73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
293s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13/02/2024, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4796	b2e.exe
5016	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5016	cpuminer-sse2.exe
5016	cpuminer-sse2.exe
5016	cpuminer-sse2.exe
5016	cpuminer-sse2.exe
5016	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2112-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 4796	2112	batexe.exe	74
PID 2112 wrote to memory of 4796	2112	batexe.exe	74
PID 2112 wrote to memory of 4796	2112	batexe.exe	74
PID 4796 wrote to memory of 3768	4796	b2e.exe	75
PID 4796 wrote to memory of 3768	4796	b2e.exe	75
PID 4796 wrote to memory of 3768	4796	b2e.exe	75
PID 3768 wrote to memory of 5016	3768	cmd.exe	78
PID 3768 wrote to memory of 5016	3768	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\9412.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9412.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9412.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\96B2.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3768
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9412.tmp\b2e.exe

Filesize
4.9MB

MD5
be87d8c6f2a9c419d36dd6ae9836aff5

SHA1
e9b639a0fc287564647bd688d4600295258f402e

SHA256
977e785cd3b742611b551d94e8a51e875091254bc5afe3b9abda1f28d83329d3

SHA512
be1087aa9581db3f1af10dabec117b717e35e29e9793e007b4f1adaa81d2df2a7349081505b5aaba37fd12c3ca92f13e348a1b9bad7cab365dbc1122c5b9096d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9412.tmp\b2e.exe

Filesize
2.9MB

MD5
9317cafb85becd9011ca213e7be3a2bc

SHA1
1c84c389734da0532809700191b96dc61527e382

SHA256
644eb7fd5f540a11f942d00b2233e715a40b8548294924fc054db1e08b293090

SHA512
65120a9f1410f4b9350788c5898557be3d3b195f03b3425895748764fc052048f38998bb455cef4f25f748c696821a9a4622c8f09f6ae4603dcd6882be451684

Download Submit
C:\Users\Admin\AppData\Local\Temp\96B2.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
832KB

MD5
43dd8ab1a0fd7f177db516faa81a9635

SHA1
66a8b6940797f3396a4f1a6deafca1fda5bffcdd

SHA256
d4b58fa7e09511b58f312b57e2067823a7f31ff5cd6369cbf5ef3667c27b60ea

SHA512
064753e38fb6e2d64a8ce067a52c24b55eb11cf714a534f3557a0e2bd2f5fba16030d8496c7787f4b272ae6a696f4b017d99771488832d12711a7158c927f772

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
92KB

MD5
2208e21083a086a2713adcf7fc93dca1

SHA1
b2bdc35d1c35a51aeaa7c283907747c55176fefa

SHA256
bf0848324025b28d8126e68bc887b98f2bd5dbeb0757d9be1c1b0ecbe1dfd9a5

SHA512
6c3ba4bb86574f0424986fec5cf3b5ba17914906e490b4ab4ce183bac555c8b0fa4d77a46e8d9804cab2a6970b1f0fc7b98dbbcd0caa7d1d5f598f4133f82347

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
810KB

MD5
6eedd1466589790e5aa6b05cff1acdcf

SHA1
c9014f3aa8d89910ac3b4406a683dfd763e66038

SHA256
2f6d44b96fa09f044c039264f200a34869d618813d64f533aa81c9ecdd212ca4

SHA512
a52721568550118cecb9e82669c35ec6e041dc721e9071d5c4c8ad8b369b29fa3e3aa59e1e75324fcad0c2dc8a885faf2cb3a26828de7d6804e4dd86391d56d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
852KB

MD5
9f0ff80a8d0702278b782bd4a9766a9b

SHA1
0d8e775ddb3ba0f42759bcc1f24f7e14f30941ce

SHA256
b6a0d6e2e35b689227960c796f47c382cf361c52c382aab9df38731387ab44c0

SHA512
dcc58330427a101a46112822966a92cc312356bfb6afff93adf6f7ce546fb8e8e1ba7f2152fe744b538f72ca3feb6ff88c70838f4f5f1552018f95df0d08f44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
809KB

MD5
a49340ef9a4b94fb26e183553861838a

SHA1
5140aa17255e16cc5966f54890992b020941b69a

SHA256
adc7e3f0069acd54e5a090ad10604228b5fff99a9024e04cda0df5d7d681b975

SHA512
e98a4ca203848809a458e10a65797b3b3c8b224f09c42d87a5d2e11e2fb201d49c2007215170cea4544566e6d6e809168eec02b1b45e63529e5d2d3100c8999d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
576KB

MD5
bfba8ef054be5bee0da072ed080beac4

SHA1
090e6e60a6f0f1e351978e91b99e8dce8e63413f

SHA256
81f3865864af4f5ae909e3cb60ec0e0fd028e37909315b0e3de8663a34391be4

SHA512
85a8d0b74341c10b3563209566415727a1d1503433908c26c3e861592c397a66afe3cc25bcb31119ec64e15fa078db361bc308474de1ec3f1a8c367d37c622b6

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
640KB

MD5
1bff0defeeb9f4bc5cf01e916a8d1379

SHA1
bdb668928be0a339e01e3aeeac813fd26b44b950

SHA256
d7f49e1dd346940049b753b856759608013f611624432c7ea57b0872239d35c0

SHA512
edb3e22bb4d6f3376d73ccd538a61292c5a086fc8ef9b8038b663c93d9ec991bdca297e3c6febb9d18fd16f5304e4fa532d603c68739598f4b65af320ffb3878

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
640KB

MD5
1b7339cbcb5b756c15c05fe0cc6443f3

SHA1
abdba01c4526a9bbbb7fd3853e09bce3cbb5287d

SHA256
5fcf0fb116f77206758e3a669ec4fa52648fae431a5c2aa2d7ee69944142e019

SHA512
7661b5e8413e74432a00089b1556b2f49e268b6b5c8cefd839cbe19074bffd138c18e8078627420f4082f579a9e3f8d02b199507ae36380b5375162a4d4ba439

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
466KB

MD5
76ab6a3b626a167b721ab8fb168c9a6e

SHA1
f3baf0cf085df5a66a5f179156384575d08cf6d1

SHA256
7425de0a4e3bf771b3e3914936350f981c418179267f6aec3b223b9c156c10c9

SHA512
242c24234563de6e40a4e3852ef6d605c1f3a24b5798ecf8a55729f4b74f06979e797e86f55856c3e6747f973872343cc43835cd0be96c881cd62a60eda33d07

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
576KB

MD5
2caab2ad7ccd18421c96ea2ef5b9e602

SHA1
a629673c12e88ef88f30cbe8da12d3afb9a7d42c

SHA256
c16fbf658c970a716b976abe7c5d9f1b1a42dacd55a43b16fec0ecc6b84f0552

SHA512
aa9692584947d7fdbe843e877430ade40c5b4c6e15887005a292065d6f8e1303abc8dfc2bf50c01fb032bdfeca5bb2aa9312ba44d7ba4e2d3529d07bfd008969

Download Submit
memory/2112-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4796-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4796-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5016-43-0x000000005EAE0000-0x000000005EB78000-memory.dmp

Filesize
608KB

Download
memory/5016-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5016-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5016-44-0x0000000001020000-0x00000000028D5000-memory.dmp

Filesize
24.7MB

Download
memory/5016-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download