73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12-02-2024 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1464	b2e.exe
2268	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2268	cpuminer-sse2.exe
2268	cpuminer-sse2.exe
2268	cpuminer-sse2.exe
2268	cpuminer-sse2.exe
2268	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1788-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1464	1788	batexe.exe	85
PID 1788 wrote to memory of 1464	1788	batexe.exe	85
PID 1788 wrote to memory of 1464	1788	batexe.exe	85
PID 1464 wrote to memory of 3484	1464	b2e.exe	86
PID 1464 wrote to memory of 3484	1464	b2e.exe	86
PID 1464 wrote to memory of 3484	1464	b2e.exe	86
PID 3484 wrote to memory of 2268	3484	cmd.exe	89
PID 3484 wrote to memory of 2268	3484	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\7129.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7129.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7129.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\753F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7129.tmp\b2e.exe

Filesize
5.3MB

MD5
d6cc34a15065c512dc796617499310a1

SHA1
ce2b06bbd0e709e6a11dd4c3ae19d6b4a3361860

SHA256
2b251e9086a4b50afc42ac9fd35bfc9a79ef7a9c40a28908b74c7885dd849926

SHA512
5b4db2c2f05ef9aac5be407678e0547bfeeae250a40fa49260d208996219c7bae20cdeff6b6f49fdeeda3b68d88171ca71aaf6a0f9705368f9afd05dcf23c82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7129.tmp\b2e.exe

Filesize
3.0MB

MD5
e6b6693470f0472e12780bb732c3b5ec

SHA1
9ee87ceb9e0bcdd2136114b0b809100f26bde92a

SHA256
846de204c72aa7e299a15b28ced2d4709eca9ca7f39b67df48de34c1201545bd

SHA512
25584e69884c283333febcaef7ddb15bce52a7fc088603866f140a35d712bca2a2217f6bcedb66a5319a58469e68d32239ad6f4d430063a43a0440e29c2c111f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7129.tmp\b2e.exe

Filesize
2.6MB

MD5
80039b4df6a7680959ea772f6ed2909e

SHA1
5564061171834317dba2910ed83621b78de17700

SHA256
2d897b1f95c09feacb40e703a3ef2f99339b5654152fda3dd29f8ab895eb9e68

SHA512
a501890f113b45ca254e9ef80ebe9bb13f7cb3b87a927ca48bf5ad3ed49e071f12291e96b3f48e98c103cc0ba02b9c69da613b65f4d14f50a33edc2d08f397d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\753F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
40KB

MD5
cc5d6ffbc47a90868ebb827651e0560b

SHA1
3e389000bbb21000ec1a07a3616ce9c80e69b30e

SHA256
ee9019aa39c49d77427628316a1642a153b7a6d12dc4e817dbabffaaff44d249

SHA512
9d611c6ad26d3463ef21c10143750d85fc77415598c67139d99634b9bc204d58b43e12f606bd73178e3a82203cc9dae068125e932b79997e61db33784c1ff6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
925KB

MD5
0fd6bf7fead10ee49662fb7835b62053

SHA1
0d9f8715f6306521eb9d8fbb032685177de08fec

SHA256
5649048e47c1d21076670052d83bb3c48fa5a4e18b9d7dc35215a6d393adf4a5

SHA512
927d958fac39e7415140106bded7d7f4b84278a2ae4926e320044997a2c2bf005078788f7e072e853106e9c8e13441f6f2eff5495bb3a8d3647d3d5d4309aab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
41KB

MD5
a707a2b062cd4798c71858f54257184e

SHA1
4b8630a2a29b04b243fb8c31b734d2beb357833d

SHA256
c4a426c63439fedc5bb3781c0a826a475906793ed592dfc4316fbd8c7bf791c6

SHA512
83acdab65c3af5ff5066cc5ec4734e9d870a185f230e871d2ac61aef3e2fe558c5fbf210c0f67af951f08bbbf8bcaf68b8099db495e86d765386c2b878f053f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
74KB

MD5
7b732939602ff3cc76cc50f77974ee15

SHA1
bcb4aff2f16a00fe40935ea763dc07951023e18a

SHA256
d88ec1578334daa049d02bce2f71e9672de8e6edac932cbf4587dd74a9f66740

SHA512
d60321dc01a3660932c10e4e1a251ca853554851844a0eb097345cb7b179edf31e04907bbbe22e82632f1238edc8a2ac8fdfd6c86dca50d5abe584558e2d1c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
861KB

MD5
3df60b05fc99b4eb206bc1c2b3eed691

SHA1
1896a58fc13c11e96560758437afdfe6f9262007

SHA256
71a5d79795042457101d1beeb88e34f8c3e7d949d646b374a597e4726479c811

SHA512
f9eaa8e9fa9165fb4e4ef875d542e2cd0ad88af2c8aeac0919b846f2abf2efa01fd8bdbef7cfe03db363da2ca722eed1b31fa8397e2dcd044ce6c134f733ab9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
40KB

MD5
bf7b0e0866f8e97825b182ddb288121b

SHA1
f37a5c23fcaf19d9c8bd0a5bef0729682e9948a9

SHA256
fe18be62e698dc02efab0fed913f76e08bdf0dee23a2cc6b853ec465629f3258

SHA512
b43fd7f94be623cd79ab1f26ac4b04bf4f293d6e1b63442bc2e606e378ecc4b8009275f6ce33d34a77b5a8e04aeb24a77640b263d1f947fb231cb5ed0aa06b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
965KB

MD5
1e0871290b3a7ed064ca67f3aaa54468

SHA1
ea061862dfce7a6c4552a8ab5d5e8820e42f5cc7

SHA256
19d556c06b5181e14bc75ac60d515fecc5b9f45ab78f397e3d10e431a0b8f275

SHA512
a241e1ac527af59cca51936d4ec0b05862dbc4c452762925708b4e12834b0e822114542e7f8c805dbfeb19c005f9650160e57c4bab97b3c8cf45753f381f5c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
21KB

MD5
db0c7adae630e4cd4e34ebf1f73ace71

SHA1
bd5c9486cef188bfa707f0e142322aaf1d16833d

SHA256
999a191ef76f507c90650fe73177028b4bf5b8c7e85dc26ba85a4163c4d74b79

SHA512
1dfd062d504b24d94964e1e92f9f2df9810a99ee72a31d499c3caa69fd5e473a0c8a3c8c478b56e885be2075eddbef9cfc0eb9904ba675f836ba71ed8422112f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
57KB

MD5
4a91d8f522a86a4a67e44a7667410a6f

SHA1
7ecf2598d4da2b1b105991b2f5a49c8e14e648a4

SHA256
4ecdc95a5d1aac157a46642018b8ed1f005ee2ab6e9ab2bf8f38e961dc37ea4c

SHA512
aa5a94d3acb4c310f0b24d132556ff07ec17bc152e4575c7e3e3d89babc9768ac0be323f3ed89c796d145b28f19a7d8d880721077b4e503a2aa3b8990032f9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
28KB

MD5
174ceae43b1c57e70b53140dade36ff3

SHA1
0dfc73183f423823f35ec59a1372cfe0fe11aafe

SHA256
ef06103c90c2aacfa444476070cadb924caebeb1d5c6f448908b584fa01f333f

SHA512
efc76ca416c5fae0d3ce588da133112f237364e4d008d2f0f91c9563ca3c129498731b5181776e5aa0996091cd2c7fe028a909924b1f725bba7ca1bc9c86962c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
108KB

MD5
1410591df4865186715ea8f927c6e90b

SHA1
444fd4f96d09d20994e71010a334af9d9a8f9bb2

SHA256
dd2a2bc35730887bb0a22ddaee3b9e412e946fb920098d481bfffd7878a9d1f1

SHA512
7568c9baf27c34897c9b015c90b3e8c276a5839c76e78e0623b8e6687285310de7b8f914c7bc8380dd4e70a1cf75253535dc635b105f18712552c5fedcc374e9

Download Submit
memory/1464-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1464-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1788-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2268-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2268-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2268-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2268-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2268-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2268-46-0x0000000065110000-0x00000000651A8000-memory.dmp

Filesize
608KB

Download
memory/2268-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2268-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2268-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2268-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2268-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2268-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2268-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2268-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download