73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
307s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13/02/2024, 10:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
316	b2e.exe
4960	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4960	cpuminer-sse2.exe
4960	cpuminer-sse2.exe
4960	cpuminer-sse2.exe
4960	cpuminer-sse2.exe
4960	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2732-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 316	2732	batexe.exe	74
PID 2732 wrote to memory of 316	2732	batexe.exe	74
PID 2732 wrote to memory of 316	2732	batexe.exe	74
PID 316 wrote to memory of 3504	316	b2e.exe	75
PID 316 wrote to memory of 3504	316	b2e.exe	75
PID 316 wrote to memory of 3504	316	b2e.exe	75
PID 3504 wrote to memory of 4960	3504	cmd.exe	78
PID 3504 wrote to memory of 4960	3504	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\1170.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1170.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1170.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\179A.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1170.tmp\b2e.exe

Filesize
5.0MB

MD5
5381a1346bf72880386212653dd3b31b

SHA1
23e9e3b0130dceb93a9feddfad9907dbee33f902

SHA256
62d5b5e5dcaf2d07a803d6bb4c33872d667b8658ad9fb8bcedbbcaabf37ebf94

SHA512
bc83471a7c03c1f073efea0272c82bea1ac675acab63393e86547615cc0a9ff67952798ea5546f0a2d7629eed6b5a74a8b0def8343ffe8725b00d6af911ea359

Download Submit
C:\Users\Admin\AppData\Local\Temp\1170.tmp\b2e.exe

Filesize
5.7MB

MD5
29d053c87a0b32fe6d780137556a9856

SHA1
2355135dc3626c61907853bc4e5a23d8fe0804cf

SHA256
74585bbff6b52fa19c071ec35a20f0b7b0c0e3dc74204097e6f89f700ca3e8cc

SHA512
c15a72bdd07fe51c0122696678076c96467a04771fe738dde8b700ebc7ba7635c598fc9fa905d53f22e36a9c002647d128147c53d8aaba8f59ce704a82fec862

Download Submit
C:\Users\Admin\AppData\Local\Temp\179A.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
448KB

MD5
ca0b33f54480aa9c590d09f72e3feb31

SHA1
d50dc7dd964feb0d7516c3037e7dc7e008420ae5

SHA256
67833a9e63d8b7469a3a3415124a2426893a6174ce2bd88bea520c68319d182d

SHA512
266dcd9c5bfe2b117fda6bf7c4250a908233d8474bd0b09596a0bd0fa2e5bc75446a20b46cb7e516ef75b5661bbe16c714e8dcc5962a0f481cbaecdf6135affd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
460KB

MD5
968148c50ac30aad87c3561574330086

SHA1
33c900d18debdb9338cf37ddf9a0bdff32d4c127

SHA256
d2550e55b55021500fc2efab10eb30d90425a53c29be4390038359dad9920600

SHA512
d84376ffa61717eac2bdd048142ca4b130df6fba67ec70fce6a68698779131bcf1c68f54e4570ba6a9734a3a815caf76f541eb87815de24901b6c367778e12b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
317KB

MD5
e020a282e892c07a99e9d8aa8baa611c

SHA1
0b5153f8e141f213e39fef5f865ff6b300461790

SHA256
1d99a9ea974f567fcb6ecd8b0e7cc4c0a240b5d6a0d057a4389261ed8794562f

SHA512
20adf918c93ba82af5eb300c847ec0db9cceb94921e814b536e546508b2a4f2867f939d5057d442df51d5c70e12d6c795ffe52e243c2731fe79ecc8b1142c48c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
362KB

MD5
a008e2594e04048da93992d6d3543994

SHA1
ce880a6377b305b3dddc5874b2e039ae604968bb

SHA256
da7086fb583708d999171c1d0458ed3158da47e78c5d9ea757d4dcab2f8b7ba5

SHA512
865ad0b71600d46b81232b8d78fef5ec58cd800e9a26829acfeecd202d0745f7802d9754726e2853ba6d0195d7733d45925dd85f5e0683c36eedd26517c4bc0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
129KB

MD5
e3c196cf4e30b67f12e01f6b317abdb3

SHA1
c76c96686c4cb60f29591a07c19c3e08bb2e8832

SHA256
6a2f69aab73e48952dda92a91fca99f97a6fc76a0be693cc67652af60d1e61f6

SHA512
9d54f28ce9e2ee97349e599cfb41eb2b3dd06efd0952c775e0acb5c68681298ea9f701bdf6857044c8ce94be19573d5b0b0f0556320ca1570f9dca4e2a796519

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
158KB

MD5
8d40967d4674d4d51a6dfb3ff03122df

SHA1
779a03789a3a85406507896c390b904f54c781e4

SHA256
b4d20d08ab1891408611905691a4fc52f6c8c8500208e10a03e9e712947d0cb1

SHA512
edc572fa76cba74eba69a2c50a765e5d7070437e8820fcce88a51524f07a0a45670a433b977730b5249a4f4569ae38d6e42ce7c2358aae8436100f6778e2e4fc

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
111KB

MD5
e0e546629fd56db949018b7a23c1fd6b

SHA1
e91bdf5cec030edf80c4446a738123e2a84d235e

SHA256
340a9b5c7511bf07b4daacde3c3833731d878a8dbf07a33ee0746ff3bc4ab7cb

SHA512
76ae60bc2961662d7523fd71877cd7c9d0cddb4547a281f2864f39c380b69987e8987fea3cf2b0fa7f332938a5a0375dd329d2fd88fc4556ec125fe6f5fef8b4

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
117KB

MD5
1f8e4c53e263d90eebcc2ed702e053a7

SHA1
47bac6c8b5643d01f9093ca7afbd31b23089318d

SHA256
677a45fac210df4c40272a3044a30b64851891ad7337f385069132902529d843

SHA512
0799191bbf89e724e8bf42badc56d68067879449af54be4e5795e0814687147c5df6275c18309a59abe93c517a8150d48c6545393b1d66ac485b79c3d7618826

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
104KB

MD5
e54014e219840df5143902a23742de68

SHA1
381af5cd4a429cbe97f5b06a6ea5ad05a3406efe

SHA256
5834933d5d855e2c54b76026fff208c2f71d63fe3271be24cffd0ea1b055c5d6

SHA512
87e5305ed95e5cf4a1ac56f41c6ee94483a959c43e61e7a17f497998ed3bc65a8a596a0813a722624e8d06e58746a4172a3f6e0ac8227aef3cb5bd819a74a9d9

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
110KB

MD5
8fe1b4d432e5e067f9798405dbb8644c

SHA1
2f904839705abb065d51b3f4644a319a173d7901

SHA256
7bdd289821ca91d348a478c475d8e67f200e1f19571e5b3ef261a6b8d2b5c862

SHA512
4116cfe8645e46ab143889a00bb25b6d629e52d35c1f8983785412720c6497829a79ed123d138ec141fd7426c44c97d224033ed5029f12e41f3f2b03d7ed65d8

Download Submit
memory/316-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/316-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2732-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4960-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4960-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4960-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4960-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4960-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4960-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4960-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4960-42-0x0000000068830000-0x00000000688C8000-memory.dmp

Filesize
608KB

Download
memory/4960-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4960-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4960-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4960-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4960-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4960-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download