73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
304s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18/02/2024, 06:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4824	b2e.exe
3596	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3596	cpuminer-sse2.exe
3596	cpuminer-sse2.exe
3596	cpuminer-sse2.exe
3596	cpuminer-sse2.exe
3596	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2400-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 4824	2400	batexe.exe	74
PID 2400 wrote to memory of 4824	2400	batexe.exe	74
PID 2400 wrote to memory of 4824	2400	batexe.exe	74
PID 4824 wrote to memory of 2192	4824	b2e.exe	75
PID 4824 wrote to memory of 2192	4824	b2e.exe	75
PID 4824 wrote to memory of 2192	4824	b2e.exe	75
PID 2192 wrote to memory of 3596	2192	cmd.exe	78
PID 2192 wrote to memory of 3596	2192	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\A901.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A901.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A901.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AD57.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A901.tmp\b2e.exe

Filesize
9.8MB

MD5
786576d1c8ca39b9d6838acf24b03020

SHA1
c32b84113168f12eeb05512b6d4952e48efdf515

SHA256
94b97b0b1e87393550c4f4f7cb7fe06e539982a5fc844174a6dc686450a6fd13

SHA512
250f63757ca69cbc70f4ac6845decaceae65d7fb51dbd1e12150ee2e8682be070f17ab3e63f8fc12820d34e17a5786ab7e0547c5cf3c0ee1a1afccc30c4de565

Download Submit
C:\Users\Admin\AppData\Local\Temp\A901.tmp\b2e.exe

Filesize
11.9MB

MD5
04d50cbb43d10f6fe96d0598bc8cc6bb

SHA1
a0cf4634ad63f62a0207ac0290241565baf29667

SHA256
d715c6d19d83e735ba8d0578eef43397c18770b40f46adfb58a8fa0061d6fb61

SHA512
1117949820b865112f59bd4d6d13b3b7f936d2d792a875de529015fa1717cc8d8107d0be738ac2c0dbb92b05e3f0052a9ecdb4eb6154c3960ffbcb41ec4810cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD57.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
291KB

MD5
2904d967fc14aae3d659869521381a72

SHA1
d3fb2f08794c9eea8c9b07d070c388a35444e74e

SHA256
c999217e26e3123e2e3c5c3d5e5c2397c9204cab970f5955b5224f2934657d75

SHA512
43655b13534114e3ec55cade1f1fcaa269bae19dd762e7b3698fdf45e449a35487d2d528cc3f2edad49afb157fe0c6e607b640c12e4793852d21d144d1a3b429

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
42KB

MD5
e82fb282ee4f91dcf656a44e54434264

SHA1
446bb698df4182e1fc855b3ae15cb3390c87b214

SHA256
7b971ee9e53270359e987aced51dfdaead26987651fff474db6907dca395c0bc

SHA512
c4e5f4506f8a8ca06185fcff5496b3eb1e187daf3ed1223581fd5d230e5007ede6ea45ecd5ba2127e115b1d2074ecde53d263d8ec67214787d2c86f06664abc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
6.4MB

MD5
2a268d17d6422e65ed5977bcd8ad9852

SHA1
6d0d46aa6799217efd7bbfcd5309d704706a639e

SHA256
b8f81b7afa44e9bbd4f710a8a7268921ada69ab029ce83c4f8f7ceea04462d80

SHA512
ce0068cf7ec2771151fc0e5220207d40a325207a02577631998895b6e1ec63ae30b6c0a320efac2886fe06e532e5df3959dbecb3ab057502a72430cd225d1d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
11.4MB

MD5
c9ae142c1510e09336a6ec3c4f956503

SHA1
955797b076daf02c2157e514a95099c71fea2512

SHA256
c69d02d880d31c0302122eabcb4a2dd70baef0371c50bb67db0c249c84130d84

SHA512
60184072570a41aa1070a6c1ea671ec3aa092a7d5f8fc6d0b6cce145a0b033e781c8c6601c87b8bc15b6f5d08310ac3637cf340d4348cf1f9bd4d20b11885956

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
9.0MB

MD5
437b0752117276fb2f6005a9ae35bc08

SHA1
fc536ce248d6c20c4ed7ee4847d8990f47628301

SHA256
02ef36b2d4099133e64c0df63ece8cde0682ba667797798e35505b0e5df26e06

SHA512
45dfce65c10a10e53ed4d2fb5e4ddf067f881ac234ed31137c452c573f3626eb5cb6abb44a3e3fce3cb4a1b67cf7cd049bdd630665a169df89382a1bd18d8755

Download Submit
memory/2400-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3596-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3596-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3596-42-0x0000000062770000-0x0000000062808000-memory.dmp

Filesize
608KB

Download
memory/3596-44-0x0000000001160000-0x0000000002A15000-memory.dmp

Filesize
24.7MB

Download
memory/3596-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4824-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4824-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download