73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
297s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
14/02/2024, 10:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
532	b2e.exe
4168	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4168	cpuminer-sse2.exe
4168	cpuminer-sse2.exe
4168	cpuminer-sse2.exe
4168	cpuminer-sse2.exe
4168	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/980-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 532	980	batexe.exe	74
PID 980 wrote to memory of 532	980	batexe.exe	74
PID 980 wrote to memory of 532	980	batexe.exe	74
PID 532 wrote to memory of 4688	532	b2e.exe	75
PID 532 wrote to memory of 4688	532	b2e.exe	75
PID 532 wrote to memory of 4688	532	b2e.exe	75
PID 4688 wrote to memory of 4168	4688	cmd.exe	78
PID 4688 wrote to memory of 4168	4688	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:980
- C:\Users\Admin\AppData\Local\Temp\10E3.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\10E3.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\10E3.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\15B6.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10E3.tmp\b2e.exe

Filesize
3.7MB

MD5
e5329e3a504f945b223fc395ac6221b1

SHA1
a3aa37266c9a9e8045958257109136118ecf3fc7

SHA256
91b641dc626cbaabb38bd06344196c6091635d71bc2a70bf307af7054cc03fec

SHA512
e3ba8a1c60ead2b91ff572662d749c3b1051f1bc94623a064239482e8fed6fac0e130b932df4afde9c57545749e3267a869ea3bb99c914dad05b96bc8dda3c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\10E3.tmp\b2e.exe

Filesize
4.5MB

MD5
c31a1f44a8bdb2377036821d5aa71dc8

SHA1
c0e6cace938c4172953fb4f6125136f2450dc1da

SHA256
1ef1ede2fd76277061f71d96d4b42ee27e38dee163074c5b7f548e2b9890f10d

SHA512
c31dca07ef5f5c09df7646e69d4f9259e96c992c897b0ae36ef94cb02c8524cd0f0aa652acd5b345b19bbc49500d11f31f530de90631341bb47f0ea19ab10004

Download Submit
C:\Users\Admin\AppData\Local\Temp\15B6.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
281KB

MD5
e61df8d582d02bc962e2c6049d816bed

SHA1
afb00360dfdd4c1106a32b202ff786fe62ace7ca

SHA256
41b5747cc6aee33292f6e89bb06177b2a11e811a96674bba7ea9861512aa5842

SHA512
98ec1917194460add8b5fc154c2ad32658c12756d2116764a5c0d22990864bb6bb6795b0b32ee77d02b784b6a1297e4948aac7e1053b7ecf67f3c3c1d573f639

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
376KB

MD5
cf9ea88d83ccb988be4451716c1f6607

SHA1
74c98dbc1bc58a51d0b911e3b88a51f77da8bcaf

SHA256
36e65445e36160eb723f9561ee73b5bc415ed4a1923661218705c96687603aa9

SHA512
14d27d424a46284774f08cb29456fb3e844922142a41700528f8af4186f081096e7ee1515abac9e8332cba239a3e943ad73caa3477ee719dfb54cf06a7f4cfd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
283KB

MD5
1c49612cea04e1e922c07ce4bd3b5a4d

SHA1
d41f54e7a418b76437cdad5482d1a041ed6c4e4c

SHA256
ec81be290f9c205b83870b1064db3d37e6b7f316b204b3ea15ab138ea4e22fe5

SHA512
904a77d181d54129e6dd0a390b1ab22fb699c0f232a52493f101c155b828e9f0cf634113ac11cb5db5c6624be10ac52ae790f8c5752dfae93f8a387106ed36f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
128KB

MD5
48c422e815911804d8322f84e605438f

SHA1
b577cb4575fdf07ead63d0f9831833f4f30788e9

SHA256
3247538f008c10c405b77c7a1ff636bd7f7e72b0cf4b5990870c157958b4e6ea

SHA512
0278d1c8a8bb02bb70bac382c89481451ddd147f2b195fed3cf1105524358a04703be54186e138d0e1f1423441e694cd292eb890cfe66bc421eb160821548f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
349KB

MD5
344099087fe5a9d076190e5e932c321d

SHA1
b3e3de652e7f9aaa4ebd0ee6dae90b2b453e8571

SHA256
2745f8e152f328625fcbc341f439819e781f4563665eb241c0a52bf5789b1b26

SHA512
c55874cae629352fb51e83a073c423c0d1ee0ee495ec8f7f62dd730d60a6e7f5bd6c6666aa4d7f0fb2f2831d4e508a4e16b1a8e24ad33d006d2d08cf59d833b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
134KB

MD5
60a8d5fafd5b451280b067ab50a7cbe3

SHA1
e46c91f590e4a56d3a9c34c3aa65dfd6ec481563

SHA256
4cda8c5abad752502473db64acc870b9770f46ac85b37da7028de973417b3daa

SHA512
148e849e612d93afdb4f4a484438445d15fc4b585e38aca936513cb48edeedc7094823be97eecd0417d6c6e11a26ad2504c20f15588c668aa46fafaba9e70779

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
307KB

MD5
0f383fc2f378dfd900f55e3145cb8efd

SHA1
7a6b391d190a2ebfa45a50467de1a61d0eaea9ea

SHA256
2f570cec6746a73f828222ae34295981277299ecf4bf8a4c390b092917479278

SHA512
5e8472d4a4e74232f916066d3bcbc37e8180853a3e74ca627f05df4e5f1e27b48485a1992c270d5717639eaac1234f6e01ca8e51aafac57da897ed628d56aa75

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
233KB

MD5
898107a90c9c02bef4c132b3f606c5a2

SHA1
23b85208a091e2907734f24ae3f59974572240e2

SHA256
99b4178b108fc6dd87f49cfa1133c4e2cfe72349bd5c386d85d446b203658e91

SHA512
2eba0035fca2ab2c066d8a659d7d85db9209b6d829129b95e65106a5491060675439ee036ae4cb485ccb1d38c8df36168c425188609a51f953c29982b68c1f8b

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.3MB

MD5
e3cb9ac6acb316c4513a0cf744b49714

SHA1
2fae28ba67dc090765861ae448947d075d7a7f87

SHA256
5b2c179c0f4210fe96ba61a08f76af1f3b4b00e9aedfba1f5527409a7e451121

SHA512
2412f1930d699d4fdf14e420d8a4085ae5fd2241b73b0e6fcf344476704fc95c2522ceb7238bff858b1dfb52f7e9b2f655f0069014862fc79cc19eba5389fa3b

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.7MB

MD5
ef646c3e42663fd17af0cabf29a7b87f

SHA1
4a44176f8472dd486ac2196cce3ad4116fe4c6dc

SHA256
f3e6e29273bfde4ee07030dfd9fba43c4975a2eeb43a6d3162950eb65374866f

SHA512
c1cbf61b89241b004499f9b8e45d1524fb42189b538e265ba36e67bedd500d55b32a97008ea5dd8739e0804ee9baac4b39899c5b820b6610798c12146cfed469

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
122KB

MD5
edff24d97a05d1da9f07aa4292a94859

SHA1
2c5370cb3ef90960bcc7f32f368f76c3a8636fd7

SHA256
43a3ed7762844f0e18c89903133c1ea1c79ae670dcd18d2b0dc32d7f3e55cbc6

SHA512
f2b46516d64d5f4da33061c66dd63a2df35f52eaf7ccfdbb84f5105a09d3eb872176e1992bfb43de25598b67714fd87901f9fd7aafbbf8b24537f456e9475c1b

Download Submit
memory/532-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/532-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/980-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4168-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4168-43-0x0000000068830000-0x00000000688C8000-memory.dmp

Filesize
608KB

Download
memory/4168-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-44-0x0000000001010000-0x00000000028C5000-memory.dmp

Filesize
24.7MB

Download
memory/4168-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4168-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download