73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
299s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
14/02/2024, 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4596	b2e.exe
4104	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4104	cpuminer-sse2.exe
4104	cpuminer-sse2.exe
4104	cpuminer-sse2.exe
4104	cpuminer-sse2.exe
4104	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4224-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 4596	4224	batexe.exe	75
PID 4224 wrote to memory of 4596	4224	batexe.exe	75
PID 4224 wrote to memory of 4596	4224	batexe.exe	75
PID 4596 wrote to memory of 2212	4596	b2e.exe	76
PID 4596 wrote to memory of 2212	4596	b2e.exe	76
PID 4596 wrote to memory of 2212	4596	b2e.exe	76
PID 2212 wrote to memory of 4104	2212	cmd.exe	79
PID 2212 wrote to memory of 4104	2212	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Users\Admin\AppData\Local\Temp\9819.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9819.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9819.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\99FE.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9819.tmp\b2e.exe

Filesize
5.2MB

MD5
13015dfa459e1048325f8581f5d46054

SHA1
6f6984c9d862d72be22acfca329d88e5544ff4ba

SHA256
5ba4ce2c5f0c79c07e41fbeb186521335ae060de242c49ce54feb64ff973a696

SHA512
46ef05875d1a71097f80d15a5f4db2e9d1447b5505265eca3c17972fd6974afd15387b045856a26f799fd7d2009ae250a11083fcda1ff864fd2fdc1be5002695

Download Submit
C:\Users\Admin\AppData\Local\Temp\9819.tmp\b2e.exe

Filesize
4.7MB

MD5
4b591b460134a9b338f7d3953c13eafa

SHA1
e60ee796d81f9708aa96363e180d8d7b86ecd752

SHA256
0f973cee720ef7c4918c3e9ae9b6926c355201d6344f311bf3792371cc14fb86

SHA512
4f738422372d8ad28cdcaa11bf178caced8f5fd41c9616f6670d541046fd3f27741cfa2b58718b64a63915d32bbe885c692effcc9b80d118761fd0bb5af5f9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\99FE.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
986KB

MD5
2601e9812b1edac6dae87ddcda44b069

SHA1
b697a3865038a00ea65a7f7b6ba4528989203bfb

SHA256
187a31a3a60ccf24f3f4cb56f342c84ba9c913a9fcd318621645e3481db65051

SHA512
1cb3f3a000ee023077bb56c3f1f48dfb178c32d470a5b811e5a97f8acc2f6fe14ef94a208cc50e6cb2a7a150dfe17dde14d9612140ca02a27b20380ab901be26

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
a8abcdcc2a9aa0b9b08d2665046c2b4c

SHA1
5ce706b86504e476af2c3b6df2a2fa97855bb13c

SHA256
bf1c9cd67c83a5a8fcbf0a7b43d103d7e1d5bbeff12cfe94d1c9c06f2dc8c960

SHA512
ca8b09c5b53ea1e8737e6757f6d4fcaef27e57d51d8199ad6b8604fc1fc340da3f800a3bf84c4137b7f1e316869da453d701ac50f59649879aa8905d46cd9059

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
775KB

MD5
530389ac63e37a0c5f888016dccf3fd9

SHA1
380c9fbe353159f3980ab9b8b3ba3430bb9ab738

SHA256
1aa460272308b7bc86c226f86e92ea2a249796b427d88408748be964ede4bcac

SHA512
8054bf891c37a4bdb4bb49818379fe2e3f075076f379bd7aad86900fb339da7c5b9b471a69cebac5db74032989e6c96b78def76ed02d3ede39ce987b64e2fa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
832KB

MD5
d33f0e6bb5e8d2b9e111a90544790dc8

SHA1
df4e81d22638d511e761744e886c33bc12096c48

SHA256
40729edf62213c039a1818c9adb9478aa0284bb26dd071bd1ac4de1da2470048

SHA512
ce4ebeae054117d4de8b3fe2403d95a6d819483269f851618958e864887e9b2f42fc9c893e1aa207dfa2d94900c8f4214a67796ddeb2a80ce655d69ec290d629

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
347KB

MD5
adf1ed18b8d3eb21ec05eaee8cfe268c

SHA1
2312044c1209450cfad955422557a3e32c2e43f2

SHA256
38ed9cf530a7d42b52bdbd6f87322ade2bf872a22234589632f451e40a8a770a

SHA512
2938920767be79a592dff7cff7811326c8445a62e65dabbd01d4505983f56c8887b512737eec36ac39f8d290a3880fbc0205a2be8fab7467eb95efc356289c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1007KB

MD5
3825ccdaa577dd928de64ee4124fa639

SHA1
4d485075e4d15357209224054f044679457a43c2

SHA256
050ca2e39a0bb89081644efee59d3d8a838c0a84c89373163c403b97c3271998

SHA512
88014fdbce28b377cbda5766271b0efdd10769bc6bb74382474a3f318a5a0107db379ea4c10579367d60ed106ccb9644b24d370834eec873fab6351631773c74

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
761KB

MD5
77dd1a808ebf6a0e025f941a9247e38e

SHA1
78b63754eef3200f0684caf03a7626ee0870c184

SHA256
49d4fdd7a8d8a0c901820b1ad40ddbc48c659c0877226998fd84689a28cabcdd

SHA512
80b427330b06da78be83f3c565c1cf2e594aca9fcca4ea86d673d6655453642dfde2640bef08b121000d2ff1ef30661490566b9e7e64c55290620b3d4034fdb9

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
699KB

MD5
b6d514584fc25b01f2d1f6f972de9bc6

SHA1
efc771006bea1859130d32cb1ca405df3a9bc6ea

SHA256
c746bcba66ba4d8fe62d6efc15f5f2e86753d28994bbaa1019d3bcf2076c18b7

SHA512
d2837ae49f9a699495ee64fdc6ac28f22207535c21c54df8e3802d05018a12f07fa89000e2cfe42fa6c58fc10ee0f6f12ef0251dddd9e1165a00841cca82cf96

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
50bc2bd613b3aab19fad9965926bfe24

SHA1
d7ee52609edabdcdbdbfd359e8b8c0d226d43473

SHA256
a311f6198dcf2bb585c736573d83f2c5656f164305c4ec8eadf33edb769ad1e2

SHA512
afdab58ab8cfddd523c138b93a07be6e26ee56589d60d9e81deb9a5ad9da0c6d97fa8338a94bad201d7ab192a680cff54c5e379ff25914fdda2033cb1ecf37d8

Download Submit
memory/4104-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4104-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4104-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4104-42-0x0000000052760000-0x00000000527F8000-memory.dmp

Filesize
608KB

Download
memory/4104-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4104-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4104-44-0x0000000001080000-0x0000000002935000-memory.dmp

Filesize
24.7MB

Download
memory/4104-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4104-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4104-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4104-63-0x0000000052760000-0x00000000527F8000-memory.dmp

Filesize
608KB

Download
memory/4104-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4104-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4104-78-0x0000000052760000-0x00000000527F8000-memory.dmp

Filesize
608KB

Download
memory/4104-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4104-89-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4224-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4596-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4596-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download