73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
11/02/2024, 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2328	b2e.exe
2228	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2228	cpuminer-sse2.exe
2228	cpuminer-sse2.exe
2228	cpuminer-sse2.exe
2228	cpuminer-sse2.exe
2228	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1480-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 2328	1480	batexe.exe	85
PID 1480 wrote to memory of 2328	1480	batexe.exe	85
PID 1480 wrote to memory of 2328	1480	batexe.exe	85
PID 2328 wrote to memory of 4088	2328	b2e.exe	86
PID 2328 wrote to memory of 4088	2328	b2e.exe	86
PID 2328 wrote to memory of 4088	2328	b2e.exe	86
PID 4088 wrote to memory of 2228	4088	cmd.exe	89
PID 4088 wrote to memory of 2228	4088	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\3302.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\3302.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\3302.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3B3F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3302.tmp\b2e.exe

Filesize
232KB

MD5
d6026b8f66753c50d520a45ef4d9bf90

SHA1
dcf5b6b5a096fff1703716dccd6aa43ac7288b75

SHA256
610bdb1a98e92e84c6fb8ab156045c8baefdf2c73df948433bf6027f59e3a145

SHA512
1304542568cf872409ed2591666350f5132765b607360b180b56a23797f303201c2f18f41bad99fcc4edd37b3bf988572612c855fd6514861891525c04be1c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\3302.tmp\b2e.exe

Filesize
1.1MB

MD5
a25b5ce40797f8983dd440580ed62612

SHA1
44f4847541fea6ce452c6d953c0be09c8e21475d

SHA256
05c6a130a2d2bfd64aae28a97035b25c0447dfd8335c877235eafe363161ce5b

SHA512
e220494dc356015266acd1b2b6f70a6b74237a949c6415e1600818783d710371d1a8b9095a9d0e09e22abfe083d91d84e4092f808ba1c61d9d4ea6b4f5616bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\3302.tmp\b2e.exe

Filesize
984KB

MD5
5d70d121b8bd40939a4a0b6c329c1124

SHA1
11499dadf29826c2cbedf9329163f3645bf9f801

SHA256
5c52bdd066a6da25db23030fb734c9831c95f123cc952dcbfbc1be7c058cc4fe

SHA512
fcdb630cb5d2a74bb4007f0fe22cd066773b86d8c090a66333bd436ea934bd0d042851f85ccf17b7cabdce96aa136d073b9487d7d608c26a2e4563f47b5a146c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B3F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
27KB

MD5
7d1877cca27128f735f3c667087f1a9f

SHA1
4e216225dec120873d018e7404270569ab5533b8

SHA256
efe1554fac66020eeb7ea1de864368428091a3a6411ea04f1db1f64262772081

SHA512
2c1a59ced5cf1b21494b49aaa8edd224248df7609ed3b92c6ee278efc52cdc6cd5a55be3323586bd3f48319149e7a4dc2be0a6806b43c6f33987e1836beaf90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
566KB

MD5
120e8183cf5f5460be866ffd0ee0f8cc

SHA1
9fc00d242c752f01ebf120bb6b198dcbd9c94f0a

SHA256
dd2ac16c7619d47fb6803981120064d21875a9e8b6cd410d29256152e9b59b4e

SHA512
0cca2423931ea748e91fc1dbb56a287ded9c5aa276223c68132864608c2b6bd3c8e114179e0f97b9e8b36b76a4efb48824528efcf3a60a164ab5fe97343066bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
695KB

MD5
090b6bb380a826a6034612e2ed848809

SHA1
cf8923b3cb8c73d020f8fc18dae118cb5e415667

SHA256
1135266d15ba5c0de602ddfd3002a0ff7012613f9c1c7a733db709b312acf69a

SHA512
f35a87b4c940a7aee71f42a6286c5e9c2ef5401ae58fcecc743dff115546e1acd6525334a7ffd06d50a88b707f76a1f57adece88093e05f9d072a88515e3c374

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
793KB

MD5
58efda7cce223f1de78b37908366ca50

SHA1
672c329b22e69178543b47cdcb516d0f2c954901

SHA256
d39d0859fa477fd789aa4151af70761a7537eb5bdd3dd20c5c29d97173cb2eed

SHA512
2976545d22f83deb46ba4fad3b193958265b9f5adf57002826adcfee2017c1ab4ecbb3d076458ab545cc9e55846bee11ddcc99f075aebbc2ddc232bfeefd0a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
623KB

MD5
9cad286c29bf99deb295f0c1f9869f25

SHA1
72b49924d769d8c74e9e8f445264a460253fefda

SHA256
e212119cf8980e6c5f9be9f9a288447e584c944a75e1d5fd19d52fbbb1de76c8

SHA512
c777886fb75089980d07e922d5bc68cd26a8d1d8a78c0b12a0d4085df482da28da0c74ab9f2f5adcaf661fc82a06849e142629265a3f2797f58edca1f45029b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
193KB

MD5
953cd6e458eafce4d22a9a5bfbeb8682

SHA1
70e7827a2eceedc5834edda3976e03f4e57209d7

SHA256
cfe200254ebf4a37accb553c546bb8007bcc8fd3b53ee96efd8e87c9b1a47f2a

SHA512
aa1eed390ad0744a70c1a12be25d8ae5311104b96ebd9b73b1ba56105e3cb3bf839cb54e01347d4f9ee352f0f13b882584d4cf95c92f2944830928bc93b7fcd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
521KB

MD5
79b16d1252acb1eb84bac1ad9d9416d5

SHA1
db7c8d49039d5244243b1f8eaa13905d6fa9bc3f

SHA256
ab00aa8069f5e78d2271c4cdf08a7481e6baa88f3ca6d31bb59ee172da423cad

SHA512
a98f2228773f2a4b3df1b9672e563bd043b33d6c4e27fc0aaa5c5ea03bd917fe4777107740b7c40bf0a3ae49073bfc6cf0349b4a37ec49cea889c87071c71a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
704KB

MD5
3f9acecb345b2e86cdb4b5f2bf84c07a

SHA1
b80abf460de1239a823da5cbc0e003130a41af60

SHA256
78e38220d5739cefd23e9771aae21cf6864df5eca851dcb87768cc2569bc5fe5

SHA512
8009bf3476d97a1140a1a9175342f9a512eb416dde9716a3f1acc24b96fac8339f659ee4f0e1929b44261e0e8c44a72cc2266d80f2c0a41afd4e1da7e9c4a55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
378KB

MD5
9475f99e6d4b605d1a52b9d74aba5fbd

SHA1
de0c711334fc364bad9232298f35a8730ab049e4

SHA256
f3d06bb558ed2e2f441db2f0b343d67d71bd0e4398897379cb350faa0c06ce5f

SHA512
9c737801435c7a7e21966733fa546cf53cd291012d32f866c8b8d27dc3bbde6855340079f392ddc923c47eb5409f95ea5a15a80e6f6e4d738443d5a11e51dbaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
560KB

MD5
817c02838b97e7a4d823e0f3d11df1c9

SHA1
c1d9e97da0013fa5c3cc14f5dd591341cfee4c88

SHA256
6f1feaa3d8cbdec628e56c78f95de1afee31b745f6c345ae33ae5396f5fb2d46

SHA512
45eb9554dceb1cb3458db6a29ec3084263bd36e79db374b8e23c967dbb9b0748df72f841a9ab1992d8cf4ff2b5d49e84ab2b1a93f7d59b8304d6c3105c7f43cf

Download Submit
memory/1480-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2228-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2228-45-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/2228-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2228-47-0x00000000010A0000-0x0000000002955000-memory.dmp

Filesize
24.7MB

Download
memory/2228-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2328-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download