73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
294s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
14/02/2024, 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1480	b2e.exe
2924	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2924	cpuminer-sse2.exe
2924	cpuminer-sse2.exe
2924	cpuminer-sse2.exe
2924	cpuminer-sse2.exe
2924	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2356-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1480	2356	batexe.exe	74
PID 2356 wrote to memory of 1480	2356	batexe.exe	74
PID 2356 wrote to memory of 1480	2356	batexe.exe	74
PID 1480 wrote to memory of 2996	1480	b2e.exe	75
PID 1480 wrote to memory of 2996	1480	b2e.exe	75
PID 1480 wrote to memory of 2996	1480	b2e.exe	75
PID 2996 wrote to memory of 2924	2996	cmd.exe	78
PID 2996 wrote to memory of 2924	2996	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\A4EB.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A4EB.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A4EB.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A75C.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A4EB.tmp\b2e.exe

Filesize
5.6MB

MD5
1297be7f05d2e6986af16af9b6be7d71

SHA1
6eb521baa853e86e9e4c098354c77764f4c26960

SHA256
c14268fd824d23f6333f17beb0e4094002861686b6f8476e8fa220e0b920d626

SHA512
b44304eacd470c2a14f3cde5371bdc0067e357675784910a720fbc85f2a242166455cf5d9edf80d4c79b6b7c80e24f8a8e98514b8b4c68a29d4e0d470d31914e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4EB.tmp\b2e.exe

Filesize
4.7MB

MD5
b36bb34713dc0bf76fd70d38386c8f02

SHA1
7ff12997dddf110d7941277e897934be8f914934

SHA256
b12990418f5b1daad26a470022e01eef82a37fce7c8b11d32f702cff7664336a

SHA512
303f1771a58e4cb003ae62d08a8880eecd5765921cca08a990458c83f7bb6b4fceef232bdbbe271dd9c8569137756f141d81549ae3cda1e05a15d900363b66b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\A75C.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
398KB

MD5
b5941bc145eb800cbf93a7b101518290

SHA1
8089b0e4938a8f47f30c7c3b629647bfc315f9f7

SHA256
8188457b8a2be568f3a0042e4456a301e9e3d1967734b9ff29b4ec0f0d0bcf76

SHA512
1a2705e31353d0799d06361c5f9101dffb47b704048097ee96c71c6ffcb8d56073f1628e64b9a44729d130794c9f2e1fe8064ad5e9004479bf44d7e77ae7af70

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
328KB

MD5
1aae7f33a85b4628da0322ec2553bd19

SHA1
b3a15bf60e87d944c65e957afbd60d938323d13b

SHA256
fffc9f17798adc508b1c8a4aa4602bd2d4a2f7fd8c804e59db1acab614f4f9b4

SHA512
95339021acbd0d168c2d6438424adca38934a6ccb8c567cbf8bf8fb9a1ace09017cd30c7549a2a638c62a1789f66aa1176bd291ab5161b5a08daed4134506800

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
294KB

MD5
93e23d479582f36bfea533e550d8d012

SHA1
7a75988218dab5ba148b2f2e51f401b7c9ce5f2f

SHA256
75f3a2557dfcdd58c325e54281a726a90f058c5aeb8d002b1088b9400b4122b3

SHA512
85f6b0f5be44fea668e334a544a25b228d22a9086e00e7f8dbd04a4f6f98b14483570ca50c1a186edb8a660137948868e21dff0774191d7fa3767381b2d8373a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
172KB

MD5
fb988bd8c3d2f576861751c827b337db

SHA1
ff7734e5f25f845abe780220998078698d4b4e78

SHA256
916c57fdc3b0affc23033aabc194871a572e9d5e94c193d4251fec4ca6d48465

SHA512
72e5c9bedf46d3027852da300eeeea1c8e0f467aecdd6ac44f99bb530f79b0b91b4e1d8535f21f7c307f5faeb2f61c735455b0911395c20506f04eeeebe9566a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
277KB

MD5
73920b39eebe7f967aab4c1f9fb25f3e

SHA1
0d96da63995978a0d781f1a617bc0bea9923ac76

SHA256
43712ac76e8498da6419ce30296f7d0db4f2603c513255ea95ec2bc1382a4c64

SHA512
9bf54720c0ec411b753c1365509ff13993d225c8636ac33fb3b251ec5d76774d561da905c7215efc18f638ac625c394ef7b59e28aaaac71cb788b3d1efb01175

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
169KB

MD5
279aee74bdd1d9fa343a63dc078f677a

SHA1
6d68039b1049bd5076109c360116d97da0d9ac15

SHA256
c5eced4b9b238a76f4370f99f5117d0689070882c1f904e15a2aa4f0fa6fdda7

SHA512
ffc122452be35c3882af3f72f5d245b32bca1d5ad516b5c409b6b240eed113d087dd51192cfba34a55798f5f1fef1413222d7c02032379de974e1671aaf2d7cb

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
230KB

MD5
49fc6ae02521e17145cf3739fe8de849

SHA1
2eb6a842106a058a879b7489d8830618fa06080e

SHA256
37791d1f74e6cc1519d8c627aca2b579c8ddfb2ab9b20a1f6b43e4d431bcecc2

SHA512
efc263cdec412b4d12281abba353aea595e0efbeff9c484c3ee75bf0ce5b56863a02f9265d02369d53dd6e89136f69dec35800246c56941ac2e2118f5530b7ec

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
183KB

MD5
d38ab1f5504a9ebcb44edc0780935dc5

SHA1
3e235ad32a5d0986b761b8d3d0e3511e4a116240

SHA256
1f644285d3a9cc19cccfad18b8170e0d5515d04a96024b9284529e1aee80667f

SHA512
15c66427795fb27611f79a2ac5793337e4c28a15ce5e8ce52786f407e604cf2781ab11e5da5b67f0a3400e876c83c78a1aa8422ecfb038ef28a22738b91dbbe2

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
59KB

MD5
36297ac53c43a288ed322fc0fef00285

SHA1
3f3ac35e0b67c62952b7c9a7e7ed8c46fc948b3e

SHA256
3fb37d542eaf9aa5dc1fbe3ab6a592185da47ddab25ba9438f5efe73b6e6a479

SHA512
41c745127786239ee1cfb61a61415951148fa30ac98fd454322632a10861a11ecd70d4fcd811d93b3d65d3e7a743e6def2550c925d2719b39d1d0ca1b5c71488

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
68KB

MD5
d3fca6ed5c2eaa4749e81449bb0d209d

SHA1
f82e3fd3b0a545667125b2570e642330552f3914

SHA256
ce7e72939e1384888b80300be9daed9b43ddde7c70a58f5bd725d573ac732454

SHA512
50c154cd1d85fa489e7107da20b314baa62c6cdfaaa3529e3b1fa34a9d7503080f0e0ef717540c02fcf2ec5e2ddd6e5d3120508187ff0aff4e06e45256998906

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
204KB

MD5
0300af542262ca71709a2606d8659300

SHA1
46f2b14d4ed5a5fe0094b00fb1f6ea03586377ff

SHA256
51546cf5f8a018ac14032f054784a087722570c850c30876789f918df5967997

SHA512
cb6222db94843bf65921dade8a17e80980b191c2d61b18fd07a838f2415dd07a6a265435c8aa3889dfc30e670da4e49a5ddcacd76debcc004deba0c69d5f1ec5

Download Submit
memory/1480-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1480-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2356-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2924-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-62-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2924-43-0x00000000667F0000-0x0000000066888000-memory.dmp

Filesize
608KB

Download
memory/2924-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2924-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2924-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-59-0x00000000667F0000-0x0000000066888000-memory.dmp

Filesize
608KB

Download
memory/2924-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2924-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download