73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
303s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13/02/2024, 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3640	b2e.exe
2652	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2652	cpuminer-sse2.exe
2652	cpuminer-sse2.exe
2652	cpuminer-sse2.exe
2652	cpuminer-sse2.exe
2652	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3128-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 3640	3128	batexe.exe	74
PID 3128 wrote to memory of 3640	3128	batexe.exe	74
PID 3128 wrote to memory of 3640	3128	batexe.exe	74
PID 3640 wrote to memory of 4468	3640	b2e.exe	76
PID 3640 wrote to memory of 4468	3640	b2e.exe	76
PID 3640 wrote to memory of 4468	3640	b2e.exe	76
PID 4468 wrote to memory of 2652	4468	cmd.exe	78
PID 4468 wrote to memory of 2652	4468	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Admin\AppData\Local\Temp\1057.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1057.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1057.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\15F4.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1057.tmp\b2e.exe

Filesize
3.9MB

MD5
9a99034eda6fbfd94ee3fc215c0d3c50

SHA1
82b8652ab4e665d4a4120a912421d9e68e973970

SHA256
382dfd4d162551b0228027f4c317bd957a4d50889b27b583f42dc60be3c71098

SHA512
ec15784c8048aa377461a4743dd056aded45d125c5309823d726a7eebb7ba66ef6c0295ec98bf3d613641c89b920037f7c0a25ccd44769c126db1b62743d45a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1057.tmp\b2e.exe

Filesize
4.1MB

MD5
40048e0dca012c407e076f25f534b663

SHA1
06a4b4a240e6d89a9e17f0bb4f9dfd96cccdbac5

SHA256
c5cb809ad9c769e80a8b56758a26e9abbb718d1bb71c34e20dd3cf017236d135

SHA512
cae1986b550c725c7296018b7f898e355cca231bb3e7c3d73627e6e53b39ed1caafc2596b051347db9c3f31e594fc1bd3e690e4a1d5c7c5f88178ff2bc01b4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\15F4.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
293KB

MD5
36f2cb824bff22987796ae5171175b28

SHA1
efc09fd0793675956147fbbf1840b8cc1ec5ccad

SHA256
88261efe54146bebb07c82e5a14a026d3535e938dc3a2194fac9e392b0d7eea9

SHA512
bba3a4027edfb0e8185479756ca5db6f67b7edae349bc469bf771958656ea1da07b8155cdd0c5f2002f508adc07f89c7dd2c5fa9f683dc316b8ebbe1958a1137

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
284KB

MD5
e8449bf746594288ad44cd413c8f3829

SHA1
6481608584a6bea5f5ca49365dfa7065731bacc4

SHA256
593d6cf3aa2a6528cf85e3d8f9120fa005f5024f5d7ad741e371355b11372d72

SHA512
844ec003985fc2b2e02861db8349f4487a04a3ed95a422aaed728a849ffd309e274eabd56a892eb750591d4b93a9b0d8a34043bf656868e6676b0e005076d59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
351KB

MD5
9dc8a5d441476f17d471187d926016e4

SHA1
f34f1c017f1fc1e3d8033ee6358ff32caba91bce

SHA256
6cfa76c1909113be20afb16ac76eb407e8f280c22c80828af03efdc2ba366dba

SHA512
81171aa302e20bc927779cef5c7a237ca841e84fb43f6e7dafe8550cd7522f2ee1af04a0f20f5d1356d9df7ecba153f1b953e36ab909c13fe40457b112514652

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
138KB

MD5
7d19f1ea1d10c8994603f6a4b3d1805d

SHA1
c109577ef0b17aee614e304f586cc0bf914237be

SHA256
54436d51e39bfba2ce354fc58fe7f73c449bbb927fe3a793c09416e6e13e1cd0

SHA512
e6bb15823291d0fd761a0c8b4b56c448df13836d0af261da496f7b6c7ff7fae88eb94fd271770d6e76bde10d7ed9c9252a2bce9f9b9cae39eb4a1e5bb57d7530

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
190KB

MD5
2b9e9b9a2954fd04ac30e8f3ef08b9ba

SHA1
41c6a71313ce32256d79942aba3501cf0328fe7a

SHA256
f299f6c1234c479786c71837b7ef549a3053b0217ce3b98ad788e2f3fc4d6320

SHA512
4dbfb3947ee3458ebe3fd4d6504f6ca279ccab0f0b7d49deea2e661acf586089492db5c1044436c307e53b4476c7c08d18037b0b827e8e262306a834d2278085

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
79KB

MD5
586eb9769fad8cff3e361f74c91e0285

SHA1
3ca464da4901bd79078ae1f5354fcfe91d3e5ab2

SHA256
354ca91781ee178284ea0cf091c383b2560c587b74d5106cb3a2aaa0d2828d1d

SHA512
f46379d2340bc99c762f57ca915a2ffdc17eb91993ee72bd55ef3da83cedc3b3584ccf69ee4832f58ffb4210b93c98430ac27cd45c78694fc632e141d5dfe1b9

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
222KB

MD5
e0124f9c84876211bfc12080d29f6d67

SHA1
f4b7e209a7e71fca46a4fd7e335273a82965c033

SHA256
2dd10c20bf803fe44254a11c6bfe87ec6ad8d5d3eb37791747db2e892c71b981

SHA512
8fe784fec7e63ea445ae54a1f826d87d4f13b514a7ee6de22e4cbd1914792ad9c62befd4113b07fa41f64bd1b0d2254a6ed81042082a4f5f9c4933ded4d74ea1

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
113KB

MD5
542a08e014aeb411fa8718872cf6f9a7

SHA1
c9d7bd992d4f5b1fea535e65b5b08e973a426c38

SHA256
54ca9bca69e6bd9a9455ee73c9bf53336090c13cb9b196889d18355b6ffcaed6

SHA512
ff35c93bd65b24835575e4bf6d26eb010cc497e5d4bb979ae566dc91feef6e1f619e999bf687978503a8af8b4553899490566dbd2820d93e63396fa3f501dd66

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
68KB

MD5
56d8b1c7d8ac0b2df52a9c90f1c1481c

SHA1
b714134acbf10ee4a3d19876c8b2b53bde355862

SHA256
72854391ee904bca8ebe952e2970d0aab23f555845b0a2ba4d9f291ec05a6140

SHA512
6ce6d47c9c96fd862743386c80a45798852ac2fee173644850e66b2a8fa1cfb64e975cd5b7024e4b9b4d05c2e087a27dcff2e06808fc917d32fbf4aea3997dbd

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
154KB

MD5
845f17323e86e471dff6052e9af0128e

SHA1
9a434675d50f906ae4286460d4e5370c8a77e3a4

SHA256
c87f70146bf2872cfdce90c856c9efb32845b5a028fe191862b559bfcd619874

SHA512
669d3020d70fc4269205368dec3b5ef9c2d8e4be1f3ad9c7db56350e9038b277c845d4a1e8371dcdb806423de5ef293896ff6833ee56f7b7a129b4e4669e8656

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
71KB

MD5
5cd3234c0db87ef20988a8cb7bde3877

SHA1
a8ab51a14ed29b70e269ba42376c22d176731127

SHA256
09657efa767141953f92f9d4adfde483a494f2408fe4338b025bbf8cf4a56876

SHA512
c0fe2b94fa50c5503e3f331406abe9ebf9e99e0e5f3f0889752fd27e644689489513b02c0e01f2952440f9f3124048795c862c986796bbf4a0a11ad9f45ac5a9

Download Submit
memory/2652-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2652-42-0x0000000068830000-0x00000000688C8000-memory.dmp

Filesize
608KB

Download
memory/2652-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2652-44-0x0000000001150000-0x0000000002A05000-memory.dmp

Filesize
24.7MB

Download
memory/2652-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-48-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2652-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3128-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3640-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3640-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download