73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
299s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
11/02/2024, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1312	b2e.exe
2524	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2524	cpuminer-sse2.exe
2524	cpuminer-sse2.exe
2524	cpuminer-sse2.exe
2524	cpuminer-sse2.exe
2524	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5596-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5596 wrote to memory of 1312	5596	batexe.exe	81
PID 5596 wrote to memory of 1312	5596	batexe.exe	81
PID 5596 wrote to memory of 1312	5596	batexe.exe	81
PID 1312 wrote to memory of 5168	1312	b2e.exe	82
PID 1312 wrote to memory of 5168	1312	b2e.exe	82
PID 1312 wrote to memory of 5168	1312	b2e.exe	82
PID 5168 wrote to memory of 2524	5168	cmd.exe	85
PID 5168 wrote to memory of 2524	5168	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5596
- C:\Users\Admin\AppData\Local\Temp\F666.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\F666.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\F666.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1C0.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5168
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1C0.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F666.tmp\b2e.exe

Filesize
4.6MB

MD5
dab67399a2e30b9d32fb142f059357a5

SHA1
32d311ab5deea6cbd3f8b38d2a0785946cc93811

SHA256
d0fd5d22ee66b9ad1dcf637e0d2271b446fd659aadf095bde6848376fad4fdce

SHA512
c01326cd0b09176496551f9caad916b614fae973dd194c024098229feadbaf33ae29afa4407477f55f04156b666f04cba45365f90263edcde75bae4c1b01fabf

Download Submit
C:\Users\Admin\AppData\Local\Temp\F666.tmp\b2e.exe

Filesize
1.7MB

MD5
b00bf6a30bafe76c72a251122130b23e

SHA1
08a51cfee409c9e6c0f4e66060d6dc2ef60c8d1e

SHA256
bf6efd0510848b86e49731ed5addc88af7f11d026f865b549a19048eac8195c4

SHA512
631bcb48809fe35701f85bffca7b3c6d7c847c4c10cfea6f8367ae7c1370c2538b12e88e64c77d35145165e3050c0d1d37a83322a7493a9e250e85dfd5357106

Download Submit
C:\Users\Admin\AppData\Local\Temp\F666.tmp\b2e.exe

Filesize
1.6MB

MD5
7982f2d37e73a8c210637297c840110a

SHA1
b2b05b9afd7f4cc41efcc8958ab849663ab3cfbf

SHA256
3ff25218e2b318b16b3d2e4d80d7b33ceb97cc8309ee0a347fce21fcaa9ead0e

SHA512
75fac772b7adab24e2a1a556f0830da4c187798d3d3afa5e2d9446cdba6e3e6322d14be316c33b9f4336f07dcd879b12d3689e359db3e18d79106904758a34df

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
392KB

MD5
1ba6835dc34d89e88c93ffcf7cc7cb9c

SHA1
904d278cd69ef15c6459947c5714b03bdb4a8c22

SHA256
e15c77985743afe9208533db810ac57506a15d562dc8b9d69da6119be8921270

SHA512
07e94c3dfe3316167dd66e825896f07fdbe9d7d02186ca2f6356728bc8ba7d269e4a3376a927960907333633db42af49d6efdf309e4f3e9813ad7e55b9c09962

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
442KB

MD5
a0f7f4ca8e2996e9d6d862532abd1033

SHA1
306a7d42db3456985648f3d916efadf7ff50e3ad

SHA256
de640c98270215b62eadeb1e3ca3bd01b9efa981472f85c4bd1e3e89c33a0c1c

SHA512
894efdcaf2003d1e4f3e25353cf3cf2a3010f91234478519b9b02dcc62050ef592d7c66f5c74740cb7f0c64c94f2cea92f9b261be67a17d91d5f45e737aab339

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
560KB

MD5
33ad817b726d11cd16193d5d2668baef

SHA1
36b9758f383036d6858318cc056abf7cb50c5326

SHA256
971fcd66d639a4c6862560bd4b6cd63af30e40d0c3186f0f5da64db5b6ba4835

SHA512
b5bc845b39209feee9a3890a1877526636184cff008dcccdeff805e1b0151c42b13a17836ecaa459f848d4e0f295f9a760d77e5488b68186aa86e16f494aa753

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
398KB

MD5
8904d0023f94a0680d28435e53fd34ec

SHA1
8f13eb53372ad79d835071bf86e28fc0428c8c0a

SHA256
9398fe5b3d57cf644a7b83e98a67f5b4fd06645cf01f50400ba71c0e3d009b68

SHA512
7abcd8f3715591757f30dd6e1b11d2630123e0ba3f6e118a25b5a98729a09db9539059f76374a7e63326467bbfded2c1551aba71c8663953b68ffe6da621a540

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
220KB

MD5
f97a04081aa7ee2e4094953c80382d02

SHA1
37531d90a225ac776f6e23c4ab6c36a1670c1d9c

SHA256
916b3c2969c8ba31660c89c6669a98cdcd3a570207020676844e39feb9434a37

SHA512
1bcde11bbb0e778cbff5d33f6707add63cd59a8f915450b8f6637faa25a7b8a119a56dfdb0c7facc83f4aad24022acb7d536e1f7c27e2e84b9c44160bccdffe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
270KB

MD5
964518560a605e719a5421c1564eaee5

SHA1
2b87c37f2365c3eb2cf7f1455b8ab3bc2706ef21

SHA256
99d94d0924ae8785c638e5fa6bbade8678751559e2f6aa733b4d47f4d1157469

SHA512
79d393aa0e1b4a3e67504049b3fa7bb1b60a009e47972911433fa9bcf58033e389503e6d6b76cf29b676ec200aa27222a6ae56d098e53eb1dacb042284075519

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
398KB

MD5
a9e6fde8be74288abe13562cf26082d8

SHA1
4f4f52b441acebe0d7d3d597637152fda2f1aa1d

SHA256
eb4379627517c4e1d48e0b21e834bb4cdd6d6b3c760744d0f1f5cc8edc77eff8

SHA512
edfae046258f584c4a22ae00e02266c060010c2b2e15c04b994755976fc1b1c49c5caaba2445bba45948cf81ccabb9b81ab5a417abd866d50453a538b2bf3dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
241KB

MD5
eae6827c1c521119b03ebde6c3ad25db

SHA1
9e1157209d0654f87784fc02fd10e75928328101

SHA256
c5798d1a2a2146d54bab70c4ac456bbf65cec6a21191c68e052dbdacc542d68d

SHA512
293834160ace424ca18dd68bc139cea5c849e5d361799a344d4416623093562f017da292f7df8cbea73aed32cfcea76b6edb1348339af813aea4803b07b6ed3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
141KB

MD5
57a55bec49e03b9d3f168b922f636582

SHA1
740f98516d843e347019128f8a1bf82d1b82fa12

SHA256
6bb8c450bfa48c51d85f096f985e9ef2e29496d6f59a645375e8a77d2e11c7c2

SHA512
26ff88de9467cf8818df3ba9b7c75405a875737dfb283b7b7805dd894876934766b9acfb721c4a222f3227bd4cd42d6cb5fd74eafbf2a47944a62b5f98a58551

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
372KB

MD5
940287f0104922f937a862f827e8e0ec

SHA1
4dea78437ce958474b881942dd2912a8f0e41291

SHA256
058d574b57c9245a1d81b31b535b7df5ecb0f81e97e02ad9d1a70e184de90965

SHA512
33fe10c58a25550e4dc9d3b0824743b8d01902608969c08dbaf50c909b273ef339ac933016fdf8ac46c088f55e1db75ab6174ba1dc0b736369f29f45fcf6e763

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
327KB

MD5
3fed48bba0c8af9245f6938b320e8ee3

SHA1
a5d063598232ec363b0b3a23d135d6cef4f3442c

SHA256
04179ede1888a701e743437459d6949fedacd5db33c5462a8c646222fe34d1a7

SHA512
232a6601a9b34f60b0a11e7305150f6e4c4e41c85722b4ff229898d5c52c3cda25f33a8eefa5129ef91b4e8fe71fcdb2d38a487e5d34a85a34351c2603b27f1b

Download Submit
memory/1312-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1312-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2524-45-0x00000000635D0000-0x0000000063668000-memory.dmp

Filesize
608KB

Download
memory/2524-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2524-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2524-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2524-47-0x0000000000F30000-0x00000000027E5000-memory.dmp

Filesize
24.7MB

Download
memory/2524-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2524-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2524-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2524-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2524-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2524-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2524-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2524-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2524-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2524-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2524-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5596-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download