73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
302s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13/02/2024, 17:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3136	b2e.exe
4252	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4252	cpuminer-sse2.exe
4252	cpuminer-sse2.exe
4252	cpuminer-sse2.exe
4252	cpuminer-sse2.exe
4252	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4280-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 3136	4280	batexe.exe	73
PID 4280 wrote to memory of 3136	4280	batexe.exe	73
PID 4280 wrote to memory of 3136	4280	batexe.exe	73
PID 3136 wrote to memory of 1396	3136	b2e.exe	74
PID 3136 wrote to memory of 1396	3136	b2e.exe	74
PID 3136 wrote to memory of 1396	3136	b2e.exe	74
PID 1396 wrote to memory of 4252	1396	cmd.exe	77
PID 1396 wrote to memory of 4252	1396	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Users\Admin\AppData\Local\Temp\ABFF.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\ABFF.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\ABFF.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B083.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ABFF.tmp\b2e.exe

Filesize
106KB

MD5
277e552fd0b1b874993ae52a42c8aad4

SHA1
7b742783f1a9b49728fea8b136dd0c4cbe255c86

SHA256
bc8dc025f956c650279f0d225e7c5312326d8ec4e2ad26b0f719c97ab4502e67

SHA512
c62b8b0a2c08e2e4f7d4937596bcc65b825e479bd41edfd30c624b75d45187493fe321a338dcd3395d191b7a0c260fad7b625d6aa754d356c331a0512c6a7c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABFF.tmp\b2e.exe

Filesize
3.3MB

MD5
a4245ceb7700b7b14b520d42064a2598

SHA1
f6752bb08c25d3a48aa0507dcde3c15f56b4cac6

SHA256
027de22e0f5ad7eec26a85add89e344d040c5a563eade822d0123bb447306d03

SHA512
d7612c7f430e4088ee08a9b0df2a3685ac2ec0b2456c960b410f409f2644cf428b72322e3413db2e3136d1632549e01bcacd704a39ab1f52d331e3b34c6d5c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B083.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
587KB

MD5
5225264b803e34e8e0bb511563e43dc6

SHA1
7fcc462f7be00b140c67394d943fd40502728bc1

SHA256
a601fb971cec6961a47baca531b80d592a37137c746a2a192f45726914fdd218

SHA512
ccd26ebc502aade79f30a575cac44075ddce1f213a8ddc8a843c549fe8af5b3cab76efbed633fbb65bbd8f493ebc9b0d29581f6c5fb1354949886f6f2380c09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
312KB

MD5
d391ccfc8c2c2f17b65c56ee3d4b97aa

SHA1
ec54afde805e82e35ab2e9d856176942076ec7a3

SHA256
24b1e8749e9d34a9d9965b704cf96e28e90da0392d4b9a0cea369ced9754305a

SHA512
525de3b5c1618060e577e0774e06bd052372faf21c52ab5f9792ac1620f518391d5a6a26c0ee1feb8f5ea71c675264d5ca571345977cd6b73719004c4958ee67

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
503KB

MD5
e3900579c0ac2c73ab7638454e633c84

SHA1
821ce526a46d28e6a6c50e9978fe533d8e860ad4

SHA256
5058d13fe5b44330024373c2890b8fc6abecbe8e7dc068ba9e5b1f7f43a34ab4

SHA512
b618ffcc2269aa7cb37a13198c625e633ba0a03ada7b40dc09485e5fbd3f0c0022f517a895780a487a4feecdb5196b7a01ab2bcad3e647d3591c1ae75bbb1a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
453KB

MD5
af9edef49082afb4a440eb2d38d35e6d

SHA1
8237d131613cedc26ef708cddd79244df1ca8311

SHA256
9b3caf00cbfa00ea7826d35e636d8374007ccffb7031c23bd4f13e8774ed1364

SHA512
614dc320c99d802289e29efc5b6a5ac17aa42db08cf02c57eac801664b90918dc71db4be54bc67f2d24c8556d136e98f0d0b3dde9e75637547808b00c0444150

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
429KB

MD5
270a6bf18f68b71689781ae76c42eb24

SHA1
9656ae6332367150735f730772f17686089d07c4

SHA256
a6473d8291dd494421ae99ce734b03b2d90f4c3d47bce27e6f2c052f80d27aca

SHA512
9387c9025983d8901993cddc53b4f3e0863a48b7466390845de54ee4d114f8466d10611ac45f1cf65759ad645576d94987237de831d438469256ca6a9950eef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
437KB

MD5
d40c9e2fc0c51e5571c04019f9b40e2d

SHA1
c6120347db1e557c4611d0f6ae16a52b4dc3a544

SHA256
c02632cea5152c6f27318b22805861fe94f6aada3ebc9e2d042203820aa7ad9c

SHA512
cb61e565d1ec4340063279fe4b07ebb799d9567379c7d1525b55b9aba2081c9358254298a215b85176118c9580206497a8fb3026a9d7dc1d8b88b6aa359e7590

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
448KB

MD5
19a61444b6e2d01755ede80960bca19c

SHA1
e0c7222784d3e2b3329ec3280648b17fd60ef209

SHA256
13fd488b38f3b75438e9ad0a033df005cd397f3c92f43275714a0a7eb3fb4db8

SHA512
bc02c82bdac19f10f3e3a93d3f507bb7838c9255b7cff5af6e3a7f3b471dae9c45c52728c3c23857b3402dd1702cb51a20f225a4da992c26a997c26d86b6b1d9

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
633KB

MD5
dab6480313b2cb3b5f9c3ec02d78861c

SHA1
13a7baeeca47df8570ecfd1e07fbe9fcd7ec2913

SHA256
a5f7cfe1aaf41f53ebfdaef294a85da433dfafb98286e2046577f1d80207dfca

SHA512
b8a01cdc243ab917e28ac4b5a4a5fd10a1afa112765735a3765f73ba81fcfd006b1a5c83b760483fdba50161781b3cbad68baa729702b2a22a563571d10245a0

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
200KB

MD5
71f12bb72839fa580a6d1be938d7fe04

SHA1
b594cf9a613561c0642a565c44ae505b81b50ff6

SHA256
ab1c7a84befbeb093cd8abe4604a7083aa2c40bafac11b2cc60721183d6892ca

SHA512
1a690f7172d464acf4e38c42ad490ef10f8d5e5a8373d4ba7f2432b07c99fe0ad50f0cd39c99e76a3aeceec8e3fe15cc79e3e9bd02acee3a1e845ac699a02a8b

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
436KB

MD5
3c77603eed0fd568f94cb909bdefda71

SHA1
6f34da2a10baa938027b4fd6dad4b1af50ebaf67

SHA256
3d2f7fa48726a5776a97240587ff9ea4ed3f5df07c353dd7dff663f9b1d3aff0

SHA512
0e2258e954157a2f19d14159bc318967897f0bbcc66b6247141c8b761254fa5bdc1f697745182e0b8181ce046bf3ae9abf28794fe2741784007e807cb43d8af3

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
279KB

MD5
ea7a33a907c001f23ec623970931a36f

SHA1
b893840c065f0d5c33acaf3546f282f68262607c

SHA256
cdd56acfb9d219b1c4a4e2a0dc3b60cb8f07482e2779e6e97fa8c588ea9d4209

SHA512
6ec11b75cdae4476915d1731bbe8de3d9600fbee14c894dc14c9731d225a254b26cef8815b458983a89a5098638b4fa886b575cb7f081367aff844ece0b9cee9

Download Submit
memory/3136-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3136-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4252-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4252-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4252-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4252-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4252-44-0x0000000001110000-0x00000000029C5000-memory.dmp

Filesize
24.7MB

Download
memory/4252-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4252-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4252-43-0x0000000063360000-0x00000000633F8000-memory.dmp

Filesize
608KB

Download
memory/4252-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4252-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4252-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4252-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4252-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4252-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4252-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4280-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download