73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
299s
max time network
299s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
14/02/2024, 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4836	b2e.exe
4548	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4548	cpuminer-sse2.exe
4548	cpuminer-sse2.exe
4548	cpuminer-sse2.exe
4548	cpuminer-sse2.exe
4548	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3568-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 4836	3568	batexe.exe	74
PID 3568 wrote to memory of 4836	3568	batexe.exe	74
PID 3568 wrote to memory of 4836	3568	batexe.exe	74
PID 4836 wrote to memory of 1564	4836	b2e.exe	75
PID 4836 wrote to memory of 1564	4836	b2e.exe	75
PID 4836 wrote to memory of 1564	4836	b2e.exe	75
PID 1564 wrote to memory of 4548	1564	cmd.exe	78
PID 1564 wrote to memory of 4548	1564	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Users\Admin\AppData\Local\Temp\EEE4.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\EEE4.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\EEE4.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F3C6.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EEE4.tmp\b2e.exe

Filesize
2.3MB

MD5
14ea1df7e571b7746864c5287ff4d562

SHA1
b529eef28ad5da09bfd6905c50a7ebe7e89a9883

SHA256
aa437733932832f75cd8dc3d341c5791828b759b1e0c86d0868b022fc6cf3618

SHA512
2557110e30f750cdd4da43492c727f516b35472ee2173ba1a3e02d933c3119f425729d893e46a4b4045687128cdb4fabee04a6aacb12930a95a0a85518c7edc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEE4.tmp\b2e.exe

Filesize
512KB

MD5
e4d2817f5e794155ac4a8a1445b9d728

SHA1
07f6972ab84878cee3a3e158cf9b0b27c8ad175d

SHA256
24781b2a837565d59faae5eff35a839726a5aa2f952f46e5e5b593f53ab6774b

SHA512
9ed2839db8465f9eb07d9bb2d29e1a35cc1c2e0b8c8f52007248752df018c899135e6d3f944e7e1363b3d5fe4928ccb71725fcaafedfd3cd496307619cf164f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\F3C6.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
384KB

MD5
eb8ea4d2595402528f73410e2c8651ed

SHA1
23abb385032a9317d00c826eb21e0fe6fc802c50

SHA256
fc3c5c1787c58c465ea47ab132afc59d209b1f7d319ae80a7913ed5c39157017

SHA512
7f4485a662859bdec898bb4f9675c8a834ab570ae7f4df2b6e95a9f5ab45f8fba612d04f0edfe22dc4bdcd3011af0536ed200731262056cd7bec332ce4b18573

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
320KB

MD5
59d36bdd941feb6c770ec68a37e8c21b

SHA1
1191d1e478164cd720974ea1ad2bc248999a8d45

SHA256
d5227dca74d9be12116b359c9d61265b102c0986eb6196e269cc3e3b895c0293

SHA512
b1620dd0763f2f7c263ae69c71eba7cba29d89f1bb551356abb7073e4e7013347345c43f2bad3c4733300c5b98feecf2fd91db2a363c9e5dcdd87f170edbe406

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
210KB

MD5
ad9b74a4e7a4677eaf8869f90891002a

SHA1
66704c28391ffbbde044fdb2a2fe30e099112f4b

SHA256
9adb0b9be624b27dd262c3b047dc49cb8ad0625acf592908b8d1fb2f047c5c69

SHA512
e31964950422231ca8d407acd5a23a50fe953e111abdcc40fde13389ca0b588b97846bd64322642921b4ffb95cc43bf2d385f7cb3b67a9792d617971e19a25cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
192KB

MD5
62069650d62f76a4cdf0e81172d99993

SHA1
3b20ec5b4a4320ee15b0f7b9715a9ab90f68346e

SHA256
779a5590c667d9a704b79e159259c0646737394fd66a9c0b12d13f9445ca091c

SHA512
ae1954a84fb7543465e77a4cd5cc1bdeee0cf848592958633e6c51702b42131daae64c302d5c9537c59a9b3ba9498e5bf913d1f6f757ccdb8c4183b33224852b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
64KB

MD5
6cccf65bd7d7ff5b53aeb882e15c462c

SHA1
a9822b63ad70c6085ed1deda0fbe4bc5fe555f3d

SHA256
1379cd6111c2c37cf16f2dd9b325118513e85c35543ba45e79deb504dd4c01d2

SHA512
c174b5f8615131c2b86c57aee166744ee1fe02ff7c916195f2fde06684f467545a3fa4f88083335e2045d12727d774279dc8672ec352de3095b729aa5d1dedcb

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
256KB

MD5
11e8812bfa1d698cdeb73a16c1d7c963

SHA1
e8708fd452ab5946b380d0c353ac26acf289e548

SHA256
e0f9ddf8afd30511763f0cf792369e32c955f15d9529c00c5fe9298a80d74402

SHA512
fd54c9c6f3520b2ced6b42235ebfce6d8b622c53f1fbf810baace657a7d44430968b5ff90cd1d860dbdf7550dd8cd467636c862ff0dd0832f25145efccc7731e

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
64KB

MD5
7fcedb6e973c5df3b6652a2afafa6a13

SHA1
116728803559ab58a8127544df80b75a0dd1c6d2

SHA256
fd7191afdecd35b78a0c0ca0457cbbf42ffda1e52263cd785abca5f047b18825

SHA512
05c86bf84079a2cc13dc7a1a917a0839ccd2b18e0440c4bd419c99f65c4161ac69a9447f56bdf6051b2fbbc49b7556fc3717432d0e293dfae2921c0701fe64fd

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
14KB

MD5
5c37dcf3e37dbc99177c5bcf977be61c

SHA1
44b8d5a15e30792b04ebbcd38b18779b66b5c07e

SHA256
29d05cc85bfba5e047fa07d67fd4832259ed2cd8e651e1d0719d6d1fe4ab1c5c

SHA512
7653829956b1e040b59d78d1b8d3efae81a65c906be1a5538d0ec6167af3fce5f0cfeaa506290d3ab23d192ff971a408c5b4a74736c83ba3ee9e6faa6b611d7d

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
4.8MB

MD5
9b7005b0cd65f4de09b2b360f9c17ec5

SHA1
bf6e47256a84284f189fb4fde155ae10b18bd97d

SHA256
e2eee45e4abd2dc2f6a2c29b2012ce2e52f312dcc55056adef11d4678329fe2e

SHA512
9283de9512760a1bf98e90b18cf794d0e717b9b9d26739e7b80c77c93ad3dae30c58254c909ea45d0b483c4a41359efe3ece7d1407a81c43c582023cc45d705a

Download Submit
memory/3568-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4548-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4548-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4548-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4548-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4548-43-0x0000000064AB0000-0x0000000064B48000-memory.dmp

Filesize
608KB

Download
memory/4548-44-0x0000000000F10000-0x00000000027C5000-memory.dmp

Filesize
24.7MB

Download
memory/4548-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4548-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4548-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4548-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4548-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4548-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4548-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4548-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4548-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4836-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4836-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download