73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
297s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
17/02/2024, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4656	b2e.exe
4968	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4968	cpuminer-sse2.exe
4968	cpuminer-sse2.exe
4968	cpuminer-sse2.exe
4968	cpuminer-sse2.exe
4968	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2900-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 4656	2900	batexe.exe	72
PID 2900 wrote to memory of 4656	2900	batexe.exe	72
PID 2900 wrote to memory of 4656	2900	batexe.exe	72
PID 4656 wrote to memory of 4840	4656	b2e.exe	73
PID 4656 wrote to memory of 4840	4656	b2e.exe	73
PID 4656 wrote to memory of 4840	4656	b2e.exe	73
PID 4840 wrote to memory of 4968	4840	cmd.exe	76
PID 4840 wrote to memory of 4968	4840	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\D49.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\D49.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\D49.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1354.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1354.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D49.tmp\b2e.exe

Filesize
1.4MB

MD5
c5e09858066f182b7f5bdcb61d9b36fc

SHA1
7a1de79ffcfa17a7a86a01f8d5046eaf970b8905

SHA256
b5ede4ee58898940fa268a8aa17da9fc31eae634a8c95afcb2412ae199e8f4b6

SHA512
70e4e7cf5ec9df418480b0773c325e489749cbf6b5af491b24f6a6b2298cb043f681689531e70666787d42723d096d57012f1bccf317367908ce68a1420a6dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\D49.tmp\b2e.exe

Filesize
1.2MB

MD5
05f6765e8266a1a7d81a80da7788444e

SHA1
e7afd0bf0dce889a026f4233c6705907083e6e23

SHA256
3256219f071d9bbeb2b3483abc7e647cbb550c0b74c415ace444bd8a334df9e8

SHA512
417d266a6eae32d630cf1322d3ab78f8547b09254ba3b5e2e544a7fd294de819754ab2f104ba2f3cab59a1fcfe7b0ea6f622712736079b7eec12a242b914293c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
330KB

MD5
8ae6cd63e0fa1fbfdccdb41487508e58

SHA1
2bfac91c6a940e2e2e7257eee15e2729fc65d8d1

SHA256
8f0779186160e3c499f284d4f2ce860f89a73de4b7d2a01416204678880a3673

SHA512
9250bb6985e7434861cb2363ff42ca3235291e02c2e12d8d9a2394733a9426d9b9c11c8145a5163511e0c3d4694b23e713735d9410c60eacece5f0d19cc3e131

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
297KB

MD5
ac7944abb771d6ef424ccd85e8adc91f

SHA1
388e06efa03b622cb7fef3bf0268070402d7c36f

SHA256
13471b2c1f87ab1a6a809ae1d1f4eb3d02d49979219ca5ee5df292e163a7ca3a

SHA512
d16c8f55437bd67d9db6788a2d3d85f8b5b13e45b5cb6afb8db2e407988790c6a1ba5edb82b004c46d99343264eec8c7a1569d5d64b3f5e0cca5e61730a3bc6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
274KB

MD5
b551e9b9b46da257333cda743d434d80

SHA1
4238d50afe45a2afaf26f70210b01573e515b59f

SHA256
e68d7838abbd3c2de78421b738f608cc0496f5abe95b2e347cdb0f5809376b63

SHA512
6a6b14f779be00bf19db7d95b6b2eb0d96c1f99d6926f82a5e224188e7eba306e0650b8090c2dc26c6e7f4817a27afe26f3b54a558441ce01019d1d712ae7130

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
369KB

MD5
4cafa81e222a82b52ae07c8d52fd7faa

SHA1
b1768d45e41434b112d2adb840598cf858d86801

SHA256
422d0dae9d05a977418f368c3d4953227c92abbe43f2dfa68eef5a217e3250a4

SHA512
ae6aaf22630b62d57e477927dfa993b88aceb8e1acd8adef1b5b6ab67d0ca12dbac037966e807359cd83fb29efc56ab54dc5647fea6bc36aed34753dd41fb1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
363KB

MD5
3b53d3fc2f4c9e6aca0f07d45d7cffc5

SHA1
ce5de57b18cc3b34324a484ad8b868961f8fb5c9

SHA256
550b3e390af98eaf3df1e23b7e0a7c57fa44b2dbd8acfab5710c2d9ed39dd13b

SHA512
46735581f539bde4393070c76edb0759a0db5f0335f0223bfec7259c7bbef44635b67ed5265738c974e54a0341c9d62d0ab006bb2c3e13e9ac63ec905910bcd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
288KB

MD5
f6c55bc0be10871e81571507edf8331b

SHA1
057edb99c403202f82d98fc4163c123ce6c59d6f

SHA256
1399be54837e72256a536730f16a22cd599de67244715576befc42a839d47d5c

SHA512
5dce91d93eb397dd4537e3ff6b1df9b3dfe25fd99e20eed9a9823b3b11c1d7309417238f52ed9d4001611e853fe672d90afa0abd20bbc7063e329de16dd4a177

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
277KB

MD5
7cadd005c65e38d39652327c484ed344

SHA1
72b2360409e7af48be541aca19c491fd1b8d4c49

SHA256
d4b11b720e8dc941de29b39e5c51805a94ba70204d091bbb126294872c49dd12

SHA512
db8e8c451d7e2cc0f624e7f0dd210953acf295d87a6e65959002b7a3414e1898eec00c28edfc27532997af5ffe0d1e19b9c3d62415553eac7e0add9429afccd8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
296KB

MD5
e176f4ebaa803a615e2c13f9a3b113d1

SHA1
e350d31e42e82171cf31f9f7c152db9381b043d0

SHA256
85a225ab6ec9985041aee8e3cf0c733c17160c1a3434b77c33b9269430d3fb15

SHA512
86133eb1e6795f2c1a51d67ce9ebc863269b818a1502ac7cd20a90b159ed58514b34b80be918a91c7657adc3f2e45dd3d8fd8b988151dd3924c45da76bdfe472

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
449KB

MD5
3a38669d27c168d4bd4ba98853b6a1ab

SHA1
5122ceead877c42bff0ae49114c27169c56d6eea

SHA256
27ec001adc3b2fd6a406ee5156d489db6bdbebf863f4e97935e76615b6d023fe

SHA512
4e905e3391e8f239baeeea8f6e29d18a1a4c09da5371f6310fc7218c299c09ee69d36ff75eba4db20f3c847db4849bcf2e436e6b3f8dd9649b59bd28a399c4ae

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
357KB

MD5
3fdac40ad04114d14d32f49593684e69

SHA1
6811b7f649a573193ac032d4915dc8106feb065a

SHA256
b4a8c08b60ef812090008097cfdfceaa03529641b869a5c60d3e3b31c384cf0e

SHA512
59be6c0de051108743c26095bebb080bb8268b1bef1d575890b0966f42386f76d0ff5c26b0d6a725e1af8ed76fccc31ac6362220e45bda32dcc16d52f3abe440

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
290KB

MD5
1f28d585877b6e045cdf1b179a16cb5e

SHA1
b751e103f5e93f46a19a690eb47c32f5a9ece1af

SHA256
b47a9a7d1436f3da789394ff5e7c9003e013235c6026ee949b615850da21cc02

SHA512
330643868905dc92cbbd071c4a46267d1cd185db2f69f1ef829e94136596e23df584ea0d3fce0b6151ba2a3eacaf46cb51391920d88f6a4dcad494d55af7fb6c

Download Submit
memory/2900-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4656-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4656-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4968-44-0x0000000000E60000-0x0000000002715000-memory.dmp

Filesize
24.7MB

Download
memory/4968-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-43-0x0000000074E60000-0x0000000074EF8000-memory.dmp

Filesize
608KB

Download
memory/4968-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4968-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4968-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download