73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
116	b2e.exe
5408	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5408	cpuminer-sse2.exe
5408	cpuminer-sse2.exe
5408	cpuminer-sse2.exe
5408	cpuminer-sse2.exe
5408	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2112-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 116	2112	batexe.exe	85
PID 2112 wrote to memory of 116	2112	batexe.exe	85
PID 2112 wrote to memory of 116	2112	batexe.exe	85
PID 116 wrote to memory of 5468	116	b2e.exe	86
PID 116 wrote to memory of 5468	116	b2e.exe	86
PID 116 wrote to memory of 5468	116	b2e.exe	86
PID 5468 wrote to memory of 5408	5468	cmd.exe	89
PID 5468 wrote to memory of 5408	5468	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\6F25.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6F25.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6F25.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\730D.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5468
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6F25.tmp\b2e.exe

Filesize
1KB

MD5
644ea7db8b958910e328b058644334e0

SHA1
953cc5ea66440ec9edf01d0fc3f89f5e6ff77160

SHA256
c2929d87c46da88cfcaa62cfa6ca6abfaee335048da449728a08b4281dc318c4

SHA512
e81fa2b83f892d21b482b496e7dc911bccba5a281639d303f29299b744369672cb05f3dd22eacea3b8b28cfe8ed021a63a00079bdd79d5f7e6ff1dac2e8655be

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F25.tmp\b2e.exe

Filesize
3.0MB

MD5
42e52d2aa6e0aa4e0a6cb435f3e72e32

SHA1
904d518be9644114eda76add80ccf585ee238731

SHA256
4f8c614822cb12e7405d484d8ef1c5796fe1002f4e20867e761623d6108bd5ed

SHA512
c5bdbe9278322b817f6744ed51e93d2a5a32b7285a5d8506bd7d6578fd432f43caec54c5ae81074a06b8c2b4a36ad5ee4bb6e817698252ec8df1406ee68916e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F25.tmp\b2e.exe

Filesize
4.0MB

MD5
651edf28d85db524cf06d45b1ef02a97

SHA1
d2c9b9148c75cc1cfcfcdc1b696c9e3d26951f16

SHA256
25342c3afa22b660dd0e61b5f4a84cb010b45fdd175441a57ae9f44242e2acc9

SHA512
d27dc8044737cb807e8366f0644680178c639b51941008263eebb6cf2a6275c2495bf2e1d2bccf5a401df53af52e13c2216dd5c3416e0dea897723e51a327262

Download Submit
C:\Users\Admin\AppData\Local\Temp\730D.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
5KB

MD5
0dedd078cf0b2421a894ce2cd52fd93c

SHA1
d1ad1a7cd859dbe435a4c93664c6d870a815d712

SHA256
56c1447b571e2d7ef463b93970456b2849f179b418fe0fe248c3a09eae70ee54

SHA512
c5b182c6c0982a11e01b56e5bebdd142a2cb29a383d85c44756adfbe178a377f7b2f7e1cdfe528d17a7d44d017ead41ffb9eeb67f4359a51556a35005001fc23

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
68KB

MD5
2da98c871e436c33a698a5b9283c14bb

SHA1
e0f46c99de6777b02174055c3abacc1101e58dc9

SHA256
a93df6b38f2bf1d5c566fd0f08aeddb8ac82dcff97fa44534f2c442a289a9459

SHA512
8a8d78c4d183819210e140ee416cccc6b410f431473e7ca67405b2b968fba64c6b38de90eaccbbe85034a6cb0675b2ff6af696f399a6739ca8a069da2ab761a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
1KB

MD5
d27bb4786bd7510db4a0a909181e1253

SHA1
ee39176b6998f20d072ed95b88e0e9e5c0476abe

SHA256
f82b8ec71b49c257046f0f7f09b026eb9a4a8879d2125cb3a5fe8722de2c8740

SHA512
9dc4bf61c7b5fb76a33ccb2fed698b9509dca2584b7b265724535f93c1a9c06eb5547e7575b0c4ec05c804c0fb104dd4ccc4bc59a932dd05840d971b45258fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1KB

MD5
0c379337a4b2f31244e1ae54499e83c4

SHA1
37dfa19ac4cf7f59fcc631d6e4aab88ef571651b

SHA256
a936fc37f5f987ae446a403c61a064835e7c759dd50c68c8a60530f83cc77580

SHA512
79945f6de4f2bc64933ec2bfb8afee1a1e88d0688a10a4a3c3e517ffeeb7d756f25478083b44bac46f35b0ec5c16f26bc4bd4820deaa3f2d4fb4654b9c21b9dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
10KB

MD5
b8a6506eacb458c47b397d9afd8c7d09

SHA1
0a799f798edf6feb0bc5f05723972c22b2ea099b

SHA256
462c2659ad7e3e051c8f8cea02101adcaf46b781f1d62acebd26245fe8ada55f

SHA512
3136e62938c84c3430ee8a4e1a65579120b873cdbfa8cbfd3abdd94f03d75673d1005ab3c59d5aded96fed91dc7938e0295b75057882fab1280f460f770c0508

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
29KB

MD5
2ab238145858214a92dd614e0b22f0e5

SHA1
41b5b6eb06bb7271d2faba02b22ead247f711927

SHA256
8bc9e5ad5effd2debb8f80a30d7e3109615f4530a25bfba35ca372b9643755ff

SHA512
f709c1ab3ab47a392964140da3d1d5ede0dafec73e900b81f3d953a728e6fd4beec12e7c91ce07d3756ca39dd8c7e3a8c942c2f8399f961589d04ff5fdb2502d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1KB

MD5
7afca165eb598c56e10ab965bb8846ac

SHA1
ec4f2164d7fd2e3a9ef14f6de528a322173a9453

SHA256
555ac9bea13abc8011c591542b66c78024aa8f18c80f5a0114d5200a8b17730f

SHA512
d747e3aae86c96e7821538575d6d5a810125f584f80d4404b3dae3aea0afae5ddfd3b353b6cc7cc4bf40e30c1c2b2f88eacce19cab10e142ff9998a910f179cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
13KB

MD5
68c4dc2d3829b8a099196d402b0fefc0

SHA1
3aee48496e2c9102791d86e323f4388d592906d7

SHA256
1ad552d155d96a42a576efda35f85cf436a9a803eb7089ae02c2dbc53ed10c94

SHA512
e7a6fddc30d62bdea6893ba0d7e61cdcebd070438b5103a1740b8f418e669d676862ebc6eb4a4f78b79abc9f228740030df0be0a1d0bfd03ed9254014324f71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
1KB

MD5
d7c75b973084fc64536bef84775773ef

SHA1
4ba97a231c651cf0bb9f21c833d0e15d2c1057d3

SHA256
de7e877c905b61a5c6c6d5a60040ee125a9222cc4dabc1398393785bcdb82983

SHA512
e8c5afaa40f10c983ec4470ca3ebfcddd9d5ef4dcc61a4dee165ddfb63d878f9a9e56f74a447feb9337fa332fd94f057ec6de16622b030764aa78137e8a5a808

Download Submit
memory/116-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/116-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2112-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5408-46-0x0000000058AD0000-0x0000000058B68000-memory.dmp

Filesize
608KB

Download
memory/5408-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5408-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-47-0x00000000010E0000-0x0000000002995000-memory.dmp

Filesize
24.7MB

Download
memory/5408-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5408-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download