73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
302s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
14/02/2024, 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3264	b2e.exe
4356	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4356	cpuminer-sse2.exe
4356	cpuminer-sse2.exe
4356	cpuminer-sse2.exe
4356	cpuminer-sse2.exe
4356	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2356-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 3264	2356	batexe.exe	74
PID 2356 wrote to memory of 3264	2356	batexe.exe	74
PID 2356 wrote to memory of 3264	2356	batexe.exe	74
PID 3264 wrote to memory of 4776	3264	b2e.exe	75
PID 3264 wrote to memory of 4776	3264	b2e.exe	75
PID 3264 wrote to memory of 4776	3264	b2e.exe	75
PID 4776 wrote to memory of 4356	4776	cmd.exe	78
PID 4776 wrote to memory of 4356	4776	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\A4DB.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A4DB.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A4DB.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A7C9.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A4DB.tmp\b2e.exe

Filesize
2.5MB

MD5
0aa10e849972aaec6021f5c8a7e7f39b

SHA1
5555e8d5edcd613c315f52d621f7c19b80a9d67c

SHA256
9f6f454419d6ed1be5fe0c35b322117f65393f4fb1284ba72c7b5bc6785fb5fa

SHA512
671797626d5f07e6e270f0f020e804a40606e4cc008a9230042fca8ed792363e6fc3966ca8f582f487d13795d21a49431ad33230ede7390553b9e9eb7659dfc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4DB.tmp\b2e.exe

Filesize
2.3MB

MD5
0bf5456ebdd3e01255f18c344a6f40c4

SHA1
35901af0b4b6cd3a503d1a1f1505035f7e84ce76

SHA256
24ef6d7be9f7fb47b305a442644e024cbf6e27b0d3afe096949a27744fb9b161

SHA512
36d84bc941f27418394c9e5dda14d2674f2da0121e2d5154a3a6a2eebc8b96a3af9cbbda2cd9d40a77122999f9c637fddea20d6f047794927a4075b4137054d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7C9.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
213KB

MD5
d5d2efefcf927ffe6546490e2e29f6bb

SHA1
5d6d3dd117e9f90c28cef96533682a879355eeb6

SHA256
648d25a68678dd5fdd57349b468044d2b448bbd268528ee3ada420c593ab98eb

SHA512
f13d2a9ece5c3243c24eb8c0fa1f6d4cc00e82b1d656c2d7aad08899fcde7f9ffcb2ceaaed3e8a6e7e658adf395caf856eabcb95caae884ed2c2744ee6ec6b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
247KB

MD5
183cc7909722a6d8680fcb49e4d1765d

SHA1
684b0c6ba3a441c17bb7a218f389a78ef44e0db1

SHA256
ee2895fdcdb60516fd73f4a48ed787b05dee97bc87fa5bf5a25512e6bc677164

SHA512
defcbbc78b40c96742636cb524e4f563fd766cd1138f328287364470ed1cc75b8a76417ba44fcb81fa85be03da6bfd07b4f67fa9c97221b731052cd95814b020

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
185KB

MD5
c264cc59cfdd7cd7b1dcd9e40951e2ac

SHA1
01e12e0a0edd68c3db93f5cda2c3e617858176e8

SHA256
2af135023cbbf8506e490c7ee89d81a1b6cb2b7c85efcd3629b3b05e9b396284

SHA512
e6c3d5b656b1df25cc82397e8836554e10f180fb5683fb1b876f322a7969ad5ebcd9c77ab2e863f59cf8467f90bc21b50e07d860818e445d423c2729e630025d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
195KB

MD5
5cdd8ef475aa6ceb671345910eaf531c

SHA1
8cc6688c21c2c76d890e13c419c8461966018a74

SHA256
b5f3642886b007b5ceddf619962cff2b79a031c92dbe848c2be08a0eea7c6446

SHA512
dcf409a1a5d344a06d8e02676af14a8ca1367981cb3acf8c846f4fe5e1a25bcf916d52236158e925f70c0545336df24b7cb6c3283bd9495625bd7330b89ed2b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
270KB

MD5
b601c3b350488b71ae2a0ddbe4e61ecb

SHA1
e0e3132487d59299f1f273e7c1be3ed982b4678c

SHA256
d9b5a5f29f68d8906513fa9cefa3c6a5eb10b1ce4eff96d3a588e0c18552982e

SHA512
f6da3553b694850c0319a458e9aeb0e7775ca382e7045b89ec7b76386f6e00656ad6e840fe1fcb029737718657c63d3f692c84a002bf335ae4e54e9ac5cfce23

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
182KB

MD5
717661f4b82e243cdf69c07d1a3133c3

SHA1
1c87b5353cebaa53439293502c1e82960436ea76

SHA256
1b21a6fe4220f699acb379ec771817055222ac140115e0b424723cd4625448dc

SHA512
56e969e88642995d0f695e36d1a126fd3780d358e12ceadcf8d2059950697bcd4eb0017c1f2caaa639c9a0338313bd3174caa3b249b7c8b07ae879f22baa37d0

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
222KB

MD5
f600455a9e8ae7dff576f5948e318fbf

SHA1
ca789509631ec1c81a1f5de07ce2b6a8f0f3c232

SHA256
5110824b704a734b9f69713d8a78e52781690ff2bcf5cac9e024c45f660503e8

SHA512
5be0587a31f44b618a1e6be75d2a3214c0606a8c3d3dd64cb52161ac0a1b28c71c58757d8902e8902666e7cab88e03bb1e0705ec1d2909b1c209ea1840906a05

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
208KB

MD5
a035526905a8b1ec7a182d82caef6ef3

SHA1
ff5ceb7337b7c0881430efbda5c7d56cbb839072

SHA256
41f0af30438f8efb03498a2ba313ec07a6dcf1f4dc1686fac788cdce5872867d

SHA512
3249cf1ec4e314ff8a9953367ba9ba72c062c4d4be5d97312ee20406ca131dd7094520e5e42af2ad4b151fe7be2fa35b42020757a18d17dafe6c28114cc0ea7d

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
288KB

MD5
e085d607b690848f3c380a8d1c4c87e5

SHA1
9a60bfd2158b10ca5c1dbd92151109bf78ceb52d

SHA256
5b40eb7427ec65611439dc8df76aafecea979b93974e774217279e3e1bff045c

SHA512
6246f4da9a7b7c677d73e2be6fbb78dfc0b8a3e2a8c99840dd48911ea192812fc1da7eb3c16d52505299dabf508203823f6d344037d59d15c90b010d2e414d0f

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
162KB

MD5
4f3e6006fcb3eccd041266b5cb49133d

SHA1
66b23d4a5ed387546f378cd561d8eec52e38e0b6

SHA256
53a494e8aa56731334129746005cdd108de5cd4b479be2073c767b0876301f0b

SHA512
844a75db39382cf528ed86fda47491d6b63eb01fd6395c097d18d4e3d69ba3ab9ee0da4862ce3a674eb146120838480e9542a315cae80236e6b4f97fc2b41ec4

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
210KB

MD5
0b85ac176b3780fd80d4256334bb48d0

SHA1
de6c7aeff388c3ae9591f1857f036e084da398e2

SHA256
b63614da32c6f9cb70c160738cf36b6c500e9e6d9dfab10621c515c18d2ed8c3

SHA512
e2476ce48afcdfba8e7d5bfd25c25567fbbe18a38496e4dea70618bda8a412bf3eb7f669b13ccac003874c1fc536a82c165970d521fb41c97bf01dc4c81e4e57

Download Submit
memory/2356-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3264-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3264-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4356-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4356-42-0x00000000667F0000-0x0000000066888000-memory.dmp

Filesize
608KB

Download
memory/4356-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4356-44-0x0000000001020000-0x00000000028D5000-memory.dmp

Filesize
24.7MB

Download
memory/4356-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4356-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4356-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4356-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4356-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4356-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4356-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4356-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4356-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4356-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4356-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download