73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
301s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13-02-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
780	b2e.exe
2876	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2876	cpuminer-sse2.exe
2876	cpuminer-sse2.exe
2876	cpuminer-sse2.exe
2876	cpuminer-sse2.exe
2876	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2676-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 780	2676	batexe.exe	74
PID 2676 wrote to memory of 780	2676	batexe.exe	74
PID 2676 wrote to memory of 780	2676	batexe.exe	74
PID 780 wrote to memory of 2288	780	b2e.exe	76
PID 780 wrote to memory of 2288	780	b2e.exe	76
PID 780 wrote to memory of 2288	780	b2e.exe	76
PID 2288 wrote to memory of 2876	2288	cmd.exe	78
PID 2288 wrote to memory of 2876	2288	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\9C40.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9C40.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9C40.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9E05.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9C40.tmp\b2e.exe

Filesize
4.2MB

MD5
cc0e4de61fb3f1792e4e048e15b726e8

SHA1
2089add3e1c2b069951e1a0f9be61a0fa60ca498

SHA256
9da1957e09ca08b1b9cf84fa697e0fb58cf91571df8d406b132b6a97e2b2092d

SHA512
e96dc8b22e79943b4109e0a2f647d5053fbe6e6eddf3fe499f0c9079abfa17996bc64b915ca88cac21ead217c904d6a5ecb0ab28a9e4c38685c81861a1ea3ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C40.tmp\b2e.exe

Filesize
4.0MB

MD5
f379f595a07ccadc002f7e0c067bc05e

SHA1
1feca6b633332eb030373145eb8d2261b89f87ec

SHA256
fb8386cc30e7cf16994a14eefb00d9c22e3ae0a2036154985dfb935df398c543

SHA512
5a26f058294f19992023ec5ff14366695fb3d822d6d3cf2124dbbd740cd4f0a2c3ada9204105cb4a6f8aac0d2f50f09cf211bb1e78105f788a11020b0f7a4d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E05.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.2MB

MD5
c31ed0a3e41473b8054f432400ad1d6f

SHA1
e9af2660a813e60a5815ca471368af5eb60444f4

SHA256
ef20a87d3800eb7737291f64aef92629cc2c1d68a13b39b04e48989c99faea87

SHA512
712a94f2899300587477cc7754a546dfa17f89070eea3823d46c30e1a4e748a0ab59ec959e61eff2eeea9eb77f2d0043fe18d9eeddfa3b6f810a559db262e9c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
917KB

MD5
1071c6287971131a970916f44dbe3b67

SHA1
a83a7562aacfc555c80ba87775c5a18433582ab8

SHA256
0ee093571354b99cc4362cd12ceb4310ba4dc34b3950ad35aea330f4dba4e19e

SHA512
95e430db25f3a167dba032a58c2b560552779c1f810dd54362f710e1165cd3fbc90bd23420d9bf11a7a8e03937598d859017bd68aac6a681915ea9c4f27a8aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
267KB

MD5
bb2ba7db92b8d10176a6bf1b79a181c9

SHA1
f22dc0960a5bc454b7981223382c5ab96c9a0465

SHA256
ae7d8469251d4f923efdae24d7069708da534c60ef0ec8d0adae943152aa6aea

SHA512
af5e13319ae4f3f8a81669ec20361385ee022b6082b8352e1a755d62eecb5a620712a785de8137d89656e0c14db560f761a3926056f86c9a64d3d3e433e4f948

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
892KB

MD5
a73120757fd4f2d0a44741147764ee45

SHA1
faa9984bde377ff3cb0bffea51754a9686239bbd

SHA256
3a307876da6d5904f523d3610ec1212a5d91ee9d5968e75ffe8c76d7dfbf2cb0

SHA512
3d813dbe879d034fffc1ade23b765051221b46bf318eec805b0990375eb5e68d0e1d48864a227664c98114a149f8df24fa2743aa511a5691cc8e3e7f48d6ecb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
803KB

MD5
628b66d3086b1554058f79a96552e400

SHA1
288e82a06a1f3834c91918d926f26ffd8a3fd101

SHA256
eee15d7322a4f1c3f2094cc9c7e4b92049115ce64db3b9189f55c89e528b82a9

SHA512
c12702ffbbbfdbf83c450ef3bd603895cc5fd9d9e982e7591ddb688528a21e59f8bf82e9f2b42f4b82c8601fb14fd663f91068f853c8f5cd1c6f072fa7ea12fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
864KB

MD5
607090c0c64376860aed539aba619149

SHA1
a686d5985d1ae0d6553f23a65e5a2b23657c36cc

SHA256
654dee26f4200f0d0e68b0e54eca21242e6a71a6d661902c14ec5d6bfd7d8e47

SHA512
082e6630d2a19aac4dc8fd2c4859270326168541f6511248fc3295f496db67f030668f5dcfbbf0d7142fcb0f03bcf4d30346ace3c6ebbdbd20de7816beb5523b

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
721KB

MD5
b40c525559cc27175019580bd5d4b120

SHA1
ff61cd259fd300e3ec3c5670669e9dd9e1f8a921

SHA256
a1e61066edc7032f51731348bea969de55289c18b7bd3c7e6012e703ebe362b2

SHA512
a596012feceadb728aa73a3af9750aaedb3e164d7dda1648df5ae13ab630b21b274f299c2fe48104b7ed2e86351ab0336757bf43a36e2a6974cade4162ca6966

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
597KB

MD5
bd9873d76314f85a04b7b7c20066929f

SHA1
75d74843754c8778f31a96f3c8b04269b0410f59

SHA256
3b1c5b080216fb7dd2579f62198f5e4c7a95cbd2376e42c1622843a771e24633

SHA512
2e60665b635b9b56ef3ea296abf073638cb19bcde205d840ae608f96cd454d091211a2ab2387872f61b4582b80295d977e3a732580ed5e798e0eedd9bc73afbf

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
601KB

MD5
d345cb20dc7585915b5f59b49317e2da

SHA1
268d1e3329ddbd6e7acb13de9722c08206237115

SHA256
090841d7bc01cd7041fb395b28cd2ff38216c413bc5d9fbb4fd5372a88c5d806

SHA512
3651f47a965f9bd3ba8d85b6ad251bf5ad35a17d693c6c1bdc6f6769fcc99921f356008f70adec5a1f90895ff431bac36cc0d4fe65a9fa6ca95e9d53c6b67f01

Download Submit
memory/780-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/780-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2676-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2876-43-0x000000005DF00000-0x000000005DF98000-memory.dmp

Filesize
608KB

Download
memory/2876-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2876-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2876-44-0x0000000000D40000-0x00000000025F5000-memory.dmp

Filesize
24.7MB

Download
memory/2876-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2876-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2876-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2876-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2876-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2876-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2876-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2876-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2876-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2876-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download