73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
326s
max time network
328s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18/02/2024, 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4824	b2e.exe
4828	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4828	cpuminer-sse2.exe
4828	cpuminer-sse2.exe
4828	cpuminer-sse2.exe
4828	cpuminer-sse2.exe
4828	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4664-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 4824	4664	batexe.exe	75
PID 4664 wrote to memory of 4824	4664	batexe.exe	75
PID 4664 wrote to memory of 4824	4664	batexe.exe	75
PID 4824 wrote to memory of 536	4824	b2e.exe	76
PID 4824 wrote to memory of 536	4824	b2e.exe	76
PID 4824 wrote to memory of 536	4824	b2e.exe	76
PID 536 wrote to memory of 4828	536	cmd.exe	79
PID 536 wrote to memory of 4828	536	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\1940.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1940.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1940.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1D37.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1940.tmp\b2e.exe

Filesize
5.7MB

MD5
bf5d2c1bed482fab9212867aede8e958

SHA1
9c128afd41ae20ccd3436e76684c0fa2c7919859

SHA256
20c2de0bf8c5c46e04d1e064be896b93b8cc892069515e18bc1fe73a68e4f10e

SHA512
84e74ff54120d85fe9252dcd11b138490fd8709addf3f246ea88528fa32c78b74adb980935e6ac7768ef2739eba05bb6eb5735c2b541fea218e0072a97ef2a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\1940.tmp\b2e.exe

Filesize
13.3MB

MD5
a5b272450a5700f53db82dbb09b85926

SHA1
549a19cbbf7fe774b7f44ef94776e6f85027c3fe

SHA256
53db83eaa5b0de6f43df41055bacb33e7883d0f82b0f10cf6c6ad9104bf25089

SHA512
debe0cb44178f1d84636f3a7d2ef08a98449380766b1bb7974db5fb031570ae0a635492cd3157d85f5070b821f55ffcd710759eaccde2a31cdef965f0f2da333

Download Submit
C:\Users\Admin\AppData\Local\Temp\1D37.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
576KB

MD5
6e18fc4eda8ed0e6aa6ed56f84803ab3

SHA1
e4a0a4432fcf3184baae1b01a8cb771ed580dbe2

SHA256
f51cf1f35d722b4af4bde30de5008d67d7256d271953eeb2ff63780978f4a53f

SHA512
25f97a3a07fd0aed4a5e6bd58e4cc3ebc2c56c0a314103536e9342ee10aa3c01baa24b459fb58d7154808594203e2b4fddc23f6c424182e2e8bb3a978b4dc256

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
384KB

MD5
d1d1f36cdbccda3b96e8c164afb74526

SHA1
91bafcd404c8568c9a195ec8cbf9592ea9e17e8b

SHA256
ea6e726150aa9a8dcf9ccb6a991440b451f9f2dcc46d93cb35971556879d1d03

SHA512
2306e6578ba2217b4f32913e1ac35e0547723b873c11244e96affd05457945373c621ea16a82e1e3aa1a177e3059efc40c8585118c63a3ea145524c51d1d18c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
640KB

MD5
1bff0defeeb9f4bc5cf01e916a8d1379

SHA1
bdb668928be0a339e01e3aeeac813fd26b44b950

SHA256
d7f49e1dd346940049b753b856759608013f611624432c7ea57b0872239d35c0

SHA512
edb3e22bb4d6f3376d73ccd538a61292c5a086fc8ef9b8038b663c93d9ec991bdca297e3c6febb9d18fd16f5304e4fa532d603c68739598f4b65af320ffb3878

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
576KB

MD5
13746f79a51eb8ce3107de99ffc6b56a

SHA1
64a00c99a805f8775f08cda4e4d06e1150195347

SHA256
2c04d5960f13e859d49c78a8858bdcb0c53914306eba52746105a76d98f5d205

SHA512
d0e69c6cf0078c858e8258a4038098e644d611b544b6588b2b1c9d2d2937ade0472edc96257545f5935514bfa18970f5762eb393def612c5a7027727397ca8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
320KB

MD5
1ae43cc09627ff82d15527ea2693fd76

SHA1
c39ffa1a4b80c29fa1f5caed3e7d091253266c66

SHA256
b63980c9d592a6d0d8521f74bd4c6f7cc4ae5f8c3320d2bd63764c56648ac45f

SHA512
21945e4e2fad3ee2b2a19d19bbbc1ada832c33a0d3bf499d6ac8f093b39021323ea0f7df3d54167a3456cbaf01ff126a6e6abbe17dd4eb8d5a24ca000888c271

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
320KB

MD5
c911df8bf8c66277e14360319b0b93b7

SHA1
598c59c0e7cbecb788ee676db218dc0faaa39bdc

SHA256
4c53941f04ddeae2179047a1c7f8c7f7f46af0f08c424ab66d61f2316f2ee77d

SHA512
13aeae87ee52f22d1c928c99c66e116254cde630c09f90b146962fa61276af13fef653b7a66184d00d614f0379750e641c2e62326ebb5588ca632e56c935d77c

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
620KB

MD5
ad8b8e2baef7d3141b7cf6b493e8ec8b

SHA1
f55aac82ab54fbcb38f8be1e6c50eea8f3653d9a

SHA256
71543582797ac7d7a53e4452d8775e77b0bff80f9605c0560493f3ce413fd1f3

SHA512
5812cd1c205c3614bea15952469ac630d262af694a8117d028219fb80ced4a51ac22dc666c2b073a771bc1a4faef63bc9c7f9b0b89b05bb5f62e36cb7845fbca

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
192KB

MD5
62069650d62f76a4cdf0e81172d99993

SHA1
3b20ec5b4a4320ee15b0f7b9715a9ab90f68346e

SHA256
779a5590c667d9a704b79e159259c0646737394fd66a9c0b12d13f9445ca091c

SHA512
ae1954a84fb7543465e77a4cd5cc1bdeee0cf848592958633e6c51702b42131daae64c302d5c9537c59a9b3ba9498e5bf913d1f6f757ccdb8c4183b33224852b

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
130KB

MD5
6b7c502488d9263b52224a72b11ce621

SHA1
4b32003ed30d359209c73f6194df8b14741113ed

SHA256
65cb6b7be789151ac87f746ec917a120cac61b0e0ad32390ddcd065d8b522da0

SHA512
86d778a75381e3cb62764d5a1903bca4435fb79a1c7986c01dc49c49c0d362d4ccb07792b682ad53ad3c6726272a7cbfc79878ddc1ea01a6bc7e23b84cc592e4

Download Submit
memory/4664-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4824-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4824-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4828-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4828-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4828-43-0x00000000758A0000-0x0000000075938000-memory.dmp

Filesize
608KB

Download
memory/4828-44-0x00000000010E0000-0x0000000002995000-memory.dmp

Filesize
24.7MB

Download
memory/4828-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4828-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4828-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4828-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4828-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4828-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4828-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4828-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4828-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4828-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download