73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
301s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13/02/2024, 07:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2380	b2e.exe
4444	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4444	cpuminer-sse2.exe
4444	cpuminer-sse2.exe
4444	cpuminer-sse2.exe
4444	cpuminer-sse2.exe
4444	cpuminer-sse2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2380	3044	batexe.exe	75
PID 3044 wrote to memory of 2380	3044	batexe.exe	75
PID 3044 wrote to memory of 2380	3044	batexe.exe	75
PID 2380 wrote to memory of 3932	2380	b2e.exe	76
PID 2380 wrote to memory of 3932	2380	b2e.exe	76
PID 2380 wrote to memory of 3932	2380	b2e.exe	76
PID 3932 wrote to memory of 4444	3932	cmd.exe	79
PID 3932 wrote to memory of 4444	3932	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\9B75.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9B75.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9B75.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9D49.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9B75.tmp\b2e.exe

Filesize
4.2MB

MD5
a9fa1a3698f8783ba4b99e08096b654e

SHA1
42fd65fe46dee88805baf3b9b2ccfbb5cdbdc095

SHA256
77d5fc430b5ad47e745a2debf92019dd98714355e6a22ff740b946d8ee5348cc

SHA512
bd3ca56db429f4d8d1b08cb6f1acf339bcd9dcdd9a6d70a3473ee48da4e12866d48a33b73aeaf380c453bfdf982c2a3e8749091a8e7485a05f6f3f22b4a52a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B75.tmp\b2e.exe

Filesize
2.3MB

MD5
bcce99040ed50caaf2e485073719e2bf

SHA1
7f9b2f8f410150c35696a01f3239bfdd64b5985d

SHA256
e321a871a649621347ecf88c2b034ad85006f8fa15a1e6b330e8cbee197887c9

SHA512
d5e4095bcb427372e3372cf9a00a01de376a20707e96df50dcfcbe4007af515057bb178ab3a5fb58ac6d9835f1385ab7b892232b59fcb9b069d81cb9559c7b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D49.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
320KB

MD5
59d36bdd941feb6c770ec68a37e8c21b

SHA1
1191d1e478164cd720974ea1ad2bc248999a8d45

SHA256
d5227dca74d9be12116b359c9d61265b102c0986eb6196e269cc3e3b895c0293

SHA512
b1620dd0763f2f7c263ae69c71eba7cba29d89f1bb551356abb7073e4e7013347345c43f2bad3c4733300c5b98feecf2fd91db2a363c9e5dcdd87f170edbe406

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
409KB

MD5
811839a94b36221735b5a2ca1d855ea6

SHA1
83c3ba992b0f930a71b1912e5943439253604666

SHA256
d046ba24ed6db3e86b240f136a2c17ad009a9ee10d9d8ad3f2c24cf0cdc896dc

SHA512
b5ad49d4ad49052abfe2ea868056c16ba73bd937757ca14a873d3dabc72cff67ca2c0def9e9ddcccf8fdd936d13906d1fefc0547a82b4708083b92968cc3c408

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
154KB

MD5
3cc467131d9acb14295a42fbd5e0472a

SHA1
28abb7ae73fcbd54e75cbc3600e1dac49dce5328

SHA256
b295e78e3d7f25d89dc88dd6c673ccae4fc54fc361b0304011fbc91f284206fb

SHA512
add759735b71a4c154072e6ac79e3b60cd1569da316122a2f33f2df32bfe21b13dc73d6efa298ae58c84cd950866025a598450db242254140ae856ac791b6a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
94KB

MD5
f82c84d31d5fc20896c337e20ca7842f

SHA1
4610867766076ad119217437201819863dc1be87

SHA256
17ddc522296e58ef8f9d461d5fb56a556809dc45f90b357abe696d1ea8644780

SHA512
9d1a56602bf379a64c76349232cceb8f130f1edb3ddbfd31d81130650505b895c418803c93773b5f1b9b965d8a1defea91db22571e3646f706302fe99a4be8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
121KB

MD5
de263615c8d6e79c6d40b3b90627cc51

SHA1
e8ad7488040ec99817e80a65203d1f04fa0d1ef8

SHA256
0ee266f209f83c87fe6d86eb995dd5b7673a78545a5775fd0b21fc2245feb2c4

SHA512
e87f288d847b29a6a9e3bbd9d3f4363de008b77dab86800f7a1a8702000742f935d3e46a494c007b5bb5aa0cccdce831f682c9f44fab22b1c33921484e2179e7

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
64KB

MD5
e7317a0a343dc63f3fa3bf9ca6e93ff0

SHA1
0d48881feb76cf81fc46614bebfa3c134cada128

SHA256
277a43f17ccc4f0fba87c710212de61a41383bcb94410fa093b50ebd50347a63

SHA512
84ef51472db00cd4e90df3062a3cbc29a994c5cf470e54300d4a2f103ba8fb8279ec87b0561625ea1bccd80a7ad664c63457831b4eb919a7608099430b98a3d9

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
95KB

MD5
4445596ad6eaa8744d9ba4d87eb74779

SHA1
a4798ad59916fb951817077b07cefb5496bfa6be

SHA256
2ae62d9a061fbbc606a9ef123b5a447d23ae98ce6f1eb360c226acb91bdda2db

SHA512
182aec7765dfd0fc167bbe90ce015c1e6bbacb447272e07a3637c25b38103b7f4ab4bc875d23548c32b272ead90f7a58ed82da0c00ea85315dd40db15d5386ef

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
55KB

MD5
0fd5ff983dfa2c06b19bf6337e1e10a3

SHA1
ede3c004473b0b2cef8aef0888f5dcb8e7130d40

SHA256
bb49287e7c29a3a6133b4842135e637e4130a01e954cd396cfe562bf96ff6293

SHA512
614ee06d64d6099b9a1428cfc0cd4586e0ab30bb0cd5ac8308408a37af808c8792969321fd02a9db28f07fb322972db9bc3cadee55a91a2c141b19588d69a683

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
24KB

MD5
99bd16e9ae4415b233791283c272df90

SHA1
da1afdcbbde1e576a7f288cb9307e219a61961d9

SHA256
31b319a492aa9e46758a2734142059189c167235e5bb8c4ed71556a97d5cf757

SHA512
87dcdc949087aa8befe6a85c44c40ce4d3c910c83061101e14029bc6e6e44677d87123001951beef25b1b6c0a9938c60fa9965412e8c22eec104e25991b1e76f

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
90KB

MD5
316be586e4ea451607f76e5a10210e4a

SHA1
712d4a8b84eb92fa4e55f0328344b2f7028d66db

SHA256
c74d322aef4bc0ce1ba8c456f29a603b5e8be8c39d980c01c3cec58e53bbadaa

SHA512
74e58c8296e738c88fc04e16aefe361ebc8ccfc5c1600e5f541640e3c651110097616b659fca4db1a230910347d2dea43a0f8dc5700f8966661016ecfb2fb5e5

Download Submit
memory/2380-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2380-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3044-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4444-43-0x0000000068180000-0x0000000068218000-memory.dmp

Filesize
608KB

Download
memory/4444-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4444-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4444-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4444-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4444-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4444-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4444-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4444-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4444-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4444-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4444-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4444-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4444-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download