923022e04380bb081f0da71e569335c3c287

SHA256
9a96f7d0363c784ca1eef7223891403cc6aaa71451120c77f87916edfd902294

SHA512
a806eb13fdcd39220fa1da7ef93693043e29dcba544cfe78ee7beb4702674d1a2c547a62d3b2ecb8ad515e2b2a0bfc9f3f077ec5472587d61438e501b863a21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\566D.tmp\b2e.exe

Filesize
1.3MB

MD5
0b1f667f745e9a2bc2d7cee15e8576eb

SHA1
fcbf5aa80aa82c00de10ca2a4ac4a4cee0861b3a

SHA256
cd6250a9bf1357a8f686d73a5008c4c200c6ed17ebe65c20ed961fe358b52b13

SHA512
dc0e06b218b37b2aaea3b961e9b6aa110e5eac465e553c5d44cbedc8e8df6a7c7d5d1b37eec947a612655003df459ccd810c7fe2e32b528c83d753f02267a634

Download Submit
C:\Users\Admin\AppData\Local\Temp\5999.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
163KB

MD5
a9b19268853f90dbe3ad8837ece5da88

SHA1
17466df59641006f6236e1de2dda043c12a02a85

SHA256
8d0e121da858f4a3235585a8298d803f49c14917499bedc5bf995972988a4255

SHA512
dac699c9a7914a8c37a490790b62a62dd101518d2e5caa7ff9f0383eda136febc3fbdc2166c4c307c7fd5802e7ee3a60bdab4adc6928975cc66bfb1093af0c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
208KB

MD5
4380b882436a32c1be43186c50f536a8

SHA1
d9a61d64f13fb2a43b14153178fe061db0d7a3de

SHA256
462d8a747065751bc4df3331f8366f3f73a4656d8c6d6c028b35cf0b613a9799

SHA512
10f63529ea72103e9292a6e5de471f69c8af809bbf429990d7f5b4f178931b6dfa8e5b140668d715d211748e9cefc7587fe37b1b03bdd7438ed2a29a2d4196fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
313KB

MD5
4ccbb14b96b0e93e8495a1c70a72386d

SHA1
0fd66b6efcb61a31a1bc30e52daebc9a713c2cd0

SHA256
27b5a1aa0f638c075bd0f21c5eb6a8c689614db37c39d1047591bffbd13c215e

SHA512
121537bc73db1809a40c1f5709ad9f045b7f24a8967bb486bc159b585615e7bcb40969ad5bff9f74f5b7587b878bf2c8a928a4479d4c086144781109a461ef8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
128KB

MD5
0cfc533c46d2f160fc8d8483706228cf

SHA1
0d13ced09eeed5fc3879f418bda0410a742ab6a1

SHA256
510a6af4547083718b32dc00d4711cfff2aec0e7b936d4199feaaf32a7d5d3a6

SHA512
11e35867688e7814881981298b6f6948fceaf254d154f5429e5a82c43397b1894bd35fe7fb586b26e4272d8371c3b8e96c20c71ab05b9df3e851291444702a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
211KB

MD5
92903f2c7cdd70d814e63d703ae5281d

SHA1
fc835a29bf8755cea28566a5d25b1a0de53b0066

SHA256
915cf5ae2262f8f63c328e8c5f6caca812f205e6e89a51896aa91b5120378537

SHA512
92eb08523ad9e2a8efe3440c5b86a69fb2697dc4c012d32edf0b01c9e18f818c86800f802b0ffbad546062d3a0a3c5f80d98b42f76db8c13cfaaa862eded239c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
191KB

MD5
073dd0f64a17b7809f9b851fe485d7df

SHA1
53e6179d6b69f4f736d58636ece15311d3dda488

SHA256
66369a4e9069f103a8a4914535132abe51bd85bd7d4ff53c6a3042799cecc403

SHA512
04cd468e4a93999e204a391474f51a17a579cd903a6d4ea4937d8353b7fe4f15ab5a5f328239d0b271c7c79e8449dd10f9a86d581f318e5b1dbe89be72d886ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
214KB

MD5
16d2567141d43dabbfefb13ceed42fe7

SHA1
221ff02c96822a7478dfa9e0d1d6fdadef0059b6

SHA256
eed9615f8a57f0b5d63943067d678b009aa5d1e823e7465b71e6f1398eeacb06

SHA512
2b8ddc9c5b6edf7fb80c1d81f75451ce0b6a348892eeca0738c3be59ad1e60b3218232542a46713732c75d4c3d1e4dcccd3de2d5a093ba120930bc4bc4cef3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
155KB

MD5
732eba5da33e443da4e7f749768e04d8

SHA1
e83176f3c2a721195cebd67e4a98e0a081158356

SHA256
fa70712ef23b398b71707d6714c9f6ddf6631beb053a163cf429ebd596f02c9c

SHA512
4841db346b363699a0fb08b9c434966598f93dbee96e6cb77041b77cea1da92604e510915b3d11c3bc5421c41c887178a5deecadb3cc7ea7ff5155374fdec99d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
161KB

MD5
201b0c295a47b90a6a31469eecf7f1e3

SHA1
d1970fb91008bc30565129519621f6351f19e452

SHA256
68e80cb0e59602deb010060ec5281e1a139a38d6b054227f8946053eddb1f0b9

SHA512
2364eace5cc610c6831bf589a2a94f7064d3475b5a21cb91cb458e2b3628f5e4d5ede8678fb8e94f8b36575206323afc5887831694fda4335934d7655bf1bbf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
161KB

MD5
6c669411485c422b6810d39e398f6e15

SHA1
6507aaebd35511516f263d8fcd95ef7cfea0cb13

SHA256
975e1eb4f7365229ad7759152deba13e1a442b6626f4f1c69bc26451133b3f97

SHA512
07247cb6d8906577fa89f40a19d20f08864f98d89279cb56b01ba12d6f4deaa9d6dafac223084fc2b90678af88a78bfab6ec0f5209c804af1bf54622e33712f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
119KB

MD5
8c2e24dc46ff7de8f501db6ef1a87dcb

SHA1
af63576c98287e49f6e6b8893cce080b66cfe7a0

SHA256
6abd01cb62097bd6be17bcc1fef7bcefeadab79005cdea51f7ddda3c480f6c5d

SHA512
99fc89bd8ca0777088c8c1e250ce2c122a74d8afca4a86127110337d0dc5ec6d03ed5e1da3759db8951a6f8b61ea0c4e5bfa1c03d1af11ae2f8e968543b3cd87

Download Submit
memory/2960-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2960-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2960-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2960-46-0x0000000072210000-0x00000000722A8000-memory.dmp

Filesize
608KB

Download
memory/2960-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2960-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2960-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2960-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2960-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2960-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2960-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2960-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2960-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4452-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5036-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5036-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download