73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
305s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
14/02/2024, 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2388	b2e.exe
2372	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2372	cpuminer-sse2.exe
2372	cpuminer-sse2.exe
2372	cpuminer-sse2.exe
2372	cpuminer-sse2.exe
2372	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4996-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 2388	4996	batexe.exe	74
PID 4996 wrote to memory of 2388	4996	batexe.exe	74
PID 4996 wrote to memory of 2388	4996	batexe.exe	74
PID 2388 wrote to memory of 2088	2388	b2e.exe	75
PID 2388 wrote to memory of 2088	2388	b2e.exe	75
PID 2388 wrote to memory of 2088	2388	b2e.exe	75
PID 2088 wrote to memory of 2372	2088	cmd.exe	78
PID 2088 wrote to memory of 2372	2088	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Users\Admin\AppData\Local\Temp\B258.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\B258.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\B258.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B602.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B258.tmp\b2e.exe

Filesize
1.1MB

MD5
5ac3ebfed1ca8b617341eaf09cb2b9e0

SHA1
06a93532eb7d5c40e2d08acc1965ee2e2e53845e

SHA256
09c8cfc5c123ff5a395ea82216edda7f1fd160df26eb0cada5c18f83e1891274

SHA512
61dcb358ec37b7afcf8389ff82a71444bc5268b70bae27b2f91f42d27ca938ddabe36a07815906427564291399447d9c4257bde2d7e622683b839fd5475b243c

Download Submit
C:\Users\Admin\AppData\Local\Temp\B258.tmp\b2e.exe

Filesize
692KB

MD5
799b1f841d657270a035b939b20656d4

SHA1
ff3ff60a5ff183dc3bebdf28015dddf076fb47c7

SHA256
0be7a91c7b2fe548f6c479aafd4931e1abd533933881bef68a13a06873f24a1b

SHA512
17934808a6dd3eb95c2fc89e5cd9603dd1f63628b38598f26b052a0c33668a4ebecb9f4072fa18eda4a052501c32722e3d54e5e5d76a3555be456174be46249c

Download Submit
C:\Users\Admin\AppData\Local\Temp\B602.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
960KB

MD5
5f088febb9167d9fa27631de416c40d9

SHA1
0e7cfc61e5cd1bb82c846c939d71388e2f9d5086

SHA256
869740b99a3d66f9e9decc133d9c3c4a2c14c3e7c62c512248da76f002387fce

SHA512
65e4cd0d550b852f50e426e53ff47bf1419a5cc1aaf07010b10b96f392148525950fd11dd3b1e8acda0916d288414629cde845cdc959ed7092e565ccb8ffa920

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
832KB

MD5
43dd8ab1a0fd7f177db516faa81a9635

SHA1
66a8b6940797f3396a4f1a6deafca1fda5bffcdd

SHA256
d4b58fa7e09511b58f312b57e2067823a7f31ff5cd6369cbf5ef3667c27b60ea

SHA512
064753e38fb6e2d64a8ce067a52c24b55eb11cf714a534f3557a0e2bd2f5fba16030d8496c7787f4b272ae6a696f4b017d99771488832d12711a7158c927f772

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
768KB

MD5
fe316f2b417e142dffa0e03efb65e1a4

SHA1
907805b2c3bc0a0791086cb5fc8e3a950bc78e6d

SHA256
aca06866767d9e0bbe1e9bef7efce1152d34243e1acefc5f7ac4f6a245456671

SHA512
8ebfa0700b00c4064d1ded11fc1b4001f01238ee0c4cf88a873e0ccf38c30a574d600649bfdef85f2e3aec5c279a43680f7a66604bc6f27bbda0219e3786774d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
640KB

MD5
1b7339cbcb5b756c15c05fe0cc6443f3

SHA1
abdba01c4526a9bbbb7fd3853e09bce3cbb5287d

SHA256
5fcf0fb116f77206758e3a669ec4fa52648fae431a5c2aa2d7ee69944142e019

SHA512
7661b5e8413e74432a00089b1556b2f49e268b6b5c8cefd839cbe19074bffd138c18e8078627420f4082f579a9e3f8d02b199507ae36380b5375162a4d4ba439

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
576KB

MD5
bfba8ef054be5bee0da072ed080beac4

SHA1
090e6e60a6f0f1e351978e91b99e8dce8e63413f

SHA256
81f3865864af4f5ae909e3cb60ec0e0fd028e37909315b0e3de8663a34391be4

SHA512
85a8d0b74341c10b3563209566415727a1d1503433908c26c3e861592c397a66afe3cc25bcb31119ec64e15fa078db361bc308474de1ec3f1a8c367d37c622b6

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
576KB

MD5
46e1c7531774dee6a7125727095ea354

SHA1
2248bc2bd821aded068d2e5e55f5e7271b50ab91

SHA256
cecc229ea9e416207638b67d03bc6846fa188a14fe1c9e75028afb48ff4e2081

SHA512
fa9dc86df3e0a8f7b2579785c03717a43eec14beab8ca3176f73d4ecb0716d047241ab30cd53518e7acd645e9f8282a20552a6fa33824c34afc5c5210cc69f2c

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
512KB

MD5
a3dea3777f14f1235327b648410a9406

SHA1
9ab139a0c947962b3c471c36e8b9cca4d750c889

SHA256
ff432926dd375c44e9a86cc2520c46e66be2d212e35fb73f16ebc4b48b98b6d1

SHA512
b6cacf9e5d8adebdb3c4ae9b6eaddda6a90d9eae32bdc4cf6eb36ad7cf14d02486ac0c32942e3bc504e943a544fa71a6c9e2fec8fb07c456290646107b4edea2

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
576KB

MD5
2caab2ad7ccd18421c96ea2ef5b9e602

SHA1
a629673c12e88ef88f30cbe8da12d3afb9a7d42c

SHA256
c16fbf658c970a716b976abe7c5d9f1b1a42dacd55a43b16fec0ecc6b84f0552

SHA512
aa9692584947d7fdbe843e877430ade40c5b4c6e15887005a292065d6f8e1303abc8dfc2bf50c01fb032bdfeca5bb2aa9312ba44d7ba4e2d3529d07bfd008969

Download Submit
memory/2372-42-0x00000000702F0000-0x0000000070388000-memory.dmp

Filesize
608KB

Download
memory/2372-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2372-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2372-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2372-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2372-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2372-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2372-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2372-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2372-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2372-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2372-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2372-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2372-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2388-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2388-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4996-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download