73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 08:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3152	b2e.exe
1072	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1072	cpuminer-sse2.exe
1072	cpuminer-sse2.exe
1072	cpuminer-sse2.exe
1072	cpuminer-sse2.exe
1072	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5420-2-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5420 wrote to memory of 3152	5420	batexe.exe	81
PID 5420 wrote to memory of 3152	5420	batexe.exe	81
PID 5420 wrote to memory of 3152	5420	batexe.exe	81
PID 3152 wrote to memory of 5168	3152	b2e.exe	82
PID 3152 wrote to memory of 5168	3152	b2e.exe	82
PID 3152 wrote to memory of 5168	3152	b2e.exe	82
PID 5168 wrote to memory of 1072	5168	cmd.exe	85
PID 5168 wrote to memory of 1072	5168	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5420
- C:\Users\Admin\AppData\Local\Temp\625.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\625.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\625.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\267E.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5168
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\267E.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\625.tmp\b2e.exe

Filesize
962KB

MD5
2146c1cb6b4771f3d2a58f8e6b2670de

SHA1
ddcdc626194262593c7750d3501d4aa2d3465bfc

SHA256
3c13b911455371c300c56dd78c7b61847df2263da57036489d5b34e7cf5adcd9

SHA512
e7483c55489f2a77241a67994a1c07a459e05c5b860e6f5d61aadadfea6a93f9b544ea5939999aa51aae9965e2c5ceabc73b728603bc8156909128841860b50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\625.tmp\b2e.exe

Filesize
1.3MB

MD5
b50f6c3858ae3a77ff2050942f6db7b5

SHA1
2470c083f93ae3c19d50b2a6c076463b1fc75623

SHA256
bc96231e2437f976983185f1bea68bf84a67e42e6cb4c29bcbd4fecf74d972d6

SHA512
a1eb938fdd3b4826df09b0931cec51401a6c803bf5d80b30fc909104c3bb46587bc50cbea6d717d6abf00a7d9c96eca3a4c2759247aded5baeeca42ae7ec55ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\625.tmp\b2e.exe

Filesize
1.2MB

MD5
193cb646975aa22945645e989832ace0

SHA1
48b38bb0153e94646e09dc1c8c7fd7827f7c6579

SHA256
85e32259d00d9acfad5d532f58ccdbaeaa4549f8c6a13ad59629897ffdc0a726

SHA512
59b000a311d4b7f72d36edaf2670081bc67d0ebe67bdbedecccc6183e71d665d2a5a1a808bac239b0b043023c083d4a878970828885727cf096267a932c8c9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
857KB

MD5
5104ca4cabd19dc52d7ed8c375dd5c1a

SHA1
e2583a36c0f1b560456c0891ea1914dd76427ba3

SHA256
f363813b65e005fd7b7e04b074fb9630345085d08f3d1ada01b0e36c3092080b

SHA512
c01e39f07ac99491357f80c614640b65abe8343b4b40d41fb8a0305c10599cf5f2bfa081aacaad01cedfa4b4c8f51e9492750589e1539dc9bfd965de321e25c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1016KB

MD5
dd1569f3d82ba68e5274ed06ab93f5a2

SHA1
bad08d7255d022924776374e87b36c44c220bd65

SHA256
0f95093b7da97186a2bbdc0ed060bf653873f7d50c84a1bf3db60c47bcf74063

SHA512
bbaf35fd4693d1d96af9c9d47396622aae579b27148eaf1934bc53840f131be77ed5e7353c5df8df34be524f685cfb75901f8a029ce863a02c8ddf257e545e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
784KB

MD5
ea7b2e9d57f3885510b42cf6187e6f3a

SHA1
1707a4803e110c5b3e0a1d3c30c71734794b63b1

SHA256
6da02f32f4b9e4588789162e954698a26a487f52a7b39320ef0e232fcbed4e8b

SHA512
8d7182198c280102d0e8112bf4e53e025228d493e66f061a77561ed605ccde1e868f97ddfb16342765884e54b4c1f0ce475ab30b1d539e2d3d5d88755af0bf99

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
654KB

MD5
6baf23417cfed74a0c54caef4a45fb46

SHA1
6d3b1b6d450f73d3feaa5d0b0eec25bf9c17bc59

SHA256
34e8d3f549bab29f6d4255e54c4583da1dfac77840ef074e48f47b4204b0f5c8

SHA512
4c46c6dbc61d0e55c29ae9ecfdeaa73aaf0fd4ce3ca84d3d2d56436a831bda07679fb0c948413e2801ee762d264cf49765b31513b316402853b617d32560e0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
865KB

MD5
beea131e7dfae8b54e4611ba10d8983b

SHA1
857f9b68bb447ba3a110e489b1241b878ec0b6bc

SHA256
8808b1dfab965e8a57d645f21d5079df5daa766f19338cb9a3714a397bebaae9

SHA512
c7248e51cb14aecc05bdc56c3d476ca11400a8f7525186042238564549b086052fa7038fe3fdb83bd1d8a7e4cee45b0170a3d854f696409a69c6019304cdddcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
698KB

MD5
0cc371de2202c34bb1d530a5bfe23fa7

SHA1
e29745a06d539a1e71e72e1d45ff6160032ad453

SHA256
e8013bf7970695035e8ca408c36fd392abbd476688ff0fdc4b2acd86badbb47b

SHA512
562845a4001204dd266891d67224d9a3f52e59e0b67aa1151f80d9f18eb7f6e8c014b047096ed6b9dc0127bfe905cf20c959c3587b2fac1870a4446ed1ecd4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
624KB

MD5
8399d2054edea386cf17e7859a405774

SHA1
75d5f3ede9be5979889a5a4b828cdfbba708cd0c

SHA256
a59afa7590cfb76bfd5e22337899f9ed0a714e2be0a4b923b9fbb41fc8512219

SHA512
ce72abf8828a2241209e98ca5d9f0ce0be8d7c394e3ba6f6d3e4ed02d56eecd06706f9cc7c202dc9b875984133e07ada2795784c3bda9d2d4ddbcedf802241e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
738KB

MD5
29d174e5306845b7a04ef26cf8322235

SHA1
12e584c1ca70d9a783ca0e1e7ce46a83dedc77be

SHA256
b0c11523f729a3d1a69a8ec2da31633d985ffd293867134e8c07e38a53ccbd65

SHA512
c44434db21d6dbb7e6591c82ddaf49ca9c39b781747a47f321613e66a80881e9888a51dc2d25157e6df9a06fef7803f00d9134df57268250ab289a976f86fd63

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
294KB

MD5
e70bf5bb097b8b98bea00dd620a47da2

SHA1
50809c80058c04fedf78c4269a238c82f71c16b8

SHA256
3040e0b76b9a2d7d6804a8e1c471ffb2933eebb13ffb31a46019b9022fa861bd

SHA512
8d9fee8d819b15a9ec26eab6a539669080e4df53394f34176daeed8d7e533560a1351ecac6e147604678d3c13e6145447fa05eaa7bbf985c8ab72eab645fecbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
484KB

MD5
4d3d293d0e1f92b5d2a6487c4c07afba

SHA1
6008ba020e6e380ca3cc5e724ab20b422d3129a4

SHA256
73b145a4fc8a9e4edfbff73ca6f92f33096caa83a4622ba0270eea6710a9f14c

SHA512
8f736afa50c7d06b2cff6d17269e338a86f21fe4a6abf4e642a521b6c233cb77284fa1661e5e2c0b1f8a1e154fd4cc68d1ec9c9338efcb299d130f7add7164de

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
578KB

MD5
64629deb9fc39e85762bb293ea82b7dd

SHA1
a9d98efff69c3c14e5c7b27d847697a24663593e

SHA256
2ef5307c0e5c0b2287afb4ec310027e787f1e7a123fa24d28d79a4989e1d983f

SHA512
9007534b0774423543d0ccf5b083cbe7efd8db942ab82ec33641ad7ac302a895f4c4226d54a81dbd3affb398cc29714053fe91e88efbd7daefb3919451b7a6d1

Download Submit
memory/1072-75-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-60-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-44-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1072-46-0x00000000635D0000-0x0000000063668000-memory.dmp

Filesize
608KB

Download
memory/1072-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1072-48-0x0000000001110000-0x00000000029C5000-memory.dmp

Filesize
24.7MB

Download
memory/1072-49-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-105-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-100-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-70-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-95-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-80-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-85-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1072-90-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3152-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3152-54-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5420-2-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download