73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
302s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
17/02/2024, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4492	b2e.exe
3892	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3892	cpuminer-sse2.exe
3892	cpuminer-sse2.exe
3892	cpuminer-sse2.exe
3892	cpuminer-sse2.exe
3892	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2212-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 4492	2212	batexe.exe	73
PID 2212 wrote to memory of 4492	2212	batexe.exe	73
PID 2212 wrote to memory of 4492	2212	batexe.exe	73
PID 4492 wrote to memory of 4268	4492	b2e.exe	74
PID 4492 wrote to memory of 4268	4492	b2e.exe	74
PID 4492 wrote to memory of 4268	4492	b2e.exe	74
PID 4268 wrote to memory of 3892	4268	cmd.exe	77
PID 4268 wrote to memory of 3892	4268	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\2A57.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2A57.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2A57.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2FB6.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2A57.tmp\b2e.exe

Filesize
290KB

MD5
009e9f6cf91abaee6c8d30cebc603b8c

SHA1
4b4ac8abb98c65590c15889c4501a33ab0a2eb3d

SHA256
d2513c669f0815d10a74ce1bec966c3c4f6f16cb486c9764e782e02dda9751de

SHA512
51c68b1aad4842715010a7ba63222c6171c1756adf18fa8fb4d325aa4350e27bee9b4a2f4c0a6db437042c3bf72cfcc7d741a67c249c8122c810b00cb592cb05

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A57.tmp\b2e.exe

Filesize
376KB

MD5
c3a37b1417bd6460f8841332a1619f95

SHA1
e9dd9aa3091734bdcc39464c140ef29201a4c08f

SHA256
c17e086ca330efa809dfc43ec99586faffbd5bd3da4897bf783cbe651bfa5b3d

SHA512
9693fe0027f0710fc2eb36fac1d9d3844ceeecc3555dc9b6ad057eb094012cc502f8aeffe2f3d0638e61c94dc2558bcdabe961b6f39dd4fdc794c0e8dd87225d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2FB6.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
680KB

MD5
eeb962b13051d9d470b7d4a6588e1626

SHA1
bfe07ef3d25eb850b4637ff3ab0cd397acbff848

SHA256
bec26ab4ffe158e8d070682887e7af8a20d0b702d22a97ffe7c2e3691c588e75

SHA512
761b7a5e28d43956d6bc79820a98df66f49b8d6d8d20063162fbc1949a66ee8b14db406057f55a506c4c837945bf4cb7e91eabc812abddddce15fda3b6c9528e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
736KB

MD5
7d3ac705058011a16e181976216cff6f

SHA1
1999612cf756c20266b2fe7b566e23a769de3e31

SHA256
6aa41a1d318ee040e144976707d6c37b6687eaf98f545ffd00cf23d54fb307e6

SHA512
84ed68c0daa993437f7bb1728088e6a58bee0f23e433029c31fa520fc43b6ec19c70723d98e989c744449ffe8646cd43a92c67e59ef93bae5941bee3e6e8dc34

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
760KB

MD5
8ad69598e75ee9b90e22b945a5a0a798

SHA1
a46ca673af840b30a70c0808c4e7455eb8e8c615

SHA256
d588bf24bddc1817e472b246d6edc07995d3bdd62f0d1e157c5935b4de89a486

SHA512
956c337f1450612afe7b2b4e2befe303a913452165f0b030ee016b412c2b0873e41f0455c653b497a09dc2ef9c9c31838f1a29b12fd73bc870c1abaddd083c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
769KB

MD5
dd7f375835ead4dfd09b154f0ce82922

SHA1
b031bba3b1f0657520dac549c0e75fef47edf89c

SHA256
8d742e37517fd23c285787c14b7e2239a1d2fb70626431a09ffaca0a7ac776cf

SHA512
aae59a0510c312c2c032bd3fda757be52e3f10bdebd1629e7939e6894935ed083d403e137ab266fbe966edb12d9964ac0e02012ae12e8de120bb51b9fa5e3515

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
589KB

MD5
832f633f6e2877040bf4f1ff05d65b7d

SHA1
03fcd07fb75af5455fce8fa94a3554fd2cf00441

SHA256
e078c2130b26dda6c7606a0fc37ca1c6fb0147e8fe8ac9555fa01db5c2b7aa96

SHA512
c80edf0782899290b75281222fac880e20ecdcf8fc531a348b7e711cb1f5df1caa98ea51c610a7148c01913e7f0ac73a8224dd2137ed30d08ac608dfe60169b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
554KB

MD5
120aa344c2662f0fed77d83b8356af6a

SHA1
72347f576f00db601fee8d8b18f493ce62d2f3f8

SHA256
8c8978287cd8573de9f88441633de11edf3cb5fd29b95265415f30aa70b1672a

SHA512
f7c1383b9eea51d555156a79f7b63b5a6affa7b840a862685027778fb871f762158afbde54491e7f68f6e5aa71e965174f6be7351fc266fd3a4a72fb7b62e44f

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
618KB

MD5
d14e2fd65e4e83b305205b897e5ddbb2

SHA1
c9963e8dc49e20e36e795422f03270c4e00059e3

SHA256
7917919df7373453132f2dbf5898f3a6be19dad099ddf85708b32b05f371692a

SHA512
6e79e155da423b46b91a5f0382428d8cf8ab22bcd3af22809e7f4a93edd934aa7960ab694e1c7e3c5c0a8b6a13e12243d033e44de7a7424ed39984921e234b1d

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
494KB

MD5
07be65ca5a5783bd33f5451d81509eba

SHA1
d9aa6dc95b7798c57d7b3dee3ef2d0ddb3df97d5

SHA256
4808438efcb217c35b039f21dd819659deb98add7240c829fb8ea666827eb153

SHA512
639cef7285dfd8b8ff52c3af09ee5c6d27893093cc339d4a7b1e3de01a035fd078252a247ec20db7ee67dbbecf3159934e15230724948e74a1da07cd81bbf722

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
789KB

MD5
fc71cea7a154a97f49d7d7d46803bdf9

SHA1
57e51918fc89ce29940a9d4180436d69d5398951

SHA256
9df41943fa39e43f54e1369e688f26a2f81b4d02b7dfdfda1fd63da45554b7ee

SHA512
cf22f0fccd5f60f8afd42342c8ba5265c105e31e59b2141ee1d148cd420ca30dda54bbf09a194952fd40f3d14781bde023f8905333defd54ae9ea18b4f9150dd

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
494KB

MD5
6b75afb21203759453cc07ee30c127f2

SHA1
d94198c4da3b3dda71bbef55caa9c4addee7b608

SHA256
4ad06c50751298f145cc606ce522c80ec8076802b7de42a667ae13f7b2b896a2

SHA512
516adbb1b93d92342304ffa742be50579634cb57d0827bf7b4cfc0d4b8049ae962e814d45e799f1344edb920068ed6a5deb9def2a1e05f683572c92f6292b8b7

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2212-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3892-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3892-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3892-42-0x000000005D8A0000-0x000000005D938000-memory.dmp

Filesize
608KB

Download
memory/3892-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3892-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3892-44-0x0000000001160000-0x0000000002A15000-memory.dmp

Filesize
24.7MB

Download
memory/3892-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3892-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3892-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3892-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3892-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3892-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3892-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3892-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4492-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4492-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download