73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18-02-2024 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4784	b2e.exe
812	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
812	cpuminer-sse2.exe
812	cpuminer-sse2.exe
812	cpuminer-sse2.exe
812	cpuminer-sse2.exe
812	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1552-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 4784	1552	batexe.exe	73
PID 1552 wrote to memory of 4784	1552	batexe.exe	73
PID 1552 wrote to memory of 4784	1552	batexe.exe	73
PID 4784 wrote to memory of 4672	4784	b2e.exe	74
PID 4784 wrote to memory of 4672	4784	b2e.exe	74
PID 4784 wrote to memory of 4672	4784	b2e.exe	74
PID 4672 wrote to memory of 812	4672	cmd.exe	77
PID 4672 wrote to memory of 812	4672	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\291E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\291E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\291E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2F39.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\291E.tmp\b2e.exe

Filesize
2.8MB

MD5
d4d869deb2cb71e8dd97719f57ca4cde

SHA1
5189354d2075f165912ab4cb6f2b3c4db2facee6

SHA256
58f0644310abd32a9d1e4221abf0def8003e893d0390bc97cbf8ed1eaea574c3

SHA512
0c77f8d680b3b3131de5ce3eadcc66d6c8139797ad09f873234ac4dea08990848bc54c0b4d0514eeb280172a8b28845fd3f67e725652fd93f802cbaa9b67116e

Download Submit
C:\Users\Admin\AppData\Local\Temp\291E.tmp\b2e.exe

Filesize
2.8MB

MD5
b204987909fd1affa07a987a3c8d12f7

SHA1
ac2219ceaa119d2ff5972d64823f8306fe5e5733

SHA256
ebac3e8089ea60af6f631727eceae490413d64687d439eb2740233d922190d42

SHA512
43fcf140af1456a1c2bffa939443a8b195126fe5805a8e819ac8c939228fc0c182940f453796e58527cbd5908ca2600e7d363f97dc63a94f5c7f96d05aad7488

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F39.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
344KB

MD5
ad97bbcfd88a2eb4e3cd033afee16686

SHA1
d5955ac4f342f9eebcf0c35b0130c8e9a06b2446

SHA256
b81b360b28b9173cccda419fa9dd6ff228f31960d0339ba21e2d0015b5d95ede

SHA512
17a82fa529b761ba9cd36c15b57454670d0998bdb730af051e90161775c6a0a02a2153c82cc305c46c574fd8bf492e9bc0ae2942daec8a01c9c9c3365843d22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
332KB

MD5
bfcc47d4b2c673324f8469efd5554cb8

SHA1
64523df4f780e77ea297e097bb183f3dc087c480

SHA256
5677153cc334a8d923351a3c2392585f8a82d6c302812bc304f76a9467f94192

SHA512
3b6400374ed07044846f862518cf75bb16be998a49fb0f88917f198f0349ff8a1f7c9b033ff1e684fac3ed27736f080e7c4a4464b2d69ad413bfaefa4ed93b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
401KB

MD5
54d6e2bbc8e82aae46e656ef086aaffe

SHA1
d785daa7a395b3b0144374c38a992257f7eefcbd

SHA256
9648587df3047d0a26f2f3978406f17b912caae898111358e82002ad5aad9566

SHA512
19cf1820b156535809174abab685a645ed07515388fc924a5963f776001d1767f28357cac2cab2c84797086eae15faa92fd89c4f3b8418c0d7c9910233c76ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
310KB

MD5
8c12db1f1e4a7a6193983060667ad73d

SHA1
fa4399b416c162a266eea6c429a1382084b35a90

SHA256
c22c719a75484f5049c47384221e0b65bd73b5df7a4f94a75c41ea51baf29a22

SHA512
8c2ad600c93d1d920eb0d058af02b5d06d313f7746bddded975191be0c004441db620f5bb0f4ce5eecf4919ff396f126a842176a725d68def79342858acad1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
282KB

MD5
7db9595a6dff05a666fe93ac14f6c9ca

SHA1
ca179786ff8cec71c31d432ee5ec043c5c7f7754

SHA256
cc2f6e2aded7ce61bb670218cf1a44ad8820706fa3c69ac06afcc675d3d85522

SHA512
33597aa413984be736a053640a717674fc06d99f5ec8b5c2c4558f17cee2f766ea106228a51f00b6712f2cec6d3f83e296faa83bb1239279969fb51e61fe9116

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
28KB

MD5
63ebbc206a407ab322225a6ecc95e71a

SHA1
ec59b35501a751c678a6cd2547d4501625638acf

SHA256
43a503c7915df8b96be413cebc3ba40f5da36c9bd84de2230f1ccdebb13b4127

SHA512
46394a3eae23dcb3ad4be466fef176238ce640dabf598f2749728ac72b9bff8fb0b5b43b352ebcac7202ae830d36f9c3660ad3f96b6a9d556f4917d073bb62cd

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
399KB

MD5
9bdab8b160582aab4b4e7bb31a5506e6

SHA1
b7a061624305b371469d217a700bebeeac195546

SHA256
fb1c9e42fee4007f61cbf3fce00ce3dec0786f92a67d67e80e99fec7543228c6

SHA512
cf9408b88d2edd4468fe518fa4a10be70b8313d431f96ca301509b4fd81bcfd666a8bc8e7e29fe8122d718f764bd559309cf527f00ece1780794620278874377

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
77KB

MD5
4f761ea5d134bc7f7193e356d0143fe9

SHA1
fdc5715d16329ff04219f7df906f7bc912707c96

SHA256
e7bba37a465d728e5bfb454114f61836abb333e36dd451978787eea4f010c540

SHA512
e7b12b1dd0308921362e35ac8b0a02d2c9ae9dca2c0bc553bc1b78fc0bf39f8bd20a8081d6a0489a80b5b41ba42f4286a5099e0af43ae281381ad182f2fb4123

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.3MB

MD5
d986299c6a159e226726d92e4d9255f2

SHA1
a429e54ff55377e6e0c2ce7f2616bd45dc68264a

SHA256
c5bbd2d8ae872238c8c549bda6d776b8ea578dc2ad735baa61e9cd8c5fac5923

SHA512
0a42a103b34b098ede982e6c18feef1d398fe385733b69b05439cd47908233012946713f7dd1141ad2d8bb135053109ce21fe8b972837a5d05b998510e77cb21

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.0MB

MD5
3f92fcb390c4455c752adaa762cd4a8a

SHA1
445ee388e977f6d64a306a38a029a278c02c3a41

SHA256
8a388620a94063ed238608b441acda8f51290d5c1c57b3d7db815c2aaae9e3ef

SHA512
31938b3d5d4f019aa4f0dfddade2faafbc435d4e96a0cae3f98b4c91044cb2cb3eefd4dfd006bd655c50dc077195cdb642f85ef065339b371a5f594ff03fe713

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
34KB

MD5
e881eff60bb9b28e0f9c712ee20591b3

SHA1
e9521e9f079fbdf934790685e568181bafa4a7f3

SHA256
04790e257bb7cf5eb108996cb7e56bf4f9c34d7fdf9229424470d38826b3b132

SHA512
8fc5497347f68c5deb23977327a22b4d344e24479536a477a2fc70cc944666f70f6a622f59cd69d3d84b7cdc100335121083d1f48c6b5251f83ba684d53e59c4

Download Submit
memory/812-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/812-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/812-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-43-0x000000005D8A0000-0x000000005D938000-memory.dmp

Filesize
608KB

Download
memory/812-44-0x00000000010A0000-0x0000000002955000-memory.dmp

Filesize
24.7MB

Download
memory/812-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1552-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4784-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4784-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download