73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
299s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19-02-2024 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
5748	b2e.exe
1072	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1072	cpuminer-sse2.exe
1072	cpuminer-sse2.exe
1072	cpuminer-sse2.exe
1072	cpuminer-sse2.exe
1072	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5848-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5848 wrote to memory of 5748	5848	batexe.exe	81
PID 5848 wrote to memory of 5748	5848	batexe.exe	81
PID 5848 wrote to memory of 5748	5848	batexe.exe	81
PID 5748 wrote to memory of 3720	5748	b2e.exe	82
PID 5748 wrote to memory of 3720	5748	b2e.exe	82
PID 5748 wrote to memory of 3720	5748	b2e.exe	82
PID 3720 wrote to memory of 1072	3720	cmd.exe	85
PID 3720 wrote to memory of 1072	3720	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5848
- C:\Users\Admin\AppData\Local\Temp\F627.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\F627.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\F627.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\27C.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3720
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27C.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F627.tmp\b2e.exe

Filesize
11.8MB

MD5
a132b15ca428dd9af883c530355ef778

SHA1
bfb8de637f523aa2c1aa2031f5446fae8040e857

SHA256
d26d6611457d0ee7bcf19cfb11161a1dc4513e7d54a058441e12068d454507df

SHA512
cb12dd3f84aa6947015b295abdf89b65124b9217fb466ecf6441dd139289408adbb78473a007f2b4d215b46aa19df4a1dc566b087acb4b9082e5391010e8f8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F627.tmp\b2e.exe

Filesize
832KB

MD5
e1bd95ac3f9c6ce43914de2a53967fee

SHA1
3e03982c075df051d5a8dd837f42873f30483faf

SHA256
45c3475b58fbaa942be0297167c5c3fbbfe7295aa3fcbb4fb61df1348f55c550

SHA512
2166424e86301bbe04fbcce5d0b91562248845c5b1a7e889fee9a95d1c872dd6ea5cc85792b54e6d085095339be2f2b7f30cfd9b40a071b51c96a5009cc96f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\F627.tmp\b2e.exe

Filesize
704KB

MD5
2bb8bf63c7d7958f71f9307c8635131f

SHA1
2362f18b011bd1e60fa078052821edefa33b8e08

SHA256
85151a35fd2a7ef587918c4702b2adbe0c3e7eed43bc8564a662ed03a6f3ce79

SHA512
59eba9edea2b2af76f261db76b15912b20070d75db7cf498d55a1bc13f11692d016c9a70ed447a784c874f6d11582112312f3d058443606eb4b6de349a4857ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
470KB

MD5
bedd935050a41398e8cdc0d7cd485b02

SHA1
4a3fc6d98437b0fe4b3040242d866d17adfe3d80

SHA256
a4083b8520a97e4344dc1d73b15e0ff953182278b6ec63fd8897ad25e4dd1803

SHA512
f63830dca372864a6c41e6fc7a8ee6e226f1e7897c18cefe2637e49fb4c90c7561f246c5bf1b00cb4866d7daba8492ce11071c47f5cb2187d65bdfb8bb55a691

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
650KB

MD5
cb27551d104c08c7b4ded82bc405c468

SHA1
e3acaecbd05afc8c3085c00f0aea522abd2472ae

SHA256
5d9d99d0c58a2f44b54b75aba474d427306dc0d6f728e9a58f0b6fe2854e9bff

SHA512
adbe89f51d618431b7ae0080f86825e6b6c4ddf9c2cb98e01d49706b97e4ace91be69dd9b1fecfd676a57244c90fb3d7d5d271629ee948122b309b4e691f1901

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
530KB

MD5
1b9175b7bd745f3c3e9364fd7a5e5b2d

SHA1
6c4dbb05cd675adff909594c613de4bcc8ae0c92

SHA256
2b83c92fbf378501b7dd8e63e8f182387587d773a17259a0d645ccb36961c0fb

SHA512
eac8695eec157cb185480dc636476013792dc78067867009b1b5a3ffdecc384e39eb1447f1a5862306b755371646e1138559fe24348c910e210198a783105bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
664KB

MD5
7eedfc11c23be036032db0540872540e

SHA1
8264bd5f8df91c674a6b07c27e3b8e6ec4928058

SHA256
919973fdfe38adaaf5b3b265fb86dc24bc625aa553a1bb7fe7c8b208af0b9a8e

SHA512
4102e5c0db4d9ab3aa3f1eaadf70c4e1bed4401b3e059eb580856ef63a1d2ab8932eb662e4bf83a180190d843c55741e481e4270dcbdb4973b8ea319743a47db

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
367KB

MD5
0d8b85131638018da50360c725d7997c

SHA1
022a66de68d98524b0b7353ade0aa0c127777de9

SHA256
60014d3e26a823a21d8730396ae8a397b67e571af5bc25e0b00a524499779445

SHA512
df1b6ffde658d2e6a55bfcd81e989070ab8480d2e946e97d4782fd001d0cb4d4bf5ec7dead420717f189471a06e75fe668376e202ef76c26ffd9cd8591827c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
294KB

MD5
6d9d24ee88c25f89e7bd7dc8bff85c76

SHA1
9346e497cca1f033cb6144ab321f5b65ce9c113e

SHA256
1cd3b639f75f26b942ff09b201f96c87d0b6f093f58a000204ac4bd018403dc0

SHA512
ff2c21daa552ab7487db5e61c6a24c7ad69afc0ddfbdc8dbebd9b3b0ef3748352be88495752bb6a64efe54ca060ed7edf902b00e0e7dbd5251aeb1e405d95adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
433KB

MD5
3beca0d136e65d85678d057244169f45

SHA1
58376bb2366e7bcc30b6baa2159dc0d2a1489611

SHA256
7ac00624c698a616413ef32441df479753beb8b3edfd3d7b2893c731727acaa6

SHA512
d3e15c9d9fad058cc079a9a9c73edb299cf9730b40f5e3ad798f388162f2c39582bb3e0fcb39feb90bc4e9b06c3855df0b17aa558194639df7734803ec24e6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
445KB

MD5
85ac449f8ca3ba3231c8936a1699aab9

SHA1
a0becb4d85e4d9def4b487d581fa98c01bc8c8ae

SHA256
6ee7161fe048fa48d3c06261ddade4d7cf2db24bce2c2b53f1b3919ce9f38592

SHA512
764387679eaa798ea1cbb7b5fc2f808a576b7cb767770b72b8772c03e9deb37271319091aa69cb933732a2d109d82c4d88e4c31c1bbc60935b92aa28773e2e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
251KB

MD5
33a09694c2b0417375e9d2db2d433837

SHA1
aad22de66aef337c34eca80b3ae7862f9a644f04

SHA256
dabb95f905a5e51c65ae315419e027989e44103b8a683bee4424605e984aab3b

SHA512
ce2006c36ca98c69e4af05ce3046d90d6767a775fc0f641376bc02f8703eb056a427d88d147476d864bd00037d12c8d3e2e5fe5d6e1a8eb3327d041a597ef90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
276KB

MD5
14e98cbbccb572bd06be44e9f3cafcef

SHA1
82f25f0a00c6ba5094add88b74dd7e7db1987b51

SHA256
dd7aac26e1648600323e62dd8bffeed061240d4035395793f99c8d2301188160

SHA512
0940a6af2b23cdce49eb301b9b1dd77659e1008f24cbe5c7f47a879c67fdded1a301231870e42a21bdea5c0d2b8b424cc50e893281330d077e75b11a7c779f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
242KB

MD5
144991f564f0ef73d304e6b9be7755db

SHA1
111de48c68c6c131502eb5b612631cc1889625f4

SHA256
9d2035765a422e2b7d54c9f36186661ebdfadaff0408ea81a8fd96a872d2acac

SHA512
73e612e78ede07280a64fab2f022e984f0bbb7e4c3306346027f3db8d45db7ff8b80680869ce7a75b5e77e929494cad46016a46713beee7057086a4be1e8b9e7

Download Submit
memory/1072-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1072-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1072-46-0x00000000635D0000-0x0000000063668000-memory.dmp

Filesize
608KB

Download
memory/1072-47-0x0000000000F60000-0x0000000002815000-memory.dmp

Filesize
24.7MB

Download
memory/1072-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5748-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5748-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5848-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download