73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
12-02-2024 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
212	b2e.exe
2492	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2492	cpuminer-sse2.exe
2492	cpuminer-sse2.exe
2492	cpuminer-sse2.exe
2492	cpuminer-sse2.exe
2492	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1288-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 212	1288	batexe.exe	83
PID 1288 wrote to memory of 212	1288	batexe.exe	83
PID 1288 wrote to memory of 212	1288	batexe.exe	83
PID 212 wrote to memory of 1064	212	b2e.exe	85
PID 212 wrote to memory of 1064	212	b2e.exe	85
PID 212 wrote to memory of 1064	212	b2e.exe	85
PID 1064 wrote to memory of 2492	1064	cmd.exe	87
PID 1064 wrote to memory of 2492	1064	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Local\Temp\6DAE.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6DAE.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6DAE.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7119.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6DAE.tmp\b2e.exe

Filesize
4.1MB

MD5
2324c2fa2fae7802602bf6d5588f02d0

SHA1
2277ccb16327532adf5c24805d1ce6a41c2beaf7

SHA256
72fd16ceb99f266d611074438d02e5bd7a791fd6233bcba12a9820abacf14b2f

SHA512
dbdd8deb6e3e084770471606b9f1c84aa34ab556f3aa707f7c917a411f957432d0f8e1f060bd9fc7e1420bd3557d20720d2bf7d22fce948d696151b55158d0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DAE.tmp\b2e.exe

Filesize
1.8MB

MD5
7cf2871560e3527d4c7b4a9f36f86e95

SHA1
40723999e79192055686f16d5133c65fd5b3dce5

SHA256
edc69f7b77b7d5927e8cb72dbdcb6cbd9a9db3c5cf09bf3f2f6d2e3b7b8a7612

SHA512
89031dd02a11eb7bf66c8c749387ff4545fbd535556eb46ee5609a300d679cd25ea7fad09d6456b2d06d9f32e9045fa42ccaee20b3e4066c67f4bac443dc31bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DAE.tmp\b2e.exe

Filesize
2.2MB

MD5
a1779b9504ebb6b09fae7b11db2142ce

SHA1
e346be58864a8e1222f3edea10874c04d1598bd1

SHA256
cc5c84587ec65c6d67ed9e858c4c037730af545c808c12dc35ddd52be4764de9

SHA512
2182d3db053f8c7d35ffa669d5f2a3ff046809b5809bb60199545f26440dc332925f9b293206ceca8db4130c704e01472b9320d7a5e796216ad80b9eb4312da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7119.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
65KB

MD5
6db72999a484f1c2b14feccf2ce80057

SHA1
605518133702f4df19e48e804811f50d8e65894e

SHA256
0506789218f7716fe27c15cbb94ce31e10543b2913c27d21ab9d64ee18ddb5d6

SHA512
491e89be300c3350cda12c23aa95c373df6e074b30b654046161393894407dd6284ae9d3a236fdee317a4638ceb8f28a450b0eee333991315283e4a5d847a72c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
155KB

MD5
f121a2dcfbd90a139db7196313c4c74d

SHA1
6ae99c7209435b8015e8515e633fcf6f740bc97c

SHA256
02c0ff910f0c5d6510c27d27814f0e50c85a2e6d58ae142c5cc9ed1c4c244877

SHA512
47e8e9a205e92a1407911d7101b1fe74951ac55567eaac8a68913287f3dbb94185926949eed82a039d239c74083112eb3ce28cee68408c149e30524d261520c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
157KB

MD5
1d83ac2af3bf7a74deca5357a2efc17f

SHA1
7bf4c9868059ed72f3523f1df0c5e2c3ed044f92

SHA256
b4519d4d2cdf4223fab42dba1e458ad2af02d8d2995c1910d700912f2cdec29c

SHA512
6e235a045f816c700fb4a6a4dd71e524891cdcc011940a1f2338015cb08fb8676fc54edc9b19e534b4c19a0f9061c3b1f513e69e26a57e372e689d9250fb5112

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
349KB

MD5
e3a4ad84cb745604cc41f82ad21286f4

SHA1
5f89f43457975a70c059a013326702b7e0c06b50

SHA256
f6309d3daa205de90822c27b859d9740cd4c43b4ca984dc6d01598e32de77fd1

SHA512
a9dd644cafef6d5df04fddd28625c255d2778dd321d15ad054d57b3513c03a787efa8c2b3bcdb3f797b0b8c3b217416797f1af9ae05aac9bd3330a8020d6da5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
106KB

MD5
dc6fa9c3a8a5b24c95d0fc6ad4fa2995

SHA1
85500cee8a573f0c3ee3c171dce92ad9a3fa2dcf

SHA256
a700fc29ee1bbcef534d67d9d2866c1da12c1a276e2fc0987ccb28b11c5b6894

SHA512
b0ad5ca5a6fba6cddefd0dc19b9fb8aa82e30e93c10e555aa7de0a633dff6c84a300d30b98a1405a4a583d4f8768f53db21a3c4d3b85719e8ab96fb1d2b6f186

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
211KB

MD5
c2c38e5be7b3223a017772230e7a1b03

SHA1
d10034eb4b5db92a5814515ef835410a4e2fd7de

SHA256
1f5045818bbe065a327ecef47a39a4b57bfbe83165ee6258e67514d440e3215a

SHA512
dcfe88f687251dbad0c56f1edcd529d434beed99a2034018c7fc848abeb53dc1141e793eafc8b2d927f9152abeba7d53d5886d62d1f7260219258945eaa9bcdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
102KB

MD5
2dbc1c502bb3460464c91d15d0250b40

SHA1
8c91392f1e78bd3f572079781cae1ffc14c7121f

SHA256
52d6ab8bccda3eabf5a969b0a18463787119973802d4ff3301291e70a868951f

SHA512
01620348236514d84a472fefc462e4b509fd92710506b57fa03867a34acb04c5fe8e25fa5023033e43811869f816e1c03bbb537eb8768330ec288d79de29b3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
57KB

MD5
4a91d8f522a86a4a67e44a7667410a6f

SHA1
7ecf2598d4da2b1b105991b2f5a49c8e14e648a4

SHA256
4ecdc95a5d1aac157a46642018b8ed1f005ee2ab6e9ab2bf8f38e961dc37ea4c

SHA512
aa5a94d3acb4c310f0b24d132556ff07ec17bc152e4575c7e3e3d89babc9768ac0be323f3ed89c796d145b28f19a7d8d880721077b4e503a2aa3b8990032f9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
282KB

MD5
09d994a37e82f2cc3b81794821bdad79

SHA1
abf0cdc12f4d958033e4846ba717a8c24ea6cd2a

SHA256
77eee3a458569399eae94aa70db3743c0fdbf1ef50cc932a4a146d4b5174b2c2

SHA512
14e8b81136e7e6c222c5188d021d3df4c670bb2dfd2f7ea84751b3882a8e0835a0b37af84f219be7426c0346e2c3944d8ccf55522716ab74783be944c1f87b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
57KB

MD5
07b59122b40ce7a866b54f68cf5b7ceb

SHA1
f95371c9234b6145bbc6ef086213c86dade22921

SHA256
c97fcebe672fa8f7703e7b627d248b9b87a51d8ffeb6ac1dab72cec31106ca7d

SHA512
9796f33345c001a51b49fce5319c0a0bfb144b37f26ba7d9c1e26a619c9e151667e2d67171be1afcdaf56b05d537a4999315d523fc98739c7f4766fb90acb0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
289KB

MD5
e113d10640285e5e5c11dafe535506dc

SHA1
4e043ea9fa8713fa2b9245fbd5e1020c3cfb0bba

SHA256
d3faa4ed0d2aed3cc54e7e82113c30fe817292822c895b681ac70ae360ff5d98

SHA512
56a5e559a6451810cbd56ec654419b8a16cdb15a9358f4f82a4ee78f680d494525fce06046851f3650e60792044a1199a513becf43a73316a8fffa42aad988fb

Download Submit
memory/212-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/212-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1288-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2492-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2492-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-47-0x00000000010A0000-0x0000000002955000-memory.dmp

Filesize
24.7MB

Download
memory/2492-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-46-0x00000000691A0000-0x0000000069238000-memory.dmp

Filesize
608KB

Download
memory/2492-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2492-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download