73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
304s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
17/02/2024, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2200	b2e.exe
4788	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4788	cpuminer-sse2.exe
4788	cpuminer-sse2.exe
4788	cpuminer-sse2.exe
4788	cpuminer-sse2.exe
4788	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1792-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 2200	1792	batexe.exe	73
PID 1792 wrote to memory of 2200	1792	batexe.exe	73
PID 1792 wrote to memory of 2200	1792	batexe.exe	73
PID 2200 wrote to memory of 2256	2200	b2e.exe	74
PID 2200 wrote to memory of 2256	2200	b2e.exe	74
PID 2200 wrote to memory of 2256	2200	b2e.exe	74
PID 2256 wrote to memory of 4788	2256	cmd.exe	77
PID 2256 wrote to memory of 4788	2256	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\2759.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2759.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2759.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2D54.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2759.tmp\b2e.exe

Filesize
2.9MB

MD5
de85103441b88434c9b04127a0772405

SHA1
3eaea984416f4b5b7cd692402a97d1a50d5d47a8

SHA256
e4722a4215a53d0636d6a8eec1bf1c33a61eca7d2f4ea4f45c52fe61fc24392a

SHA512
aa8fb503e0b2a44c8ebd20bce7e116bc6f42201e3235db40810aeb8e2878086e360676c4f637aafd75b7c122e882c37b5e0e42c52ed7474f2ed1aa7d9b221c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2759.tmp\b2e.exe

Filesize
2.6MB

MD5
f957e9ad257376e95f17825b7dd862a7

SHA1
71f2b45b9f486eee99f7b5cfb133e7150e1878e8

SHA256
f2dde1e42bb9bedf74575ae2060fc2784fb2d2b73fd262462243614ea1666ced

SHA512
1c816c05b9d7f376887de29d54239de706bc8c452c0847ba43ea4a46d4fc3541fc2f7e48a16393123838225d62c563aa69c64e478a842b7a3ec3bc7ecd20aa74

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D54.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
574KB

MD5
df2bf3f50cee32b07c92cf2086e6c1b4

SHA1
881ca2a9baa4740ed31e5efc585f5be63916ff92

SHA256
3f36fca93cd9f00188d5319c956a5dcd79aa25e532159509fea46f0bc60681b8

SHA512
36977b3f597f0069f8a0116a0daa9c2dcbc8c481e2b86e7d0109d328ba5ba233fa7fb98c230ecaa7c529f469d2f3f31741055884fbd4519e00abb893497d6f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
779KB

MD5
fd5b47f72b9d46287b8bf40e1eec6e93

SHA1
8ab8b63c184d2eda2bc192928dc3332e64fbf046

SHA256
a1b2f2dee62d6816a2e385092aa2d6d662534d9a5d6a3b9c1f3a16208e41a1df

SHA512
cafde59be7ea2fbddbd8f4fd8b33b05af9a2fbd3de1ae27cd288a1bf87c492a7c14429aa3a41fc058ba04baedeefde38273dfe6e1e2be5f72d9321bd5bd37013

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
875KB

MD5
a4ce85ac09d980eb79bbb48963260ba5

SHA1
47102fffadbae93807d55cf1a0ad0f1bae5652af

SHA256
75ead9b73d6af309e86698ab467924fdecb30f057a6ac285926ac95b3b4bf2ab

SHA512
67bbd81694f3611b8a15ca4ce1a7b446a669d6b43c7ad5156038790c14dc7db324e16b9fa1f8b05a1a4e4cc6eccce042a3099b18851c5eb7ee63be43035400f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
d0799ea13b04ed4a25038b832aec29ac

SHA1
6c9771ae8849433e1bc548c8db42e85ec9ef7a28

SHA256
2b9f794a43f82a1fbe31d594bb20cd23006a07b4ad3bda33b60c97293afafe8c

SHA512
532ca1032c7d89fa842376bddbb87fcd8adc3f10effb66d1fcdf9a0986c63a27b5fdb8a1b56224cc07dfec8ad567117f2f172db6d4289f16964f9403dcf06fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
975KB

MD5
628732453b9cea37aa51b3422d40ab86

SHA1
48c22eb657a45b5a43567a1aaf16ae10f4dc105f

SHA256
f63298ca0dbb63feeccb1502d8c2b7fe3f89514c7993cbff4883ad5512c155bc

SHA512
482bf7ae568d23266f96cc0ee04b78879e505d21e140bfe659220ea27774ceb6bc46313ca540946e928d2f53db727788d6a9549d40e40a21b2fbef775eb43a6e

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
701KB

MD5
61d72a31bc73225413d5e9debda67b73

SHA1
81eaa708bbe755aad1d02a517f3b52ac87421163

SHA256
d04ed6dfac3002178bec07492f661494b2634fad4b4e8ec01fdd08637939d7d3

SHA512
4829f4f959e8ed4912a68b1fb9238e1ab6526eb9d2f6c3b2aa0e2088942f6bce3aa36e1a0bce4147bd063268b2414cf88d878c154012f4ba1e13396625fb845c

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
697KB

MD5
490a578de0cbbaf0f6580f3e32cb945c

SHA1
b9c69566e82e6676dac3e8e916267360bca8ff86

SHA256
b2936d0009e52b48c1555877a12df239b38cc6ca53cc88c2c6c3b25fe419558a

SHA512
f2ca941c677d016abec009b017181b82e8ab78dae7eb6b2a58601fda95a0066a5370a2f3a1966a80063c108a0a5d5b3ba0f9fe3186a179f9c447282dd544b611

Download Submit
memory/1792-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2200-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2200-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4788-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4788-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4788-42-0x000000005D8A0000-0x000000005D938000-memory.dmp

Filesize
608KB

Download
memory/4788-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4788-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4788-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4788-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4788-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4788-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4788-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4788-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4788-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4788-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4788-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download