73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18/02/2024, 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4792	b2e.exe
2036	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2036	cpuminer-sse2.exe
2036	cpuminer-sse2.exe
2036	cpuminer-sse2.exe
2036	cpuminer-sse2.exe
2036	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2876-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 4792	2876	batexe.exe	74
PID 2876 wrote to memory of 4792	2876	batexe.exe	74
PID 2876 wrote to memory of 4792	2876	batexe.exe	74
PID 4792 wrote to memory of 836	4792	b2e.exe	75
PID 4792 wrote to memory of 836	4792	b2e.exe	75
PID 4792 wrote to memory of 836	4792	b2e.exe	75
PID 836 wrote to memory of 2036	836	cmd.exe	78
PID 836 wrote to memory of 2036	836	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\9990.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9990.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9990.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9B55.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9990.tmp\b2e.exe

Filesize
6.2MB

MD5
078f4d10ee41be7ff3cb661deb176e43

SHA1
87cc78544bfa540e5b8d179b651b419379e3b360

SHA256
403fc04b82dd2801c1bfb5ce105e5c7ebcbfe7580b240bf868e4fd778d9160fa

SHA512
c98c705ea0672f66c35cafa693b6915d78b3fce06d0692f15e1edb8dbecf3c009a316f978cc153676336ab3b1f96d4984d59aaeacbb58a4609959dc2e2ab2fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9990.tmp\b2e.exe

Filesize
4.2MB

MD5
2969ba03fd2ee1b923a3f869e74c7269

SHA1
62346a6b6b0947951689983a470c21a92da699a8

SHA256
845e13d60f21dab2ae5426b23878eb5de2229f77536d83bf0e2173835b75efdc

SHA512
88d9f678725a1418570abe8e9a82b703636ef67d09484289e63d0572240eae537df6877ae5b41c568285fc96b57ba6bf65b26a5061bc60922dc85861bddeb597

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B55.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.6MB

MD5
0a3490a6be4e4db9c57fc35240dc4cc9

SHA1
9861e1745c139aced4a4ea73d06a821c7216a11c

SHA256
664e655fe23bcef3c2788f0f797ceafe4b38971dc859f1abd0c93e42427a3f10

SHA512
14e56270796eb68552c6c34183cb9e7e8b8b65b1c5a3717636d20a145c1c0280fcbbf3ee4d4efa3e754720286745cac9481f8eda328fe1ba08f16c506d369034

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.5MB

MD5
f4a5d54bb551fa69a21f8f17ea5f9650

SHA1
2d5492ce306cd12a481c610cd6fe103776678e6f

SHA256
756e4ddb94dee935cc1bb50c491d68dcc58eeacdf692044609a1a79f53110c10

SHA512
5358c62a90e869f6c2652c021af2630b1429aa7888b078b85c64459b83afd689654a987a0c7c781dea85d84527800bfc29388e4e05b668e1ce5c56d419ec3dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.6MB

MD5
5deb3c84dd19afe5f5a3e791631697a9

SHA1
0699ff6e4408077f5bb269eafaee540fced6c555

SHA256
4fd426cd06b9fcefc8aca25fdc6de67bc5d41885dfd825694ff163c8e9f72007

SHA512
e3a11ee5f1d3bf7d1b51bb16c51165c11568204f1d068d64b27e3529eb2b03358861f661c8eab1e47c8baa965aa3da5b4b20e0d30499b68d2fe6cd19af4eae66

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.3MB

MD5
696922f5250b5df33813776816103357

SHA1
6f6e4cecb16596c1ad0e631c7ab5b56659da1ca2

SHA256
2802e69b65032d2cb76172ab508766f8a2b2beba9c2cd84dbf7c28fc9cbe1c7d

SHA512
dcb8535a83f321561241432304155a2e2a18435e102785a5789bd3a9ed643f153fb63ca797c8ca798d2d85927b29375048b43b0ef0bc4cb00c1c96b5822e8ae9

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
87e55261b978383f0d7e1e81d424e34f

SHA1
a987eb1f060b45c6b52aaf05cc78dac710d1d173

SHA256
f270c709857ff75441a60b2d7313ca624d71aa6e5c1e38b13bae6eb7fcf8b14e

SHA512
d9c7ceed01294105ad4515a821a237d396f48d21defc7771a1416d17c891f00dd57fc1086a2c3934b7d96f75887016d0a2b2e657fa6f2302afee28b2627de5b9

Download Submit
memory/2036-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2036-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2036-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2036-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2036-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2036-43-0x000000006B2E0000-0x000000006B378000-memory.dmp

Filesize
608KB

Download
memory/2036-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2036-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2036-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2036-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2036-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2036-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2036-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2036-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2036-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2876-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4792-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4792-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download