73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18/02/2024, 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4524	b2e.exe
4132	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4132	cpuminer-sse2.exe
4132	cpuminer-sse2.exe
4132	cpuminer-sse2.exe
4132	cpuminer-sse2.exe
4132	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2688-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 4524	2688	batexe.exe	75
PID 2688 wrote to memory of 4524	2688	batexe.exe	75
PID 2688 wrote to memory of 4524	2688	batexe.exe	75
PID 4524 wrote to memory of 888	4524	b2e.exe	76
PID 4524 wrote to memory of 888	4524	b2e.exe	76
PID 4524 wrote to memory of 888	4524	b2e.exe	76
PID 888 wrote to memory of 4132	888	cmd.exe	79
PID 888 wrote to memory of 4132	888	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\C11.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\C11.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\C11.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1364.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1364.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\C11.tmp\b2e.exe

Filesize
3.5MB

MD5
6a5d728749143644265f1d40efc733ed

SHA1
ae09edd200a2fd0fffbf7c2712e81a898b57793e

SHA256
cf1d0700b53f06718b1c1f1bdf7449a9a12feb155fb543651a6383560d8f80b3

SHA512
53df90f4a92ca88257e669b6ce15574cfcfe604585a128b3805acde7d5dc115af4277dc0f9075b6472b30fd954d4726841286e7a77236b4e784cd459d0d99fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\C11.tmp\b2e.exe

Filesize
3.1MB

MD5
25134fca18b0526aed8f69ac3dc21282

SHA1
9dc5f3917cc88b19aeeb3baf7647f788ca67ad71

SHA256
5d06af87bcce4f67e339f63f4b9bc817ccfcdf51b320924833b9814b2a7f2e9a

SHA512
68376e1c17bce8595e911eba364ca67cb03dc3b2958253237f7cf570114a7021dba1ab3ac50837bc3e675ac1c48b6053b221af4c6211d92548d44aaa13412e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
554KB

MD5
bc7e316ee3e53fbf00d9cd3ff474ddaf

SHA1
44374e38b69b0568b5b0f2ce53d78921804318cd

SHA256
e39d0ddac483d2904943305583d2914bd1f0ed9699f1f6b339becd91b4c9017f

SHA512
edbc61842debc5615e64687888ccb7f77005c89155d312f0041bbd384c6193b22bc3aa4452e1a51333f4d7925f33a6a767ddff6c69d7dff992e42e6f75fdfb9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
484KB

MD5
713cfa9557c34c7b29a6a340fcb00e5b

SHA1
744839d74f139f9db217da41bc5c855240e766d7

SHA256
2ff8d7a391ba6423380fe72d481343587fb53fd9aca6713d95f25a994a72419a

SHA512
22ac7342b6750ff07fc2a7fbdd20da42949d2b956c1e51e6239fb75b21ae886c92e8d4a3232a650b3ce13dd61dc9d5da8634c6d28f2ee833af70422c3eecca50

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
313KB

MD5
1cd8e0907c0bfd06f2594c92559665c7

SHA1
bd3a7a9b61cb26121aac1651e1b4c00bb11fa1e4

SHA256
ee7c0bbc322d0b86d4524197595833dab6b00c8e68844b841b1ad9f4b518b984

SHA512
ec51674ce1ef37c4955496982cbf4599118adac59e1ccb71a81cc66fe41571cabad157d9a0b1e040be6ff576661a031f4b12c613c3058c81d8c8c1aec03ed786

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
324KB

MD5
2eb25908185c9eff2dbb958582963ba5

SHA1
2d5443f28a8462710c556cffc4487c3c73847ad9

SHA256
e0b81187a5a0f0eb74c35cf4905d9c5d1c3ab9979938133a935a65c6558fb9bc

SHA512
3b8c3bb2f51238538ca494f929593b5cb1b6b54b94000867ad420f3ba635b5c90090d06e8b9388ac48ba37a7632feef6dbffab615e9b2f8acbaa9f7751ef705f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
268KB

MD5
aa703ad00394480feaa56eb85947a68d

SHA1
59272017e5eae7fdf0dff60b160685cc02eea586

SHA256
c591f261c0f9a5472ad0dbb8f8fa01c770f04d6fb25737c3f40d66e38257c1ea

SHA512
f4ae1fbc82e24c3161b0eed37566bea81f194389fb88a1474ea47aadd903463a15cfa98c5b1e471d757d94116cd470ea0a5036310a6ab104153a52faa09f4495

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
252KB

MD5
e29f4fbaea4f18d683aabc76ec56a86d

SHA1
f4372d4df050c34f76444f42b4b5f087d3123030

SHA256
7a6884aa22b40b90956da469387298a3e9ce751f258ebeddb7b45558126d2866

SHA512
e7e62564e0979954044694fa5ec81c5f708e87a599ec7ee9d710ed57898d75f371ea9ca416c14c60c8b85b567c851e82673fdf13dcbb9bcb4dfcfa37060f536d

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
197KB

MD5
d185dd410bfb67977d6779c1ff72a397

SHA1
d08d67d20717de8f866f5d2fc3b3ff141225a871

SHA256
37b9815d5ef0710bba76636b62a81d682b8bc7046dedb5e57a117d6084d15986

SHA512
aa8afe2ff2a78a2a189b6ac3f5e3bcb706a5fa3089e450d15cf8bd64b085fba6d51f01ed123e969f102273d193411236587857572eb3726ce266dfcd9898940a

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
176KB

MD5
571c0765e3bc712eab246d8238ed2828

SHA1
07d5ca6b3c1c1368f696d7bc945d73caa2423716

SHA256
b7f590ed697a18c54f01668ac71871505ad70f6a57c3dab4ac82094ca3f464b7

SHA512
310b0fc184a9fd3066fbafc1a129d408da65b7ad53bac970e08414a98d5a75407c53eb4311f73394ad345e384ff839a5d2a91bb2a187e08abc1041283acf4ecc

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
326KB

MD5
a50af12859f8a9b11281ffb58e4b911c

SHA1
a28353090f49c95c5bb8b4ab25bbaf4cd19c0d6f

SHA256
feae28de4f902a85bd374589e5f4aaed930830721a90eef6c0ea4e0990c2de06

SHA512
49f5ff2fe881d98bf874e11a87e8847dc1312be7050c98d3903c86eb0f04dea1d386da52983c8d5eaa33e448bca22513c0cffcdb6b53301f9b02694d36301238

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
182KB

MD5
14cae27db810d51a86e33bdc6b51d21b

SHA1
3a3edad5d045abcf4fcc9b03207a3dcdfb9f525c

SHA256
4bea9ff2ac437b41cb6ee4587045299182a1700ca0ab3fcfd24e98c39a6d4513

SHA512
b20c5e97da41bdb9b08af3661722233be203a1dcfabb88428dbf549bfe93bba08931dd8559582f3b1fc97d721cbd8fcf1c658c3576f5c3d02b77617839e4825e

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
246KB

MD5
e5f4639bffc25d373448118d784877f3

SHA1
b475da07fde106f1214f7fd53e0d8b1b4965270d

SHA256
5be9b2b56e74079f4f99cb5626ba34c8dc699e8e6a58c855d5e846a9c3493614

SHA512
6b7167906933440504009304e278e986b778213c255add8e32863e53af01d20c12f5134a1bcdd6f820db1f3ebbec2c0095292ec7ecfd825907d8af5c09ea24df

Download Submit
memory/2688-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4132-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4132-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4132-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4132-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4132-43-0x0000000070ED0000-0x0000000070F68000-memory.dmp

Filesize
608KB

Download
memory/4132-44-0x0000000001150000-0x0000000002A05000-memory.dmp

Filesize
24.7MB

Download
memory/4132-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4132-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4132-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4132-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4132-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4132-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4132-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4132-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4132-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4524-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4524-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download