73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
307s
max time network
316s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 13:11 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2828	b2e.exe
4696	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4696	cpuminer-sse2.exe
4696	cpuminer-sse2.exe
4696	cpuminer-sse2.exe
4696	cpuminer-sse2.exe
4696	cpuminer-sse2.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3624-0-0x0000000000400000-0x000000000393A000-memory.dmp	upx
behavioral2/memory/3624-10-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 2828	3624	batexe.exe	83
PID 3624 wrote to memory of 2828	3624	batexe.exe	83
PID 3624 wrote to memory of 2828	3624	batexe.exe	83
PID 2828 wrote to memory of 1608	2828	b2e.exe	84
PID 2828 wrote to memory of 1608	2828	b2e.exe	84
PID 2828 wrote to memory of 1608	2828	b2e.exe	84
PID 1608 wrote to memory of 4696	1608	cmd.exe	88
PID 1608 wrote to memory of 4696	1608	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Users\Admin\AppData\Local\Temp\B83F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\B83F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\B83F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C87B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4696

Network

DNS

75.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.159.190.20.in-addr.arpa

IN PTR

Response
DNS

180.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

180.178.17.96.in-addr.arpa

IN PTR

Response

180.178.17.96.in-addr.arpa

IN PTR

a96-17-178-180deploystaticakamaitechnologiescom
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

yespower.sea.mine.zpool.ca

cpuminer-sse2.exe

Remote address:

8.8.8.8:53

Request

yespower.sea.mine.zpool.ca

IN A

Response

yespower.sea.mine.zpool.ca

IN A

198.50.168.213
DNS

213.168.50.198.in-addr.arpa

Remote address:

8.8.8.8:53

Request

213.168.50.198.in-addr.arpa

IN PTR

Response

213.168.50.198.in-addr.arpa

IN PTR

minezpoolca
DNS

213.168.50.198.in-addr.arpa

Remote address:

8.8.8.8:53

Request

213.168.50.198.in-addr.arpa

IN PTR
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom

10.127.0.1:12000

46 B
40 B
1
1
198.50.168.213:6234

yespower.sea.mine.zpool.ca

cpuminer-sse2.exe

5.1kB
8.0kB
60
60
127.0.0.1:60200

cpuminer-sse2.exe
127.0.0.1:60202

cpuminer-sse2.exe

8.8.8.8:53

75.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

75.159.190.20.in-addr.arpa
8.8.8.8:53

180.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

180.178.17.96.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

yespower.sea.mine.zpool.ca

dns

cpuminer-sse2.exe

72 B
88 B
1
1

DNS Request

yespower.sea.mine.zpool.ca

DNS Response

198.50.168.213
8.8.8.8:53

213.168.50.198.in-addr.arpa

dns

146 B
100 B
2
1

DNS Request

213.168.50.198.in-addr.arpa

DNS Request

213.168.50.198.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

56.126.166.20.in-addr.arpa

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

194.178.17.96.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B83F.tmp\b2e.exe

Filesize
1.1MB

MD5
28b0bdc24d3cf3b2a525d4aeadc53ee7

SHA1
1a623aefa807f12f6146fd3be55b80861ef536f7

SHA256
486a6874afdf375a90a55a0727e8de8022747106da22d9bd03779b5013c88a32

SHA512
e255381ee221afe8361f7a6f212c7f6c7a4bfbeaa9e0c41d4a75260f64a4f486cd9d5d115247094d6a377d289599c94c8538bec50c4599063ad445ca3bd67bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\B83F.tmp\b2e.exe

Filesize
520KB

MD5
48b0566f3b4b59f3183056563a4992c2

SHA1
ebc1cc7ebcb5abf73c6e5f33aad564b1d8594e22

SHA256
6d286e1818b8b9adeadfc01285dfdb2f64a50dc81d263d0da667558bb3804a04

SHA512
28336314a538e82cff81079b58a2ad9f3f2cda625763d7d819ed0b08d9b09c3fd3ee807a30ade11a3e605951965c5c3c77712cac696d140636b60bfe6c537fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\B83F.tmp\b2e.exe

Filesize
323KB

MD5
d64052cb7adfcfad3ed48e158b5d766a

SHA1
517a48924d1d2b4e573d6dbbb5cb35349499a388

SHA256
b74aff9d5b59b1cdcdd789198b61e841925ae2bdfe76cb52e9bf3625e3fe2622

SHA512
a2e6e73537101b21833998e6fffeca47709ac0a80a7cb8d47bc13693a7ec6ff9e1a458c30a3bc2eadf8e531d96b461fbe6826d879a3a9ed117a4660ae7aeff75

Download Submit
C:\Users\Admin\AppData\Local\Temp\C87B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
216KB

MD5
d3e8fb6bc23bd88469ad67ed2aafcb47

SHA1
24b5bd8edf476b4774def73f06252489cdb369e8

SHA256
7004f5de6b3f68832a9aa17bbd8635d423181db5c0e600b92eee692725022065

SHA512
884028e8aa24ece7de98e2015ef66e3e30d56a9bb050e95207236617bb0114be9bdd8e4a1c8448bb601c60cb8ef955add9b5c9d3d9fd293e0b2c1e844b19caa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
331KB

MD5
8ad5cc96d800431fac1db2e80786e1b3

SHA1
90b011b47d5459c3a61388121585d975e9e80f73

SHA256
23e37d36da558fe3cba25199d20a01e1b44f03d711282e94e4dbf5f0b3327d88

SHA512
2c5b5faf3d4777ceadae3e234152745339fb9698661c9681e71728b4094a6beb329a1c37c344301371c9ae83a541d02bf9ede91c1748f8203c4cb67f9b555410

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
350KB

MD5
f624a7addcd406872354728727d56591

SHA1
92792db0b24807d68783450db9ae6ee97de093b8

SHA256
3b5ecdf94c6acfbc51d6f15692a1500460c17a18ba1b2d349139f1ea10ac7457

SHA512
e3f4bfa8ee0f2a404c2f6c25920d28dde16ac44031675bd0829cd97cab8d94629cf491981614f53fe77cac7fb14b5fee9343692401294aaf4c40aa29f8cac706

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
188KB

MD5
4cdd66cce61eba26da1c372494ab8c27

SHA1
87874641ea4beca1850b8b6ab2797228b6fd3861

SHA256
16d21214e5f1d6179ab5068dbaace81d741f3472dfdda7a2f28f92163917f479

SHA512
37d123798540d7b8ce06066a1ee142b3cc372060764c1664b22af0e3b223633cf7764733b68e4693cca29fa9179bd7da1dcc2e1f3a3a9e4b2a7b1370d8412d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
433KB

MD5
3d6e20e7699cd844b94fc3ac6d69355f

SHA1
2929926d8d75e83595b96e1f14f5670b297d1323

SHA256
2624a5404b7b8efd632dfdbb8890d9b5662e9ad8b4c72b9e315cd6d964ac9b0a

SHA512
da76a9918a1c7c0db135781d9a3ee20ed6d09b6b7587432a7a13f09dacc6581de6c9ecb9c77df1d439d940ce9ed131e52d816f09b305932049a8e5ad6ddde12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
162KB

MD5
6997dcffe0bc76c4f23fe11e930d874f

SHA1
ee973cffedc5551bc3e42e640a35b9e2890c151a

SHA256
a6bbb6b5b7a6761c487f73956c22c69ba04bcfedaca3744018dd1afcebc47061

SHA512
85ba563fa2a12c6b390b41cc14187048d6d46e0f2659518a60151ef27ff8468d1ca74232dfc88abf688b68a98af240f96082374af27a7544cdb6442ce85c35bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
443KB

MD5
6fa96fe746835b5ea093b1c860ecf296

SHA1
d1901efbb003ed2ed134cfce471a41fd2aaa2146

SHA256
4d8ba0a2497280a84e975c4ad24935a51d90af580d5adba2f81313d1b408e150

SHA512
649fecdfbf60a5323f96995fc9ffd96e55f1b554200f0a4bfdf446f2df7014adbe6a1328ef3a120c61e3959f1c8b9fb35fe417f8e0b7675c907b39c7db81ec39

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
277KB

MD5
cda5a767249ddcc4cd59658a1c4b511d

SHA1
fd09c2a96a9077309668abd78f658eb79a072491

SHA256
c2def42f3cc1aad73da23c6a54af5c8720dadd979ddfb1cbf6c7858d30eade4e

SHA512
fd36e1841eef9cfe42a29466cb93bfc9f374cdb38e04094c3fec51af3fa60f6dcb00c22b86b96f33d190eaea0adc0fa25f68485b43bbb7db843596b20028680e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
364KB

MD5
942bab8c0a7c4508f826efb9f63c850d

SHA1
d7345ec7d8c96698f94248be2a99442d966eed93

SHA256
6d97ff09621aedd34b6e6a947fd97adc85d50f6974f5d33312920ce010a60dd1

SHA512
eea2af49e7d49486466012e034705be6ae067cca453d1eca68fb4244deb712b3d9684659d45fd2f73a3f30d5e6485f1fbd9722d442172ebfbc2f5d3cec8876ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
209KB

MD5
20f5bc00062ec4b15c9695240f7cbf6c

SHA1
77bb956356d043903ef50dbbf36782f0787c38dc

SHA256
cf0f9af951a1b3140703d2aa85f13f709c0211d73ac2bb902d1e20840b1052a6

SHA512
d40634e8055428b821a67c9b89ce3a21f0a96f8d69330d5fd89791e55fc8df488f99d2e0c6dedf0e2bff357a7480d1ae2d92a90431be27ef5e58ecf3e9f521ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
144KB

MD5
1ad0640cc0e457b77146fa085110725e

SHA1
c6e36c5d126b8f50d4c91e6df8882c9099f47222

SHA256
a055141e4959ff6b80c4cac47c0570c28ae5d9928e0e04b75a068112765d1476

SHA512
0476dd343463e704a4b6818d04c55c9ad0288d10a98191f833e3fbd7d998a1c8b74abac23cd3d8e3d5f3a28e01c16d543f95e08d5796653979153d162a5517e6

Download Submit
memory/2828-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2828-54-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3624-0-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3624-10-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4696-44-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4696-46-0x00000000744D0000-0x0000000074568000-memory.dmp

Filesize
608KB

Download
memory/4696-48-0x0000000001140000-0x00000000029F5000-memory.dmp

Filesize
24.7MB

Download
memory/4696-49-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4696-65-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-70-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-75-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-80-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-95-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-100-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-105-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.