73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
306s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18-02-2024 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3608	b2e.exe
1568	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3912-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 3608	3912	batexe.exe	72
PID 3912 wrote to memory of 3608	3912	batexe.exe	72
PID 3912 wrote to memory of 3608	3912	batexe.exe	72
PID 3608 wrote to memory of 2336	3608	b2e.exe	73
PID 3608 wrote to memory of 2336	3608	b2e.exe	73
PID 3608 wrote to memory of 2336	3608	b2e.exe	73
PID 2336 wrote to memory of 1568	2336	cmd.exe	76
PID 2336 wrote to memory of 1568	2336	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Users\Admin\AppData\Local\Temp\D3A.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\D3A.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\D3A.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\145E.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\145E.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3A.tmp\b2e.exe

Filesize
4.5MB

MD5
15fe3b622166db04c27b3fcb5ceffb24

SHA1
a794100da106418811d553ba4bf0827f5db2a1ad

SHA256
5607b3451e0f482583e6ecab18a8220ca3adda2ae9cf33d4de26b2ad52702343

SHA512
a1568593ceba6c60da1fda21ae76e2c154db826f85163663a2aa02cd70ffd4dc1577060fe320bf0cf07bdf83945cd52a57f417fed60a730b7c2a38569404f2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3A.tmp\b2e.exe

Filesize
3.5MB

MD5
70e7e1875e8f4ec7b64fc4fccf2e8bc8

SHA1
94d5f094636105721308f6eeb5fdab856605dfdd

SHA256
120368a73380b6697b3aef5e01e2aba24b7d4e349bf2304140c5ef8f67cb024d

SHA512
0787baebeaf584f7b6ebaaa48334e22c9a4937dedf573fcb4702995c89756c483863ce92d4c88ba1d6a0374dae9c09f92e570eb153cc473d59a50f4822664e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
a720d57634b0897c488d098bff2d2f2c

SHA1
28455cb3848142c758879dd844f98c10c8454309

SHA256
01d40c7c599c662fb997ea892ac3df64a15ffad0d2cc5184256cba5583aa0e07

SHA512
9d0d64ce2afe7aef2bf8554902c7fa65c560ab4443da2ab9f3d1191034c8b08dab2519216d83e8fe524b214d2502ad612689aafc9ce813b3257f2648c8bef29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
586KB

MD5
aa5fe457e460f790260fa8f0c2f9e93a

SHA1
cedc2de3f0d7870485b14021dc63531f9bf1044b

SHA256
99f546eb11a5649c32dcd4348b09e9e0759c33a79d057108a4df59ce20bbc49f

SHA512
668334f4d02a54d601f7ee2721aa1636faf1cf14304d3256eb183b0c49bec0634e253393f7ef81d50b3cdd484e555d3820c96d1a2b1306e74f91f7aa9a49614d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
dc1fc775070969cdd42dec9508a631a7

SHA1
cac70070c3f66853ac335d0c8aaaf1180426ac7c

SHA256
5d9951083dde6a8c855fa3db3292e42658bb695dc2a5edd9448c38e64d856d3c

SHA512
67126dee45d5d45d562f8053f5742eef203592fd9f9f21b5ff610cecae94408e856ef53aa1e0c9d1bfc3fb73ef1ba8fb98eb1badd1d2253cb91716da510735d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
512KB

MD5
5fd46a66845c804b88dcd97ffcd66652

SHA1
9556ce5607bdd245c8e4d6a24b8217def653f57b

SHA256
b7fd85a2268a4d62fa15fde3d9e51d6fa3bc865cb4d8e5fdca309be7b027f193

SHA512
0896697d588401a6d29c30e77574ece4f0ba699b082b1bad93964748313a5903eb4994ec81c61bfcbd75f2be3f5200dadda3fd1454381cc5874a9c8952ebeedc

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
512KB

MD5
bc9b06a37685a9d2c5c0ffd4ed144e86

SHA1
3e5234a71739d5eee72b57ce0b3e57a363dc51fd

SHA256
8718aa67315b5664880d8237117d482d144beabe548d5eed3c9431e7310c4039

SHA512
206eba92eeb903234fa323e5689024b3493575a16b3e86d6b5785c546e8bd8ed093cc3e7f91acb08ef710a22256adffb5eca58a6e47b1ca3ab2828d4bf4576cb

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
554KB

MD5
d40312410121cc76f5a5087b06f5a8d5

SHA1
803687bd8dfc0dea9c1d9a459d146157fc143cf3

SHA256
60bbe573c68a275015aee23be020ee1c70436579dc6754bb5101291c28890124

SHA512
54debb073e525f91ac4bd286b4b78a9f8cdf2899f209ec3f6153369ab641e875c0318285e5e308db61682900c0cef8ff2469822da937a4bb5485bb290c916ba4

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
536KB

MD5
b049cfab33f6ee44b9c4d406418a2c1b

SHA1
6dca529d96deeb12b1ad9dc3c302b523017c1456

SHA256
aad208fac545153a7f9e870f514af9c3b920cbe3c83dc88a18bdaa46aee51c0f

SHA512
4a67b196fc5853039eea9ba58f02cdace5536937ba80315817f9e8063a9128ca0a351daabac6f29a9caf7eafdcf9316cdfb2fa6e773ea4a3eee0f8d57cb4414f

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
494KB

MD5
7e1210a4af489fbe56839d23097a6047

SHA1
d07e3594c76ab6def4d2d831be739db2210eece4

SHA256
b30e6458fae5e7338444ce50c983188d5445b259f4cb49195cad756090f3f710

SHA512
677da7fa8d5a19d85846c12c14eaab35b90895e89384a987a091f26b5085b4bdf9213e6c9fd7d0e695e93a5924390093e3d3e0cd9f648e90d07da456d5dc2984

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1568-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1568-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-43-0x0000000074E60000-0x0000000074EF8000-memory.dmp

Filesize
608KB

Download
memory/1568-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1568-44-0x0000000001010000-0x00000000028C5000-memory.dmp

Filesize
24.7MB

Download
memory/1568-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3608-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3608-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3912-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download