73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
297s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
17-02-2024 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4400	b2e.exe
3136	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3136	cpuminer-sse2.exe
3136	cpuminer-sse2.exe
3136	cpuminer-sse2.exe
3136	cpuminer-sse2.exe
3136	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4204-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 4400	4204	batexe.exe	75
PID 4204 wrote to memory of 4400	4204	batexe.exe	75
PID 4204 wrote to memory of 4400	4204	batexe.exe	75
PID 4400 wrote to memory of 2736	4400	b2e.exe	76
PID 4400 wrote to memory of 2736	4400	b2e.exe	76
PID 4400 wrote to memory of 2736	4400	b2e.exe	76
PID 2736 wrote to memory of 3136	2736	cmd.exe	79
PID 2736 wrote to memory of 3136	2736	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Local\Temp\BC3.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\BC3.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\BC3.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1373.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1373.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC3.tmp\b2e.exe

Filesize
3.0MB

MD5
a5edb569cc0f920515dd02e916b9b514

SHA1
4f3157d28d79ce7ee22cf74c4165987a2082c80e

SHA256
433528b895cf36f1054a2f8bee1c81ad4e4cd21eacf63d95a2cb5d577bac8ce3

SHA512
c6e537392d45129b26010e9198372b783b555896d05abfdfb61e975b80f1faf52618b231655923cd13f7f41e69be1ab547db09135d4d1d28351b1098ee9d0dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC3.tmp\b2e.exe

Filesize
3.1MB

MD5
baff6fa6f6a97bd884ce36a31f20e6bf

SHA1
cf8bf95df67cda466e29be4ca7b530cd0a80e2fd

SHA256
7e1f2fa01cba58706273c852836d5ccad32b5af2ba4e3fb0f2e9a54fbe37aba4

SHA512
9c3a7143fc82009f6287d55f2d7c5ff70587066954adece864085aca43b406260ec01358fbcf3944c6222afe2a713442c652ce2ed67a5294df81c4906694a01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.6MB

MD5
b45a554c88d31258b4c7436d0ab47ccf

SHA1
66b31ea48cfdb5d3ac81829a2061909b6092aa8e

SHA256
85b5b6a33049c8bad28e311b6888d2e340a954d5af6ca0121f6ede163fa361c1

SHA512
6a45f9320743d05efd815836714476944e5d21b58ea62960a942409233812c41d6b441e7733f5238cdf4c3e4971ba546756b13043b90ba4e0f71f397bf9e42c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.6MB

MD5
7db83c2d65dd58173344a6735eef4601

SHA1
e6f8c3958bd1edace7c698deca70129ba08fda3e

SHA256
a5fafc8ad1ec5bce1df6f4ff7aae48ff88e655fc6c4b18cccda87e888e491272

SHA512
753b6b7f7a6b2242dcebc2d2db5ec8af58dcdcf5b04dfc94cfbd7e249322883ab8008d34ff1d6599b3ad6bc464c49a86327fc1200c84f8a0c3736a13c5c92074

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
27f0a2d17ac61ea3cb8af2b68b94e956

SHA1
c3d8cda63f618da156509cbd465ecffebfe97732

SHA256
b4e6855ec7ab7457dc2e3ad9ba86e4aaf4982a75e0fb538bde7d58f147bec523

SHA512
9bd25e8ff395dcc614610af5bbdd45dddfc3e233aa14d4bd5b325378b6beb355c7082d7b203d1e9cc41829d69ebc6ff95aef9e770726792a7536223059c0b582

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
99304f0fcbe10c9607d343e4a37de13a

SHA1
fb1f9ff785ce89fe59c6d596565dc7ae46c45e7d

SHA256
f8b3cbfb339ba7eff966c9bef86e83c27f9fa1298e948912230abd989afb56de

SHA512
fa00510309aeefe0f5c18ade635fc8a541904eff0af788e91576c2416bbfa1e0323ecd1d8d10ea302f8992441eafeefb6b55e23c7caa4d8589e27ce259c2cd26

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
4ff4f3792db66ce25eeec2a6ebbc26af

SHA1
808f4629481c9d972c12f37de6352694f0f35a27

SHA256
cdfafa9c3c27370e4a84cd36e0470e112e177cb697f96d2883569449c21c11b0

SHA512
c2536d4ebc5013fda313d52c906935fcb59a67c76221ec85ba4fe12aefa77aa5150104c4e3eaa533cf345d6ebae022e9522d25a9cf3c1f6bdb2d5702872cc8fc

Download Submit
memory/3136-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3136-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-43-0x0000000070ED0000-0x0000000070F68000-memory.dmp

Filesize
608KB

Download
memory/3136-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3136-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3136-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4400-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4400-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download