73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
304s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
17-02-2024 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3936	b2e.exe
220	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
220	cpuminer-sse2.exe
220	cpuminer-sse2.exe
220	cpuminer-sse2.exe
220	cpuminer-sse2.exe
220	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1616-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 3936	1616	batexe.exe	73
PID 1616 wrote to memory of 3936	1616	batexe.exe	73
PID 1616 wrote to memory of 3936	1616	batexe.exe	73
PID 3936 wrote to memory of 4196	3936	b2e.exe	74
PID 3936 wrote to memory of 4196	3936	b2e.exe	74
PID 3936 wrote to memory of 4196	3936	b2e.exe	74
PID 4196 wrote to memory of 220	4196	cmd.exe	77
PID 4196 wrote to memory of 220	4196	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Users\Admin\AppData\Local\Temp\AA4A.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\AA4A.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\AA4A.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AF3B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4196
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AA4A.tmp\b2e.exe

Filesize
640KB

MD5
ec807089447cc8ffed3ed14af8e0dd7f

SHA1
0d5600b96cd4d605dd40d169bade90cc2e41d4e0

SHA256
97789e181648b41de38dee9a0b40452bac36d463329a87bd2ad517a2968c51f1

SHA512
a2f87f33cd02f225b4c43f4dbd93e18e15e49dc5cdc1ef05f99bb54cdf2b759932d84e29863c11eb1941fb82d559682ea1be25ab7c826670389fb659d6afdac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA4A.tmp\b2e.exe

Filesize
1.4MB

MD5
c5e09858066f182b7f5bdcb61d9b36fc

SHA1
7a1de79ffcfa17a7a86a01f8d5046eaf970b8905

SHA256
b5ede4ee58898940fa268a8aa17da9fc31eae634a8c95afcb2412ae199e8f4b6

SHA512
70e4e7cf5ec9df418480b0773c325e489749cbf6b5af491b24f6a6b2298cb043f681689531e70666787d42723d096d57012f1bccf317367908ce68a1420a6dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF3B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
836KB

MD5
a85420e3def6b161615794b8744f2e60

SHA1
ae20f183127f05eea3acf687afdf535c36e34e9d

SHA256
4c1021e0939818390e3f43a301e9bdcb8fcf703769103cb7fa65932de952da31

SHA512
920e7cda759fb15776d973deba900dfd81a1c5cd3cd25f625e1406b9ff9a3b00c25d903fed5898bdfb187526eed0ef36d2b07afbc3a2e8bf294292a104da8466

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
542KB

MD5
712e83ee79fca4bc80cc8a625adb7de9

SHA1
5388f3f374f78760ec2df664b56cbb4fb341b51e

SHA256
dff04d09934ba92d24af98b479e803083ba6ee9c0fa6adde991fabb98082d465

SHA512
fbd192a3b59348eba1413e7cd74e277ac07be790452ed45e9482a7fefcdfb3dc3a11eeb406e7d7f22bdc9bcd75b1cf8321eb0b8c9d8a6c27a438434d186527a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
658KB

MD5
c23ce74110846203e2ab410d17b98e3a

SHA1
b1cb949762fba336e3c61d1d38a1f1ed47628d78

SHA256
4408f15fc5cfcf9f539e1c8f91783e33ca24b4174f9a8fe8201142f7e9b0c14d

SHA512
7da012884fca0cb59583920c04ad254084bdc1f7644ffcb2cda8b9221df729b3a97faf376ff8364fe9fd89eab2302468d68aa47181d8478c9e59499498a5da03

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
628KB

MD5
e129efdd2d172a37ff949fb4f809c7b9

SHA1
8b4c104824e30e10b782a75b089b0ce54df08abd

SHA256
0d0f889a899830d5e43b2ff8fb05e4a6fc38e03faf0d4051b8acd8e7e2fc246b

SHA512
163ea9149c8c9fca8af5ffe7ad5c1ed98eff8b871ec9e00e45e34dd8c344ed52a9d03eceb9e9d575725b032e02c83b7e57621541e18baa1de96419af5bd1f6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
951KB

MD5
40dee837588228f4f4bd1ca3570ec876

SHA1
787cb1c9fe3bbb15b0a05cb0e105a174a1cb9ffc

SHA256
010113f78fcc94cbff0593ea1eb4b4903b23543a747502bfb818117d82496e5e

SHA512
0c2244065fb85652997f2b33fccfb0ebf73d278faa861e36b5153da3313380628bc84862a811c163a6d351dc6492e22dbf628fc485f95ff405c3f93cf7cb457e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
578KB

MD5
0e9e10ac5989663db4b917fbab1695a1

SHA1
f66d80cf5772eaa4c329482d298d813076b881c1

SHA256
dbd0f9df32a503bca60fcb1b551e04d6bf61d7c80133f8aeefa6758343bf6b8f

SHA512
11539f71b5fea5f8cd6afbf0a673f6ef7271517f47c0609bc85a4eb765b2c4fa24385d16026cccbdda5bc0140d7967d8344a079c9e9ad6a5f680e5f2bd725b7b

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
675KB

MD5
34e3c0ed018928773de38014d7ab61ba

SHA1
c4a56092abdfb0cf16beb2e08a056617a48202f9

SHA256
cce02c62ef7feeb3047636c75328e6a520afb8ece22881953f23ab710bbca425

SHA512
2431bbb1f0d2aff2cebe57cdd5c05b872ebd4c091db2d907baa67d7bdf44ce582034950a432cf3127db5b0bfecaea8d94225b7fffb9a3630ba9ded7ba50d5d81

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
381KB

MD5
737fcd1126e57ec2fe5664105db40172

SHA1
be02a0ca385631f4b910e18b74940b95e612fba2

SHA256
b8b0605502656e44635616335e384c40251b39acc04ee1b3470f736ca273efcb

SHA512
ebae5605cb21a4d1103101d0a1deb8e200a7bd7cf3732a4eb1b9ee9e339e363c3ddf559d6bcaddc0594bc80c833b5557cac64586ff4c554a94eb01dbd6f87ca8

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
521KB

MD5
386ee92f219bceea4caeb2af15896602

SHA1
d522f9223202bd4e0593d670934a10fba4115ee9

SHA256
10ba518cbe1ae7fde94cc9494f92e2b3322c96de537113e6ce4a738ff379c32c

SHA512
73da8ca350372f4eec56690d1c36784a8b065125265f1ed00a389447e3fccf67cdafb142cb0e532369f464965dba317051f1026fc05ed0e341fa93fb4aea678a

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
372KB

MD5
0d764ec4a208a3888226a520e9dece07

SHA1
629fb438cdea4ef1a3a31b97f6fac9c9059f99a1

SHA256
cf5c059387084dec8d2e0c93180d7a2eeddb04025a6f91d8f324d9cc07ec03f5

SHA512
0b5ef4311e7f085dd61be0d36dbcaf799c860dd548ad8d5ff7cd3328a317413f420a56a0bf761d3e25398f9948414e9ed89d3b747d5b91d1189ecb32b07a23be

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
437KB

MD5
dea05a218c6e48cfdbb8220ddebed8ad

SHA1
cfa3b10c61cf469cf0a4c346fce7a88a79fa1e47

SHA256
03eadf3161f2d3acbfc95fed1b5e62f0a50fad4a401d755bfc9612bf8142e6c6

SHA512
04e54eadd242aabe40926e72fb7b4802bd1e86d11cc06da1645e183e282d4a7bf5edb7a4752cf9507ea8861120ea58573a12ba183b4dcc646261041ce0ac0f53

Download Submit
memory/220-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/220-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/220-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/220-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/220-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/220-43-0x000000005BC40000-0x000000005BCD8000-memory.dmp

Filesize
608KB

Download
memory/220-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/220-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/220-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/220-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/220-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/220-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/220-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1616-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3936-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3936-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download