73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
296s
platform
windows10-1703_x64
resource
win10-20231220-ja
resource tags

arch:x64arch:x86image:win10-20231220-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13/02/2024, 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
508	b2e.exe
1656	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1656	cpuminer-sse2.exe
1656	cpuminer-sse2.exe
1656	cpuminer-sse2.exe
1656	cpuminer-sse2.exe
1656	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5112-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 508	5112	batexe.exe	75
PID 5112 wrote to memory of 508	5112	batexe.exe	75
PID 5112 wrote to memory of 508	5112	batexe.exe	75
PID 508 wrote to memory of 1744	508	b2e.exe	76
PID 508 wrote to memory of 1744	508	b2e.exe	76
PID 508 wrote to memory of 1744	508	b2e.exe	76
PID 1744 wrote to memory of 1656	1744	cmd.exe	79
PID 1744 wrote to memory of 1656	1744	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Local\Temp\877F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\877F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\877F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8983.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\877F.tmp\b2e.exe

Filesize
3.1MB

MD5
b096fe9631fc1942824f886ebf2d054d

SHA1
da931b74ea111de0fc1832394e0d06f4f0602fbc

SHA256
01fd26e62d5d6c23d02105c0410f626438a06ad47a37962dd52044fb9fd21389

SHA512
e76fc3efe98c1eaaee0da2b87ba37fb14fd61a4d4c44ede0c004eda95004359d59ad16f6159e5871adbf6dabc45e698aaffd3aeec387e471beeb3cc2d6066b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\877F.tmp\b2e.exe

Filesize
3.6MB

MD5
b19d41cf562496aac05ee75eae584895

SHA1
8ea975d0f088829db4de3eef6986e250e94ea860

SHA256
c36951c4db491ad46c7f4a73fb93ea1792f55501ac93246938f1792bdd818d6c

SHA512
16b673a59cd3e2e9d86003bf613269d2c19ead5868d72afd8136273949ce81203ea8d15d873f5e0ec5e9de774eae45658e4e68b9f911cbfbdb37ea4829922274

Download Submit
C:\Users\Admin\AppData\Local\Temp\8983.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
791KB

MD5
4e50cc5d8d432e8ed5232e2a520d48ad

SHA1
99b844fdcb051f098b2268fd8db4125fcb2c97d0

SHA256
c05dd48e3a1972365bbcc65a639490579536d1258a6b3788226d74b7a5ddbad5

SHA512
23892f498e460de7e8361f4672574fe099071b3ab6aaa2be3c30dc7af84eb5a3e4672b031284bec230a65dd40b8e67c0887a3c9d715d9f5692b69ac7c1d060f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
607KB

MD5
8de4d10ad4f61110e059b36f31d0e6a6

SHA1
562826f959c9d156507cea53de658663ec260664

SHA256
db5072d79e9a391ccb6cfa9850d345091e60e9b266dfac0382bd0b3724731d79

SHA512
3276e4dc90b891423b60d42652491f590e0f18f26ec28c5f8ceb62afeff00b4916aa339d2701a006963386a8f163d981a2dec691e9aeed67114a07ef02ae76ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
763KB

MD5
2a5dff2db3ac4073a590e3a6075d504e

SHA1
5ae55cec87e64ca3fefece96523ab617516baeaa

SHA256
01f8a7e78bce5105326a4fa168cebfe4f2f89d8f69f5a99e15ca5e6abd73a23c

SHA512
bba1486828a38c8a00c39a05d24442a6a109ffd18547adda2cfd3f2e95d0c722fb661bc0cef086217f5861b1ecf5c6de10523214f6e33642fe4eb8ba6b53f52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
777KB

MD5
768c51c0382f887540fa411efe64d623

SHA1
8c73f0a49a13f394078e49fccec16b1b2a6d52c3

SHA256
cb37b7e455f36db522c65321776ec6617067a5b7cbd3aab7577fd0a5737983b0

SHA512
6221dd98a26116241eccdb65b913f436e4670f432feef25727b18f90fa6ae94975c95f1d7561773078cb6808ebea14af1bf55b4251b67594ba82099120925ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
240KB

MD5
e3cb582a123d183e0ab43cd15b37f427

SHA1
c91b1634ff1bb55c95ec04bb5b80f0105bb00c3b

SHA256
7a590ac6e28677880e798ff1e10867a728edff1a918a33119f836b170bc175d7

SHA512
30644d7cf8ff4040be6d95151ecfee7cade46c97d1b8a0f5200bae09611e1f24b77ea125ad31af3eaee56a2f6506ffad796e251c0e27d653ced69c3e47760b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
389KB

MD5
effd5445d14394ad4cf132c8ff6ff6ee

SHA1
5dce8d4518df926799483492e8089fbabbe545f3

SHA256
099c20c9fb4f3dd10f376fe3d007529016a118c249d823c410e7c1676d571b7a

SHA512
9b876ab38b370388db0a5708782d4ee248d75873f23203bbf3fcfae715455cf6da46e32a7febca0ddf08c8921011dd83f556b9bb6057b626d8692bb3ed52f7ad

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
435KB

MD5
6dcb5749252f776e38e7503075c23013

SHA1
4193590bc78f752f362bd7167cd325d7246563c1

SHA256
9037d4994432a8510839fd07e11bd732406592c47c1dc0cb19cf06d062dea167

SHA512
46edb602bfdac3db7c8e58ed2b7d8c132e1c22224b6eea85daa0eb7e2af1561294f6eee795766755fdd32cc41a466eeef312a606a23a44614ba5ee4155e8f45b

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
317KB

MD5
0574e5d38fe1e2ed1242dcd50234448f

SHA1
41928c5b6507d8d07dd0592be54e30e4d7d04fcc

SHA256
c35a799d4ad2a4d626cf3750485cb91d9ae43207d84fdfe06dcf6979752d818e

SHA512
c3060564de3b3774fa533b91ccf36e1ddf41bdce4f7407ea3a3fe566b223f66d5bf4f77f80c02c9e606e11eefe7696f8d5ba622ce7e8a7d88a02377f3d607bf0

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
427KB

MD5
2284c18e24dbcfe5c8e3b1cf6d516eaf

SHA1
dfe7ccd37303f747c956e078e72f33cb6082daa1

SHA256
1e3335882e4e18b281442103d3cbbc6f6dd622c959c59f5bc092a94489ba24c0

SHA512
5f8bf923f143573e65aa2d579e6be18b329de691a247b20201cf57f3e1c1fcfa5420643a618b0d2a7e5a507bc55a811c97556929fe57a2fa84506b7253d76b3a

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
533KB

MD5
18dc63ca80e8bc18c5c8dd5cf38b9ae5

SHA1
359515e082a0a16fa9cd7db3540cbcfe3d649e80

SHA256
1de9187f74ec0520edc8c40944e020d9843266e4b898d1c85940a8af3de56a71

SHA512
2a724bb1385223a8d92adaa67aaba88196588ac6166fb7c6ecf6506ca2d1c0225e498009b13887e959c1648388ae6c44f94c0c19a5870e50394501a699876398

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
535KB

MD5
40cfbcecca0b917aadabcc1d920170c4

SHA1
aab2c98d10b2eb7377f0ae661b50e5ecefdf33a9

SHA256
d7aa1ac1809a8d7e65c8362468e0712c2c5b0de2f818eec0b35a277b06f250bc

SHA512
62041e74676007403ce1a3e8dffcdb7576bf209d1093146c99ebed5d9e74bab1759148c403e433610dc5672fa06ad6666e6dff2fab7b90aeb50d082e12b614a1

Download Submit
memory/508-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/508-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1656-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1656-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1656-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1656-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1656-44-0x0000000001160000-0x0000000002A15000-memory.dmp

Filesize
24.7MB

Download
memory/1656-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1656-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1656-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1656-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1656-43-0x0000000058FB0000-0x0000000059048000-memory.dmp

Filesize
608KB

Download
memory/1656-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1656-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1656-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1656-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1656-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1656-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5112-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download