73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
303s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13/02/2024, 23:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4372	b2e.exe
2828	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2828	cpuminer-sse2.exe
2828	cpuminer-sse2.exe
2828	cpuminer-sse2.exe
2828	cpuminer-sse2.exe
2828	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3936-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 4372	3936	batexe.exe	75
PID 3936 wrote to memory of 4372	3936	batexe.exe	75
PID 3936 wrote to memory of 4372	3936	batexe.exe	75
PID 4372 wrote to memory of 2908	4372	b2e.exe	76
PID 4372 wrote to memory of 2908	4372	b2e.exe	76
PID 4372 wrote to memory of 2908	4372	b2e.exe	76
PID 2908 wrote to memory of 2828	2908	cmd.exe	79
PID 2908 wrote to memory of 2828	2908	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Users\Admin\AppData\Local\Temp\A49C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A49C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A49C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A652.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A49C.tmp\b2e.exe

Filesize
2.4MB

MD5
b9d0ff3d1342589f1549df753073eff5

SHA1
ddcb4cb1080bd8e858ec23db136c1ea29c1ebcf0

SHA256
da83df3c7ae8a504276b01b78177487cbefb7e50fb96cb705c1823f82cd7544b

SHA512
d9ed9eca3d2f07d106fb1f0a70cce8c5a889fc23c26f143d17665139d09fd33dba59bb69465e9512a892e5afeb3c38f806c3b6082b8cf1e3613f9b27a6d24fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\A49C.tmp\b2e.exe

Filesize
2.4MB

MD5
6fba199c05df846c6ea52fba62066445

SHA1
77c76cf4501e301c540247e56c87b08c6cca4421

SHA256
b8cd67013463b33b0b9fc76f6de0eb1864d3de647f272b6f1b6d8a565d2af88a

SHA512
132e86ebe6d5ed7b829b76ff5503ce63654b94d926449ec44bb3c7e31283834b08deedbf9b6756d44ed8ba51a17250c0528088618d56d16f591693a8f8e1e63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A652.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.2MB

MD5
508f5fe6e1e924bcd3c8c70e2c5469cf

SHA1
5df1e6314634feed1401c8ee932544136c923378

SHA256
8dd6d392b75bf98f496c2ca5f077912b8295e6144a10ebccfbb65a292970a9b6

SHA512
09eb5fb3160559b2a6920f0a326613fc97943a8ed668d50688fcc6ea433422247d6cff82ded687b91492fef616dd51af8cf3cf7e71b1addf2ea9f90d3c250b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.7MB

MD5
2a46b6e813e9284cdc898ccb0231bd21

SHA1
0bc09cc81b58dde543b12adf6190a0c3bac12f2e

SHA256
39daeb7acd630ddc1b822c6590a1573fd43d503ea4a9c52be35b727da9c16385

SHA512
807be89b883bca39fbadfdb6b31b6e3a0f2ccc7a3cf0d399c0682ecda6e7c808308c4ba4c1146a1d6c6c316a04f7815bc5bce311a2ec1640c884e99564e06664

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.0MB

MD5
c6920e77d7421edfb799630df48cddb9

SHA1
597a2e34ac1389e751350ef1437f0d8a3cd52591

SHA256
1d9c5a991fbdd50bc5fc527ad2c37c5098c37151381af164baa62cc3d7d273f2

SHA512
c932517733d430e1d07012660fdeef878e81f5f9f0358186aea9b14a9849c898fe6c01583f1d3dbd2a3bc2b4fd1057499588da9dc82635e0260db0639b41ff8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.3MB

MD5
8c1768cc03f9566eadccf47751aa60c5

SHA1
4ff4aca09e7f1f6bc509cec43a1caa9ea7170367

SHA256
ba3ac59eff0c6435c80eb445a517963e4eb322e925ef05f2065d585406492a25

SHA512
5a293ee93955882a4eb31c8f1bf265080706601b6552919264e41f6ed3b6635bca966c13294b973121495cddb4d974592bccd249195af926eb16eeaeb1b71296

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
660KB

MD5
c9a8b75767f947aee4c99b8da23ee7f4

SHA1
743ada29b9e366ebe8850c8da0ac37f17af9f731

SHA256
72b63a32632cd55fee8983898f5f4cfb69aeab65e4178474a2393cb5817349c0

SHA512
fdf749cc3147a5f4fc027b2b40231fb08f8425c444c5aeaa73febb4f2e1368ee8be1c7fefe471b3a744d97aa1fde4c055c2298a3bf0d49d6463154852c3a6bf8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
867KB

MD5
960b00d4c7be9cf296f20184a240f555

SHA1
e7c8c3d63abfd124168db68a2957a7929ba6b41c

SHA256
f1fbfc02e80f416c93292ac71a1d2123be23ef9ddaa254d30102c05c55c6ba8e

SHA512
727adb358388f820fba04ad5eeff9a0a12c86581972cbdd725f11eb4c838d51c5e9800bba1929347f59292722240df8c6c240d6460aaed2993249b5ced6d3c43

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
fcfdbf496643056365145d0202c80558

SHA1
3818a99e6dfb247c14f070e7e68d87e9b41e5f41

SHA256
2a1a80959fe552fc625faed5cd6939a8ef649c971970aff87c61911e30f2b445

SHA512
2b8977d9903c40b04d3dbdf4c39ba91c4e51e94f9ba8352cfe06d6c611330ebdc22856c305dfdf883129ee96929010af6c891d29336a259de37328e3db7e5964

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
819KB

MD5
09868f1f368b7232147d1ab5e9fdbb0b

SHA1
8e09808cbc2be2c5f7cb6f085742ebb80356dda0

SHA256
32a2a1be29c6aab689f562f4d8fe54344d26bcaa03f637faf488ffde48be60af

SHA512
d6a248ddde5165e1c2131b5b07112b0f496c6cd2c4eb384441a01bd078a045f2e5de84046e5802c8818a2ad9b39e8bc37513481878ce268579c5c3cb9f4e855b

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2828-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2828-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2828-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2828-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2828-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2828-43-0x000000005FC70000-0x000000005FD08000-memory.dmp

Filesize
608KB

Download
memory/2828-44-0x0000000001090000-0x0000000002945000-memory.dmp

Filesize
24.7MB

Download
memory/2828-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2828-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2828-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2828-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2828-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2828-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2828-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2828-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2828-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3936-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4372-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4372-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download