73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
301s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13/02/2024, 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3228	b2e.exe
4684	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4684	cpuminer-sse2.exe
4684	cpuminer-sse2.exe
4684	cpuminer-sse2.exe
4684	cpuminer-sse2.exe
4684	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4528-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 3228	4528	batexe.exe	74
PID 4528 wrote to memory of 3228	4528	batexe.exe	74
PID 4528 wrote to memory of 3228	4528	batexe.exe	74
PID 3228 wrote to memory of 372	3228	b2e.exe	75
PID 3228 wrote to memory of 372	3228	b2e.exe	75
PID 3228 wrote to memory of 372	3228	b2e.exe	75
PID 372 wrote to memory of 4684	372	cmd.exe	78
PID 372 wrote to memory of 4684	372	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Local\Temp\1325.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1325.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1325.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1930.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1325.tmp\b2e.exe

Filesize
708KB

MD5
dddb1ab70a2db360a4e1f5b2adfdf277

SHA1
5617ad09aa1d08e527c571a1146ec376c034225e

SHA256
69a7e791730759e234dcdc4538cf5ccffcf68cdffe61792654f4f53bc9302c15

SHA512
b1695670ca735630fd38113a4349af6ec081958cf45fb8bb6f06d7ac9597bc3d57cc24b5c857f10f24acd1c581e36c3fcb3a4028848bd7d5ca842b0137f15fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1325.tmp\b2e.exe

Filesize
6.1MB

MD5
23098a0ca869d16ba5af0f7e83f4b68e

SHA1
fdf1abe82a1120dabc8b37b9c4d4ab21b2550a2c

SHA256
de117264591cf9603759a4434958cd48490cad31a8391bb5ed9a14f1eeda0151

SHA512
fd6e101fbc708dcbbc5a41763195f24e3cdd2747709d13f43f18f9b566577f22256a15f61bf85d2a5244a8650ec147a890b8609057b340180848a2c0de234a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\1930.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
566KB

MD5
ae94b7559614ba37d5934ae96cf14ccf

SHA1
53f1849b393d19a56d33f1b013fd02deec0228ae

SHA256
9f574cc961dda88ec7d50cd34c054c665341bc3135af22c2919052be8c02352f

SHA512
3a1a66ebece9cc60b39f10402c0004363832e7b087015b639ec0d102fd0f0c784f23f97e8c19a107097d26e4ac21af899f0816a8e4fa943d459d7e5a711d4850

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
555KB

MD5
cb545033b290dcb0c456d7c28aa2843c

SHA1
a0516bc042b41e68624d7c27558bfe99b0723770

SHA256
300a0b19fd409600a2ccd162066a9d42e4edd840026da879b78696cf574d7cf7

SHA512
a284d85f61d375c71ee2c03001eb3d8278862de661e433342fe49a261d1776a477b20fbc35d25e0cb230c5c2f4cb391dde1cafd711d412b5b220d7f04e78e806

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
64KB

MD5
e7317a0a343dc63f3fa3bf9ca6e93ff0

SHA1
0d48881feb76cf81fc46614bebfa3c134cada128

SHA256
277a43f17ccc4f0fba87c710212de61a41383bcb94410fa093b50ebd50347a63

SHA512
84ef51472db00cd4e90df3062a3cbc29a994c5cf470e54300d4a2f103ba8fb8279ec87b0561625ea1bccd80a7ad664c63457831b4eb919a7608099430b98a3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
420KB

MD5
c458e9cfe51590d4b0133227c1ff1738

SHA1
4c7abfa606297af237274639d189e9666e58a002

SHA256
9c9989048a22a92a27bac5ab9e776c0bd4212ed5b3e06de5d17388e525935ce3

SHA512
9b10eb92ea976bbf49a229586b99922c6e701e902bd42fe4d0a4a4b0b615d7b89e5cdfef625534e90a08a9f2dc33a268f8f5b5019c7e9eee34c16bb00d2edf23

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
519KB

MD5
9c3a2610123fa5701546e3f797b32dd6

SHA1
6e107774d86262441db4dd79dfef78cee10854ac

SHA256
dfbc6bd1c1a1ed3e2b2146df2d0c2b43a9567acc3b40b9a23d832263347e690f

SHA512
e1df6af14383e3d7de4edd2393b858d71e4e95eb9e610220857f62f081d4df364ee6c0dee8e2008437e2d314d74a838b3976e890aeb925110d21afaf8a1d855b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
447KB

MD5
efc49b832fc09c88af7e4d3606789c40

SHA1
2f865a5ede3439d197c70c4bfb7499b7c7a2abc2

SHA256
b23aaad7099e2259f89d5c3ffc1ae2da5e818631a6f6251e842a9572b4c35cab

SHA512
d95745d072d00f21358b5bc9fb816b9ff20ee8646ba730294634dcd5e42da71e27ef99b2730797c3e5f88f730453b86f8214ba5ad86d7336aa39eec81232b4fd

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
607KB

MD5
99d2902f0840a24fcb921152fb965b69

SHA1
a30f3f596fd58147bab42264a8b8827e49b248ba

SHA256
517166c6c83cf12800b28b8dd15f0e58b7283e1b578730e2aaeeb1bbb525d321

SHA512
416d223d04547c35a53d3ec434cb94bfa92cc90089ef3be632c9317407a9118820583396dfafa8d6d7a1934aa8c09df7683d055ee7701521ee856b89605db8a8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
796KB

MD5
f0edd789ed245244595ce8c359bb46e4

SHA1
a1e2bb7e5bf9f95699b12c9704e633b31077cdf7

SHA256
e32ce6ce386eddd46e262348b3153b3a12604e8c98b7da83f41798626583d332

SHA512
c9f98683d0f3e61301fdf067402208a42c9620679b303703c1590809f180fd43137adea41521f8c6e81a6ab5aec482cb0453b2020e549747d476b90afaf02256

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
375KB

MD5
832ff8defb74d7e64482300a691bfb53

SHA1
58b05f60dd8bdeea339fc735ba411b17eba99861

SHA256
266316f5212ce4e56be4b69459c2ea9f6a12d5dd363215e7cc4a748cca5530f9

SHA512
a6ba9325a7bd0e0dc6844af990722b4812a35eee554b769a6d195b23f7bc563ab77e0fe836b3b69cfa39665a521123236db9d7ffa9840db8bb79e31f729a25f1

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
318KB

MD5
1675788d12d7ef750ddb73509a5eb9fe

SHA1
c5e04a6d533dcbc87bfe48c0a84bf511471a8d77

SHA256
daef8d262ad5cb3e4aef601ca6af0863a425abc3987f5f4da29efc63872abf63

SHA512
61fc33170bba9d9267e745cdac1da6821587a8d1dee3485f36be40ba04166226a10ee7cfc02dae4aeea1266c4c324c924b4d1207aefba68d8f1b42e18c2a4790

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
535KB

MD5
5b5dcff25605a4134cb04d3800094129

SHA1
6151523eaa033777c2ee0f36ef31eff29c1f5722

SHA256
dc57594c67355f6a6dbcb7f74f29d3f86d3ae72fa0aad1777790011285fb43df

SHA512
00ca9b00388104d5427e7faf329b843196f1ba3b119b31f41b1034ecec0a6230829f94a7c8159586ad8cf7e704c23f5c3a242b46b738ae8607dcaecd61b31dcf

Download Submit
memory/3228-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3228-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4528-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4684-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-43-0x00000000580D0000-0x0000000058168000-memory.dmp

Filesize
608KB

Download
memory/4684-44-0x0000000001120000-0x00000000029D5000-memory.dmp

Filesize
24.7MB

Download
memory/4684-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4684-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4684-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download