73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
11/02/2024, 18:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4048	b2e.exe
3164	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3164	cpuminer-sse2.exe
3164	cpuminer-sse2.exe
3164	cpuminer-sse2.exe
3164	cpuminer-sse2.exe
3164	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4416-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 4048	4416	batexe.exe	84
PID 4416 wrote to memory of 4048	4416	batexe.exe	84
PID 4416 wrote to memory of 4048	4416	batexe.exe	84
PID 4048 wrote to memory of 5424	4048	b2e.exe	85
PID 4048 wrote to memory of 5424	4048	b2e.exe	85
PID 4048 wrote to memory of 5424	4048	b2e.exe	85
PID 5424 wrote to memory of 3164	5424	cmd.exe	88
PID 5424 wrote to memory of 3164	5424	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Users\Admin\AppData\Local\Temp\5A55.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5A55.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5A55.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5CF5.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5424
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5A55.tmp\b2e.exe

Filesize
2.7MB

MD5
ed4870f267375651824fa78f591bd9ed

SHA1
e8fa8ff3053cf43f6ea86122b7dea7438c814955

SHA256
9a237fffa4392d99abdafdd411842fd0a763460d47e28ebe74a4edb0deac9fc7

SHA512
72ad654a1fe3119af1c201294352d557344c58fa3be6a00d954f425b56db5f6ee218c029b13ceb1739920bf95dad692a2201bcbc88e89f2bfb2ba0486a1e055e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A55.tmp\b2e.exe

Filesize
804KB

MD5
39e110ef93af845c7443fb70fdadc4a0

SHA1
ee08834102c3362906b6bc0288eb7f0d408ce9f2

SHA256
9d9529a8bdda4b875f34b388b5f20fd3c68f256f05afd6690f71ed98b5f87111

SHA512
86298ede14059b2a4f6e74d029bde08731ee32966db82e282ca7485b78638007e3c48ff18a5f74ef2b5d566881d1373849ecb293d0d5e886cf203ce5d4253ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A55.tmp\b2e.exe

Filesize
1012KB

MD5
0024066a06806e4afdddc1fb75e04d39

SHA1
93168a7357b33c00ff536e8b7eb9c6cf8bc2c02a

SHA256
541ae13c00baa277d8450c6a2c29bd172de05f955718cb18d28091dc506ab69d

SHA512
9a6c977460912388887c1d1b7418a89eae6fd108bcbd117df76cf938c96d6d790ee9efdc175582cd7b141039166e85b0967032a6a0899107f93f8285b80e126d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CF5.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
123KB

MD5
6ebf827973de429365448df8981d3138

SHA1
bac323aedfa10e37fecd1ed9084661d89ec4ab32

SHA256
2e5cd424216ef1560938ff522d317154ca24a611edf167b1dec4a9b87af61365

SHA512
f1446d5e23213c8ca45aca90a9834c94e20827e0ef8c466696c5bc586fb563bb0ce791b9961d2d4d9d2467fad8520d956ac310608cd6d328afced9da0512fe97

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
64KB

MD5
7ea975134fd0911cc747c59d35deaeb4

SHA1
3d507bc1878922bd096e2edbd3c6e596bc197f08

SHA256
27c63ab32d803d7442802d097d723434ef2b144c9deffda8679ab9b29c6c97e5

SHA512
e7cbcf4c69de25d9f92588ed2f80acaa2931ea911f7753364356da4f6a036b2647961adc3cc79d10723cd6b37ea7c0c6a007099169602d822dba6099c25e67f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
72KB

MD5
9b73f055be902e4d084d5beddc330fc7

SHA1
26d27753028636ce9e5e4ca5c3884228c46a1800

SHA256
30a4c6ff7488a565490d26c2139f529d7a55febc3ff2371a1e3e2e317f13d476

SHA512
5f4dadae7110a5a40ba33e8485018341b043a5fb32e394b1b04b45b413722425c7c514fed0e6a147cfaad4ee00debc4ebaf40999e6068cbdc55e0b6b5d10f76c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
101KB

MD5
867ec755229d6bc3bba54fae7cc9dc7a

SHA1
feccfb91194a1347fb2c041f2eeb42d5cd20195e

SHA256
70cd02cc6beee6e2e9eb6e1719ececa37131c46bcc52d746f34f145752f39c7a

SHA512
43b46fe48ab361b3a31b5088512ed9e37c3c963eef76b248588438a3f6efdc73e6ba38e5f4193b922d6e03ccfee26a5ab0565dad450ae4576fa2c7796cf33f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
86KB

MD5
ba82cbad9cf73556784ed100a31a660f

SHA1
324e6209e7cdc617a4b7947d52beb64b3dede882

SHA256
f78c6fe1bf49d8839d56e4343faae14a5c95228b7248841f8983c450d0b3a91b

SHA512
436baf93f5e4f8c15f9e19fe3f82d5bd8f6bc6b01752d358cc11c2eccc9af1490718ed8d7690268a43ab58ce793db8502cc16ef5422cc39003f798aa488da325

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
79KB

MD5
ff73249fffb7614323c811121c576507

SHA1
5f45662db44844ae299719887ce092f26257ab57

SHA256
2f8118a0c89a825e06d71c0d4e7582c9ad0bb8d5a099bb7a2f84d55229f1dab6

SHA512
770263b3f1a5edd863e76d6135a40b1a8b293656a9580acbb136ccb9c4b0ddedf0323f4087fde1fcf831bdcdb5fe863de2385f7898b08ca976d39944caaf6178

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
69KB

MD5
0a705c1acea6dd009b8d156f3d34b614

SHA1
8f6a16c2352e34d1c1af2d3a0a72e719cfd57e23

SHA256
7c31e96810f848c18d0ed5881521b080d4e3488ef3ef64f7ad19d0d8bca15e6d

SHA512
62fc45460e9911f3e677e4de18bb6b3023198a204a0645bf0b6573bf24afb9af8faa368f2b326891261a37968cdd20f0737ffeaf99dd628786815970fda525df

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
114KB

MD5
d7f589d2989ab64df8a8a5ed1ccc6375

SHA1
b58a53e951a083cf73b07e390afbc23146aad2ba

SHA256
fd31f00ee55e96d15a1814ec0b6fa87e5554999102bb295bdc91b93cdd55463c

SHA512
504d20171c324bc87bc07505787cd54f5effc310e3968802465de69118e6b26148fd2344b20e9ae6cd6f5fcde9c3e1b1d8a71b7c0569b665bb4a81d749da7d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
129KB

MD5
76cf426d038144ae4fb8349aea99dddd

SHA1
4ec28c10a8249af7b7c33b94355c088121726da5

SHA256
3a2cbe7f46f3ff70e8646fa87e2dde01a76b8fec478db75cc97e647afda61fe1

SHA512
6285fa0450ce4a087d1348c5fbb9faab0790204447cd321e4a21eb59d59834526c3c75d7fa83f7ba43b1b87c1f6d22ac83e6fd24041f96bc6e53412b5abb063c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
76KB

MD5
63a4071d78a21d97e6458f50d8549f7e

SHA1
5151d7d99625b7af11eff4da02e31ed6ea8bbae8

SHA256
d309d62e7c9028dade3e04dd2f975cb1176a3614c356382011c1f2485c0af185

SHA512
80a912664722086da2c72d792eddda815393cb4ac8465ae07c6202fe05425e4f150cee732307a95016c1472a2ce45bcb4f1ab42e0b542d2c772580a64678c3f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
158KB

MD5
3c043185265e0e335fdfd9e460096596

SHA1
29a78ffe750225c5743b11aedb316d8e3ae3e3fd

SHA256
3ec008897c50ac4989e6c1e4295bca22898cd7b592963eeec6033adecd3a4704

SHA512
268efddbcf45d15dc284f20fcc0f5cd003652d2eaa93bdf80e59b19c9489eb85c0d7f03f804863d8c757654ceeef0b95cdc331cdf5034c7313c515762935131c

Download Submit
memory/3164-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3164-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3164-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3164-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3164-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3164-46-0x0000000064990000-0x0000000064A28000-memory.dmp

Filesize
608KB

Download
memory/3164-47-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/3164-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3164-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3164-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3164-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3164-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3164-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3164-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3164-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3164-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4048-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4048-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4416-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download