73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
306s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13-02-2024 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3640	b2e.exe
2652	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2652	cpuminer-sse2.exe
2652	cpuminer-sse2.exe
2652	cpuminer-sse2.exe
2652	cpuminer-sse2.exe
2652	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3128-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 3640	3128	batexe.exe	74
PID 3128 wrote to memory of 3640	3128	batexe.exe	74
PID 3128 wrote to memory of 3640	3128	batexe.exe	74
PID 3640 wrote to memory of 4468	3640	b2e.exe	75
PID 3640 wrote to memory of 4468	3640	b2e.exe	75
PID 3640 wrote to memory of 4468	3640	b2e.exe	75
PID 4468 wrote to memory of 2652	4468	cmd.exe	78
PID 4468 wrote to memory of 2652	4468	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Admin\AppData\Local\Temp\1160.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1160.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1160.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\175B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1160.tmp\b2e.exe

Filesize
685KB

MD5
ce0008b3571e9d59e1f09f8eafbe6cf4

SHA1
f7307636a00179c1f4378e24ad477b2ca6d1964f

SHA256
baeb2135c28b5fac84d7546f2cfeb8e4e72f5673490062db949d8dbe0bf4073c

SHA512
cdd0fb105857c441e18b16dbc5ddca176e726d64b0a64e09737c6d89d3555e0ba8d2b6cae860f02484f521a16386bfa7e24485ca22eb7a61421ef26a8e9ef98c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1160.tmp\b2e.exe

Filesize
64KB

MD5
3e63d8d147aec3c4d5e3e08d79395350

SHA1
633cc399218c2915b895a83bda89bce9f37e39dc

SHA256
39cc053a2dc8074a4530b02f00bd8bb723e52196224d978d9aad3b0f75740320

SHA512
545308057e5ea490e55f5bdd7fbec20fd954f847cae6f60460a4b135bf76c4c8502d922768d8e3a96d29d4c3a513b91ebc40bcaf5395de2c50d4368fd46fc536

Download Submit
C:\Users\Admin\AppData\Local\Temp\175B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
696KB

MD5
1807323d54f0b3d5b1468ff081939c81

SHA1
5832df08529c7c3ca33c6e8b5a0df67c5cd1b243

SHA256
31c825ba82907396907d10ebf2a54c33b55b49d6a37010fcd83bb1339ef388e5

SHA512
ac10949e339433c4b88ff0d0c6f4f9752cb159cfe0a4730dd6de7e2f2051ee918dc9bea254b8df1c0d9e88aded9d96c0648e7b4f5e41dc9dd2025444b47594c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
831KB

MD5
61cd94d73b773340547c2c8a794ee29b

SHA1
8205ac7bfcf991cea966ab803d553c34750727af

SHA256
53c43f2f88cffe3c863cdcc489c439c7eec85dca7dd29d1b9be6603c9a439b55

SHA512
1e4d93566e5d5392a1e16c408e5ffe0d88c3a2bc4c47470cdba808adab3ee67521d6916e3cd7bcfb828358545fafc6e81982a0a43210e81201761f3c9295c189

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
85KB

MD5
43938c077f0b4e316c0663d316d0aa17

SHA1
1618afc4c955db68bf48403a1df551681e65ccbb

SHA256
aa92ba36e5496109f1386dfd43b0f0efc9722164f42ebd3d62240a95dbc14595

SHA512
b48cbdd45aeaf5aa41ef6cff134ddea88b75ca1162c9ce23a51df34782aa7508cfadc1d38021847163485ed0005695894fbbdaeb38c8bbd03a5f1ad04aef567a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
410KB

MD5
df15a4c35a8a0cda66d15e510985699e

SHA1
21ed7ef7d978babbd1e6a592971284531cbfa75d

SHA256
5901cd65b25e4a0392ee0d290ae8faa1c84567aca077221ce3747d3aaac80e64

SHA512
854ced60c8530104fa250d29f40c9f554f82912ae6ce21a4609ad53abd73688081a37f51dc5032710b174cc2d14b548686814194f86ec0155ebadfa77c7925ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
489KB

MD5
74c0b6445111547b6df081c64f99aa18

SHA1
90de4decf9a546fba085c851b80c111a30714537

SHA256
4894bc9f2fefea600b63568291de3b60ade09335681f1e0523fe669cf0e469e9

SHA512
6e02676579ef0eca4913d341cb3bb8cb54991cd11ab8238953829df0c0e52c953804601d1726a492e792befb308b6a9ef9c596f2f695e18e8092e23414b4120c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
543KB

MD5
a0e2f7176a02f0117d11777e91344d02

SHA1
4b153bc3968430fe2b94a88ed86954beec8658cb

SHA256
11acdcb1ca2093fa30808997b6d8c701f9223f833963ecb7f8d55521f08bcc5d

SHA512
20205aa583a678859230ced687e4ed6ccfcbc160f468bbb31965a3b6c2874b82d6e9199e36caa44061cbeb9d6b27886b45378e1e75e8af13771131ea7468508c

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
688KB

MD5
b036495f7ac7db4aee7aa83decaf00f5

SHA1
91fca08e0bafc2e1b0c9de4ba2e2c7e4eb60c6b6

SHA256
3f2b410f1a1aeb0a501bf9a442636530bbfbb3ffd03a417477ea6187e36a0599

SHA512
991ad06b38f8d1bf32d5cdd838a4bdd06a92bc7aa8d302f1f25fcf7421ca29d68b93d44861781cd263d5f8183fd4a9b3a328cbe5a9b6649ae8b3a7782696f8c4

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
675KB

MD5
abb720cfc8f00ff385c04ea5c9fb6f13

SHA1
fa67780b219f22f1f4078dba4bcc720cad896ae0

SHA256
9022190d280c9fdf48282c4ab67132a33d5b8c57e6a487361000523cc28c93a1

SHA512
3549fb19bb32d4cb8d4bc3f7f93f8329645a2f0c793f8bed73c73615135551c929da06fb1fd8f9583728afd3e8bd13583266c7c0aa13d30642b6cf8a37bd9a00

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
439KB

MD5
4870c6b6bb2d838d24e991acd1ce0123

SHA1
e151952f6ed996cce4cb0610902ca83355d7e920

SHA256
ca6fb133e701d506adab83eb58c4173c867c27237f26ad2687d3536fb2181081

SHA512
e822dd07542eb00eb086c81ef604c79bacc3a879f47c51c80f57e9f7f5cb2b47efb4d99655e003927d34132acd42f81e62e8a2448e010423ca03694d3fa823e3

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
722KB

MD5
09c9474bd4e0c1382a95995ea59a4e60

SHA1
7276bc3335f1343a7b8d11bef72b3d119dfb838d

SHA256
e68e0bdb328dbb6f5a624a2e1848e60d4e1fc3f8a5ea58a1aaed6bc81789cd0c

SHA512
ac8dc155613164efdf7b04aa561ed07630cda8f35ea9d25b941ae159d7a1f8cd97c666bdb79e0bfb8587a44d9fcd77b6487c037bbe2e78733b3abb01cc412207

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
592KB

MD5
f9fa8f625f59521ae8840609657f0998

SHA1
6815ef536ac45ad206ba2b860106778509edfae7

SHA256
943cc344673da4de9eabd75cda6c082dd55680b182a847ea904f753e1f243249

SHA512
326c1a03215b7d585bbb63fd92a9a9d978b1a23e54b9d7d643e8c80198671a39b19aac92f1ba30b71f965849f7cb18270e843fa34306993c7c523c4176a51ac7

Download Submit
memory/2652-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2652-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2652-43-0x0000000068830000-0x00000000688C8000-memory.dmp

Filesize
608KB

Download
memory/2652-44-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/2652-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3128-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3640-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3640-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download