73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
306s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18/02/2024, 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2320	b2e.exe
3260	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3260	cpuminer-sse2.exe
3260	cpuminer-sse2.exe
3260	cpuminer-sse2.exe
3260	cpuminer-sse2.exe
3260	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4192-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 2320	4192	batexe.exe	74
PID 4192 wrote to memory of 2320	4192	batexe.exe	74
PID 4192 wrote to memory of 2320	4192	batexe.exe	74
PID 2320 wrote to memory of 2268	2320	b2e.exe	75
PID 2320 wrote to memory of 2268	2320	b2e.exe	75
PID 2320 wrote to memory of 2268	2320	b2e.exe	75
PID 2268 wrote to memory of 3260	2268	cmd.exe	78
PID 2268 wrote to memory of 3260	2268	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\213F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\213F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\213F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\26BD.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\213F.tmp\b2e.exe

Filesize
2.4MB

MD5
000f75482a8f3c361e1ef9b58a16ee5f

SHA1
4e67fd460b9fa59dc5c1147833ad2f40f94d0279

SHA256
5143fc3449d84ea5cf510321dc92e2e28e68385863a6b07da646a406b53a875e

SHA512
fe72c633e123cea33c480746a4534fe6228f2c1f6184edbc75c144a201fb556ba0d68415c2abaa9c844a39bb900300f24476e38a4e13825829da54d629eaf152

Download Submit
C:\Users\Admin\AppData\Local\Temp\213F.tmp\b2e.exe

Filesize
2.6MB

MD5
a6832e3bfe8fa4cb3914e6021085d254

SHA1
e4e30f4649f0a3b09790ef4831411c105b03e2f1

SHA256
ce0829bf77d3b8671745944cb6e9836f80f9d5d3846ee53ed1b0dbb64b1a0e98

SHA512
18904cc3ffa5e154fe5d25c11d36ab32cf920eb272cc497c01ae1be3013b3a2bac7d64fcd3eb333c9992783ccf72b2971f37528517712ed5d16bc469dc1e1b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\26BD.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
a4bda0cd7a9d809c59c505bed6e5279f

SHA1
2bb7154cdd78acd2a14d151f747173292eab6935

SHA256
f29d076136b1ae31e15d2f9d0fbbb4ff5db83d162affd07d0602aabfff6f53ca

SHA512
216ad4da690a71fff953d4b400852c70299e6bd08dfad03be5edb2699ce58f74d2935bb52838253175d598165c7301c9855d5cbf803a98fd03857461f1ec3de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
255KB

MD5
e947a5cc4f6a25559b69b4ee1583b79b

SHA1
bf111afbd49d77b8eabfa2259db7f82cb4f187ce

SHA256
d2ee582cb6bec9c6efc1e97f535f974dce118e70381a02fa0e84345420da04b3

SHA512
a345bd62138408361b17714a739b06f648fd5a8da16e6d8a7b96f120a74be4a144c7d647e087f029109d72c6dab5a31435b331c5916df4829fc1a7700c9cf9a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
819KB

MD5
a0f1224bad4954fb0bab37a98391721d

SHA1
cda6d6a14f74f3df7cc098fe3093e624e9a4baa2

SHA256
159f54c08f65883c0d334c284f872f74564750ca2c806f0d4aacc2f88ab37b65

SHA512
66791c0c75398e61d6fcbca9a85c5fb7e6c1619e68509ae8cd5eabe280b61bbc4bc17901d3b04f1c6d14aab7327ddbc09c22d833b7cd671fa87150d84156ee84

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
758KB

MD5
3b26401d9bdd4e6b77cc06d257caf3fc

SHA1
62e50618c70c2c66a07998b76240db15f430dbbc

SHA256
195482f095607717339292d8d280caf1f8b778062cb7102876ae3de92029e241

SHA512
c71b8aab5278b192f6f59c903aa2aa29c88e292208ed174abcd51cf0f9a32fe97549c606b6b84b92e37263e0d2d4070343fc99726f4dac2578ca40c607f02ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
650KB

MD5
9bc843f195c2aa55964b77ae79864e58

SHA1
d8891ceb0dfacdb61b8918721dd27df53a3ac046

SHA256
2cd82d52ce41f882e7b044520dc457bbc14a4b1c600d3f4699e461cfa3121656

SHA512
059c6c3c014b2a8961937ea78f389b6503aa06dc9b734441b62b1ae53047395a15920dd95f2c3296291a1bfc821eea37d76181429a28666b82f6f7af1cd07d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
629KB

MD5
f60e177e2f0fef16df88928b1560cf9a

SHA1
a59a1d0db8a68228c8f8d8d9829a043cfa09628f

SHA256
09ca505dd6ce0dcc6a3649460f1ee6ed4902f6a1b68128b2e9346342a06196fa

SHA512
450d648b2f1d892186f1176b0fce69e7ebc04d84d7f06885513c4053ce9b68409fa1e2951ee3bf099b54b4dab954c5208367c6029ff7a017a2e78bd5dd7cc858

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
648KB

MD5
948c9ea55993ee06a3f1feb4587f0f1c

SHA1
0d80a18c42b8ebb06711f3ade762c2b2ffd6999e

SHA256
5333f120fac1f5bb87fbc28f09857ac3d0f3fb8bd0d5136784bd408e344b598b

SHA512
40d6cf3f9f6f3f7e6319bcc710ffb99110abaf0154de58f3b364a7bb038299194c97a31a20e7e45ef722038d413d3fd377957a8b95aceade7136cb4d3d3c77c6

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
476KB

MD5
51c5eaafc5fed9b83243e7e9d5b4d452

SHA1
76e043d1518ca33be8a3234eb1784245be78b26d

SHA256
fa6cc75f04d12c0a5c5e021e5f4fdba8e7e8e6549a993f5b0b6c4215c328486a

SHA512
fc45d2c17f9bcd8610204335db87409fa2ffae93d8db1196e664bdf338e42bfef730f594816081e58dbeb409a1037e420d0b97cca562cd07fb9067de43ad1530

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
399KB

MD5
ad87e586af3b1902e28f459d629216b5

SHA1
904b349a7743ad59aa6db40ca55beb3543bbadf1

SHA256
49b80a6feb8887903d8f486d05c78ae19e83e18e2b8f93693b7c198a50aaafaf

SHA512
0f77369deb474a4ceb993f75bf765d3025aee906e0c4ddbb10e5cdf668e0f5238ab86b07c2d7958f27842dbf95562df7f8239775a8afc1dbf226482426850866

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
590KB

MD5
60ade7a962d7993dc78ee75f64bf2754

SHA1
a8010f761e5a0e8aea3ad889340ad116dcf62cc3

SHA256
69d13e181b62cb3a6be5ac7384c398dd339eae685fa05b65a21f5905f9e2109c

SHA512
311d8be58a516b263332aeeb8387a3357d231b591bbdb586f4bf20042794b7ab212040e03c4e85fc4988568c02df7ac0995e38e6cd9626245774c6d17a473cdf

Download Submit
memory/2320-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2320-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3260-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3260-43-0x0000000050AE0000-0x0000000050B78000-memory.dmp

Filesize
608KB

Download
memory/3260-44-0x0000000000F00000-0x00000000027B5000-memory.dmp

Filesize
24.7MB

Download
memory/3260-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3260-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4192-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download