73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18/02/2024, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4892	b2e.exe
3124	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3124	cpuminer-sse2.exe
3124	cpuminer-sse2.exe
3124	cpuminer-sse2.exe
3124	cpuminer-sse2.exe
3124	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1764-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 4892	1764	batexe.exe	73
PID 1764 wrote to memory of 4892	1764	batexe.exe	73
PID 1764 wrote to memory of 4892	1764	batexe.exe	73
PID 4892 wrote to memory of 3840	4892	b2e.exe	74
PID 4892 wrote to memory of 3840	4892	b2e.exe	74
PID 4892 wrote to memory of 3840	4892	b2e.exe	74
PID 3840 wrote to memory of 3124	3840	cmd.exe	77
PID 3840 wrote to memory of 3124	3840	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\Temp\2769.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2769.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2769.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2F77.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2769.tmp\b2e.exe

Filesize
960KB

MD5
d15ecf39e70d4d6e278b0da9ff36ba87

SHA1
2139694bf96cc3b6fbfadb8a9c8745b8901bff6a

SHA256
04b2e6191d36dccb7b93c7d207ff16c0702cdec9b64b98206f9ffc7dc7633d54

SHA512
326cdd9b35aa3dbd39d2fd4a22dd78f732d481f05ef6dca085cd086d8ca91502f3be961b44e5c4bbf2ebf947ffc4f1b4d4703593951fce22acaa418a77741434

Download Submit
C:\Users\Admin\AppData\Local\Temp\2769.tmp\b2e.exe

Filesize
3.9MB

MD5
51fb195c824a4ecbe0d99bd354ff7348

SHA1
3ee06c23d1b6699d092c578b77c802625acababc

SHA256
784571dfb2581ec3848cd8d88ab0e4cc52edcac0adceff292395fc2aa19b847f

SHA512
e9821f284d05dfba4c7c127b394d834e82b8e1cb8d004e7ec25fc6f7583706e01b4bd9cbad6be2c8175dc5965e177d25b7a6151f58d9ce5d0db5d00aee48065c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F77.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
513KB

MD5
05d4000f115496ebb33ff5d34d25b3f3

SHA1
999515e2d8369cfb093d1cdde9cc7cc258922e04

SHA256
fa13adc9066fa434d6f1338bafe16e5e2b5cfa882bbbcc97ea19daf53c2b53b1

SHA512
59746d9ff5ccf0ab15550297abb656c91a5e11af1a22bc6fa15f4ace98eb76dae241cf6d8c6bba21362654947e8d3c4e36df2785c98127bd77938c707b19efaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
383KB

MD5
b07e6c21a1b7291b964b468f374809c6

SHA1
10446acfb54d5ff7b2b62f7be3f4fa3867d8f41a

SHA256
67fc26af563c79334e6b677da61d9da188e023035f335e377ccff79a9b6aa2f9

SHA512
52ef13c079d1949c7d1d151231479dd56781dff441d063d7d7d28438876fba46c754d79e047417b71dd16f3fe13e5f6b183397e2d17b33f8fdf5219e00bfae82

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
440KB

MD5
ac40bd6a6595ea567050268de0bc879e

SHA1
08416d11d50236a7516ae68b7eaba5992ba9dea2

SHA256
500ef60956c0cbf78a9084e2884162dd6eb58ae8bd781fab94f72c79a8195a57

SHA512
4608488d52b66a60216658893fec524ca9ba190909ff8b73b799fa976a8e427f80619c280cab4332d40d93809f6f82893d3c49dc7d5c8de42ac0c34fa448654a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
367KB

MD5
50f5fb03288d68cee6c915b6a78cb211

SHA1
a7a117fe038935760a4217598ed6e1c18cba1aaf

SHA256
57c475622c4a5a5aa95935a976a9fd5a3a087339e16b69d08bc77cd817c8d794

SHA512
dc907de24da7114a561b06755923ec42b15f2c906e20dfb0bc8933ca42867716d5c6c7ff0f119bc3b2937780ae0665ce4cc415d38ad35e9163cb4fa54161b0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
431KB

MD5
0985aba3a14e7f4b1d29ef01c5925d5c

SHA1
b08c92a03b74f06b235d646ffad51c2f8f9b03b9

SHA256
6c4c552a9c703e503489862ee5feec1cd9bcec842cdee4d0375abea7c28298d3

SHA512
a11841858e3bd65b43c443601dfe1f103218a22ab5ef3212b9dc46be3e7a55691d1b78498ce85c6ed8454090e362f49076d4f704503d82e91b27defb210ba0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
388KB

MD5
f4c6fd740f7d31f982a48ebd29394daa

SHA1
b29eba375400b51747d38a8ff8e23d1d8f8310ee

SHA256
bf99e21c141d90274e6933b84b3b7b3144f0eea7dcc797b027ff5fbfb9305156

SHA512
aaf05af4b896a9f272eeb825dbe0edc6d4141482d36b786d22e321d1a7c8ca3eff87393bfdaa9acd2256bab1f2296851cd87fe98c9b5ccb95b0281ce6bb13887

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
460KB

MD5
446cca8b23682404ae02823ebb4f161f

SHA1
cacf0de2a26d661fa890d7ab53845003ee6d9a87

SHA256
62424a24ee0239ec88f801e398852f6ac31c6146091ee968d60509aaf2b65471

SHA512
7df6292d3fafd692d7a1001221e570401acd813eb295a9bbf9a28b9b79cf6d329b8c1d4594f6af3e8a16a0094306fc064ddcae3635a6057578b85de4a5541faf

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
237KB

MD5
7ee53877ac2f1965db7f813a68ebdceb

SHA1
ee97e27da569656b28c0b2065a5f0ec9b4a1418a

SHA256
77fb404930b71d72a588bb004d316e3539285819d4a36001d382684978acb0c3

SHA512
3cb1a549474e9755ae34285c9dce45b13b4dbd41db7859c1329b1d6b4d730db36c306773782c2d5397146fcf1b1460d68320eca5a2d92a48081e1d6c0b3b4012

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
365KB

MD5
15a2bc17a77275b3ca135144339a576c

SHA1
d1bc7e249ebaa8f33eabb8b083bcbc17d027f01b

SHA256
57e1cb9e08fd7504b66f3c5865fce6948fbd7442cdc9af83addf9f6a2dcbd5ca

SHA512
6c196143e076ddb4b8d4b31d677e81a95898efa2ea88364db0dc492d30bc2a1a350e34bcdaed95091ad2573c670c88c18eabd40802597c7ad6e642d95c7d6522

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
414KB

MD5
8c9b5382a86a84c967deef7cab42a75e

SHA1
296da9c28ec6da0cbcac3cfa6f2db8a61540ce26

SHA256
2dcf63d53884d8da22ba52a96635a68034755cfe5e83818095d91fb3adbe4991

SHA512
befb9714adcf54bddd75ef91520eaee68ec0a6c4ac1f2a6693a6d9bf0ba6f5af747a53781ef02d76b4d6b51b281a341abb03e7a306007bf7232477183c31bc0d

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
498KB

MD5
eae8a1d50cd2f0670193e72e904e8e3a

SHA1
d41d9aa9f1ff1522fd1ae93630bb67da89d70064

SHA256
542d729517a6386bb978681fef6cb7df523f860052adae594ea9aa3308a68146

SHA512
195550751b3e7509397ecf028ed869f2e0c848824416a80de0d5b02543db374c64b747c1a5884f6e76677bfd0eaebb2d662ca79584fb795378851c81f20afe29

Download Submit
memory/1764-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3124-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3124-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3124-43-0x000000005D8A0000-0x000000005D938000-memory.dmp

Filesize
608KB

Download
memory/3124-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3124-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3124-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3124-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3124-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3124-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3124-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3124-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3124-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3124-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3124-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3124-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4892-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download