73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18/02/2024, 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3476	b2e.exe
1152	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1152	cpuminer-sse2.exe
1152	cpuminer-sse2.exe
1152	cpuminer-sse2.exe
1152	cpuminer-sse2.exe
1152	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/212-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 3476	212	batexe.exe	74
PID 212 wrote to memory of 3476	212	batexe.exe	74
PID 212 wrote to memory of 3476	212	batexe.exe	74
PID 3476 wrote to memory of 980	3476	b2e.exe	75
PID 3476 wrote to memory of 980	3476	b2e.exe	75
PID 3476 wrote to memory of 980	3476	b2e.exe	75
PID 980 wrote to memory of 1152	980	cmd.exe	78
PID 980 wrote to memory of 1152	980	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:212
- C:\Users\Admin\AppData\Local\Temp\BB70.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\BB70.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\BB70.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BE10.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BB70.tmp\b2e.exe

Filesize
1.4MB

MD5
fe4bc2bb4397eea601e0fa6c45cc20c6

SHA1
35477fc0a38f9db357a70f9b0573537fca582a9b

SHA256
8852fb3a8294753e6b088d458547feaf54685068ed6bc0dece93f608ab44afa7

SHA512
3759f54232069d2efba631954ff86bbf5ef58a616e4e0109c9ad5fcd632ee97ddf169ebddbe58237dbee36951c8d2e176312abe4e142f636398bff8fc2973bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB70.tmp\b2e.exe

Filesize
1.2MB

MD5
7b0f4c1d8506067fce25df5de733bcb7

SHA1
053b618c2012c6895e9709696395951acf15c165

SHA256
dd9a3eca69a73709146ebc228a433e0fef43ab6c12c2280725d798c7b494216a

SHA512
45ca44d04c436082073475b0bec73cdd3df1f0cc670d9a3d5dd77fc2b3b60ef870af5912d27269107222850b07234060eefb2d272b96de1367ff544cac506618

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE10.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.4MB

MD5
f49c60db74970ad6464dd53eb480899a

SHA1
fe9f6f8e311d084590962a5b37fb870bb7b20138

SHA256
82d5c09073ffdb94c9b0777496d5a7e40e75e4b009293b9f5f333dbf6c8da326

SHA512
1a79b4b08c4da1d5c9fe1a2bae0c2836a89f04f66670157be5f22d05161d8926c531d4137d05317fabd6c1d281be2fb3dd012b25689b1ce4ae9335d7dbc177e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
af5059facad95621df8947026f5c34c5

SHA1
b994c974256aa8e6d5e3bd6c3f36cd7b20a9b843

SHA256
8cc46c87421849abbbdbfe1d8a378f16dbddfdb129ce44ca7819478ea5e1e170

SHA512
d126958870849c73c3f944ca5534b496fb5a76c92684cdd7958ed899d2dd88d98a5225d519b088998581b53fd2315c1e7322007e78fd5fd47db50e002cbaa3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
916KB

MD5
9153c26d46d4c2671f14d3612e9900b9

SHA1
34be755d2d7325f288d296f0eb6cc23fcf489f33

SHA256
7fcdf1b6b7de962882affaba517daed2007014386bf97679c9e4191d2383b653

SHA512
d56a267f8b516630f628510047ae56df7246353a33a29ca479ca5fa6df9a9f726f4bd625d12c72e262af249cd57df6c46b714d5120f0da57b2c350ea1a00d04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.3MB

MD5
158e50386af6c0965a3bcfc50a38ab83

SHA1
2bde51bcf88f3f23afded53349548d23ced04804

SHA256
d0708d019c934e3ac2df641ea45af515bc9ad6b2da1122513beac4c9e4ea882b

SHA512
646403fa13eca30b309f8d2c311dadc152dfec30c6d25193cfec8791b6abbb8f133c658fae4ff181f6c6bb6973ceb5e6f7b3689aa2edd9908c96ba898357f379

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
946KB

MD5
fc6d6ab93e1367a316e325aaec7e680b

SHA1
9802c569b5403ac7b29a0c837993dae957c8046d

SHA256
50245f0aae534a19acfb4252e54f55d482c1e161a542c43e2a6cae1bb6768ffd

SHA512
9f413a78c4dca8d667f568cac20b540f80a28440aee00ce0a64d6f71352b1a9253fe1c1aa179e17ca297547a51f6e8605aa4d41a88cd89000798fea53a784ac1

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
5d838c102df2a346188f08a717fa0e56

SHA1
6b5cc5cf27313b66bc122dad98fd1902fe0c83fe

SHA256
6b162c9eb46dd2189a30e99baa92f6e5e393e25d91c08c2ed413c33289484b7b

SHA512
34e1706ec5228f17cfa21679f215bf7f8eb2753990307650c089ceb121b644ebc8fb36ec58226fb305d84955bf10b08e74b4648e30095877dd4392ef4a6318c9

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
dbf3c2e0b98d2afa6e6cdda597142cf4

SHA1
10a80378106524779c61ebac965a125cb2dd5611

SHA256
c3bb47c8bc745ea42f5b5dd5619cc206ae0105d3d888a8f13dbb16806adf5a1c

SHA512
0e877f15fa0a8dc7399cbc0e9c1296ec0db84f55dfbe9ffd7f54a420f170504554ef1c09254cedd3434cb2e7cf97dda117282fcd1522b127f9bb0af22e32a817

Download Submit
memory/212-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1152-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-43-0x0000000073DA0000-0x0000000073E38000-memory.dmp

Filesize
608KB

Download
memory/1152-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1152-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1152-44-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/1152-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3476-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download