73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
290s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
2156	b2e.exe
3476	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3476	cpuminer-sse2.exe
3476	cpuminer-sse2.exe
3476	cpuminer-sse2.exe
3476	cpuminer-sse2.exe
3476	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3528-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 2156	3528	batexe.exe	84
PID 3528 wrote to memory of 2156	3528	batexe.exe	84
PID 3528 wrote to memory of 2156	3528	batexe.exe	84
PID 2156 wrote to memory of 5020	2156	b2e.exe	85
PID 2156 wrote to memory of 5020	2156	b2e.exe	85
PID 2156 wrote to memory of 5020	2156	b2e.exe	85
PID 5020 wrote to memory of 3476	5020	cmd.exe	88
PID 5020 wrote to memory of 3476	5020	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Users\Admin\AppData\Local\Temp\9DC6.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9DC6.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9DC6.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A950.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9DC6.tmp\b2e.exe

Filesize
21.0MB

MD5
4208fda12391616a94cfc62fada9d58d

SHA1
947744d74e79f69a84507bd29c79492d428e4346

SHA256
848d46d2744aad410df7eacf94815a58dc9cd0895f688a4693e6cb6df6d2b592

SHA512
c1f0dec52b760d416a1f8b9684ac65bdd1f95d97babf6bdb16ac003100f625658cd9d3f7d6f5e55bbbe6c29b5a279bcf34c3f8f5ce991d4eb2f2c2e2046a40e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9DC6.tmp\b2e.exe

Filesize
5.3MB

MD5
9255c1b67784efdc893d0ddc63c8f86f

SHA1
e329cb29973c76dc4e05f77418fb50bbedba05b3

SHA256
d149627c0e6e3275a4126cace17843bea8b85ab35dd913835c27dae8c6f5fb8d

SHA512
b35f95a9e6f4bd6ac87de1fa1cbb5b272eb79c5ce55bd10a48c06a6cd0d6e92531922e912d02caa12ca7a87ad3f0e9a3d994dfb7ef0ac6d33828d297ab20bf43

Download Submit
C:\Users\Admin\AppData\Local\Temp\9DC6.tmp\b2e.exe

Filesize
1.3MB

MD5
cd2e147246a8f0dc58bad676a15048ca

SHA1
0382157b28b479809d4848771f63f209292dea25

SHA256
eee07142595f07a70af1c63f13f60f8d09efd8a1f565490bf5cf7cbee1bffc1c

SHA512
196cff5a99ab1de4fd542abf69f2416c59127edefad5b875b229f1744fa9591f1ee7b3730cf7822919194ea893624c97236dbbbc5b05c3f270cc8f66c59acaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\A950.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.3MB

MD5
4c04147c386ba8792ac6a03069572a8a

SHA1
dda67789fc1d0f2469ca95f01a5c81034853ca6a

SHA256
c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd

SHA512
a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
640KB

MD5
ac7d1c3bb4d3c69372907331267c1ee7

SHA1
fa82689799785ef9ab4c304b1c1a6d2d9a961928

SHA256
d22689ab67764158df7b19e8d78ec1393899f21e390f469a300975a31106c3aa

SHA512
0d541661060d7c5eed486ea0377142e7d3883b3c0935114679af28bcae0b1767585fe06328955cf59aab4fe3d4acfba525dbc42675fbce80b7d0b2300784d125

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
576KB

MD5
bfba8ef054be5bee0da072ed080beac4

SHA1
090e6e60a6f0f1e351978e91b99e8dce8e63413f

SHA256
81f3865864af4f5ae909e3cb60ec0e0fd028e37909315b0e3de8663a34391be4

SHA512
85a8d0b74341c10b3563209566415727a1d1503433908c26c3e861592c397a66afe3cc25bcb31119ec64e15fa078db361bc308474de1ec3f1a8c367d37c622b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
832KB

MD5
d33f0e6bb5e8d2b9e111a90544790dc8

SHA1
df4e81d22638d511e761744e886c33bc12096c48

SHA256
40729edf62213c039a1818c9adb9478aa0284bb26dd071bd1ac4de1da2470048

SHA512
ce4ebeae054117d4de8b3fe2403d95a6d819483269f851618958e864887e9b2f42fc9c893e1aa207dfa2d94900c8f4214a67796ddeb2a80ce655d69ec290d629

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
640KB

MD5
1bff0defeeb9f4bc5cf01e916a8d1379

SHA1
bdb668928be0a339e01e3aeeac813fd26b44b950

SHA256
d7f49e1dd346940049b753b856759608013f611624432c7ea57b0872239d35c0

SHA512
edb3e22bb4d6f3376d73ccd538a61292c5a086fc8ef9b8038b663c93d9ec991bdca297e3c6febb9d18fd16f5304e4fa532d603c68739598f4b65af320ffb3878

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
640KB

MD5
1b7339cbcb5b756c15c05fe0cc6443f3

SHA1
abdba01c4526a9bbbb7fd3853e09bce3cbb5287d

SHA256
5fcf0fb116f77206758e3a669ec4fa52648fae431a5c2aa2d7ee69944142e019

SHA512
7661b5e8413e74432a00089b1556b2f49e268b6b5c8cefd839cbe19074bffd138c18e8078627420f4082f579a9e3f8d02b199507ae36380b5375162a4d4ba439

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
576KB

MD5
13746f79a51eb8ce3107de99ffc6b56a

SHA1
64a00c99a805f8775f08cda4e4d06e1150195347

SHA256
2c04d5960f13e859d49c78a8858bdcb0c53914306eba52746105a76d98f5d205

SHA512
d0e69c6cf0078c858e8258a4038098e644d611b544b6588b2b1c9d2d2937ade0472edc96257545f5935514bfa18970f5762eb393def612c5a7027727397ca8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
576KB

MD5
2caab2ad7ccd18421c96ea2ef5b9e602

SHA1
a629673c12e88ef88f30cbe8da12d3afb9a7d42c

SHA256
c16fbf658c970a716b976abe7c5d9f1b1a42dacd55a43b16fec0ecc6b84f0552

SHA512
aa9692584947d7fdbe843e877430ade40c5b4c6e15887005a292065d6f8e1303abc8dfc2bf50c01fb032bdfeca5bb2aa9312ba44d7ba4e2d3529d07bfd008969

Download Submit
memory/2156-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2156-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3476-46-0x0000000059B10000-0x0000000059BA8000-memory.dmp

Filesize
608KB

Download
memory/3476-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3476-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-47-0x00000000010B0000-0x0000000002965000-memory.dmp

Filesize
24.7MB

Download
memory/3476-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3476-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-53-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3528-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download