73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
304s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2320	b2e.exe
2328	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2328	cpuminer-sse2.exe
2328	cpuminer-sse2.exe
2328	cpuminer-sse2.exe
2328	cpuminer-sse2.exe
2328	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4192-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 2320	4192	batexe.exe	74
PID 4192 wrote to memory of 2320	4192	batexe.exe	74
PID 4192 wrote to memory of 2320	4192	batexe.exe	74
PID 2320 wrote to memory of 2268	2320	b2e.exe	75
PID 2320 wrote to memory of 2268	2320	b2e.exe	75
PID 2320 wrote to memory of 2268	2320	b2e.exe	75
PID 2268 wrote to memory of 2328	2268	cmd.exe	78
PID 2268 wrote to memory of 2328	2268	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\23DF.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\23DF.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\23DF.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\29E9.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\23DF.tmp\b2e.exe

Filesize
1.1MB

MD5
a43a8e689cd5eb2690d211c1d48e729a

SHA1
92acd696234142bf22c8b5f1c1af459f38dc3bf4

SHA256
de564130f2706db8cccf91eb5cda9c55b9cb1cf5c775c3eee2d27c4c63ae5adc

SHA512
d804a9846c745cebd70e25fc740f2d8ab555e3b66ec9a1199539d08a0bf9c7cc4d2122eb5fb65ad6192835649fc0cc55f08ea2572c131c6b1931be3d30991182

Download Submit
C:\Users\Admin\AppData\Local\Temp\23DF.tmp\b2e.exe

Filesize
355KB

MD5
75b21185c253f44b99d7138972819d35

SHA1
e98e6897b59dc959e165312416c75c5d50313797

SHA256
23986986bb763992677fb48621f8f0d61d984bf12f2e185351e7f9a561cbc90b

SHA512
d30e78dee8d5dc4ed3bef60d92d84f12f1c33d1994462d4c1f3200ce92552aa08ec855e70e8d2b506335fc03fa08703028520c9144f959e2e6f3aa18f22eec99

Download Submit
C:\Users\Admin\AppData\Local\Temp\29E9.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
541KB

MD5
b9685dfd001ca408bb1e00d2d3fe6cbd

SHA1
07a9d54355527ecaa84c3e5be05f6cfe04aab301

SHA256
a8e22455483c3649770bcd69e8963b43be331dace9fab13d5b39e4de9efd5a33

SHA512
28773c213416168c15f088cbdaa9c1ad8128ae9190d8282df95940eb9d2fa7f12faad70608429875514fbdcfac7238ab2606ee4664f8848d0e063b4abc6d7ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
537KB

MD5
0f8c36bbcc6a25f750629ed1d7f613ca

SHA1
5d7a2cdedf04bb41b1dd67fe4689f06d41aa59a1

SHA256
28daa00fce785e59248073697c0aa993bdeb65a4ddd4fb41310c70a7a0eb25b3

SHA512
cae694d5a5e137270a4b33d65435115e1d8697945f2c3a324b37788dad74b0714f527963d3a0c2a7515297e2ae0cfa8450513133aa84424b0246c313bebbc4db

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
414KB

MD5
38e98c66cf2c394ea532e2cb20a997e9

SHA1
181b0aba745e30eeb131f47521cf6635d0758862

SHA256
91d4ef642d080b5a0562d193eb85e30b2387cb1f62c4d5e7eeb450b514363a11

SHA512
a71cc309557f934d3829a9345246ab9128b45a3310ef16dd5e76b5b66c48abf1d54a23b2438f6ea80bff8695fc8284952c68f814a5ffd48fdd057bb03ea9fa3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
356KB

MD5
964af6428d60c57a21f71461429ba5ec

SHA1
efd045b27c6633ca72eebf2be48b15f71fcc697a

SHA256
c0f953a4131e8360242a7c0e32fb2e662be40bf77c1ae18ce8cc0566ed709a38

SHA512
cf2ea128a74203285e8e7ab95919aaeb2a32fdb17a46399181abd1705bd30b3acdbbdd54aab728b904c5c5df179eda96a02195cca6ab3bc686383114a963a510

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
434KB

MD5
8dfe72704af67897d000cb6b50495084

SHA1
8e62753dbf1ea192746f12235565a92becf4a074

SHA256
c0b5114bebef3bf94e1b69ef02686ec956f42fe8e7c7d1c70560c1a7ecc6d9c4

SHA512
8f4091807d223aa25191ca591b9563accc4c90e900e4188a8a553bf137b0b241a10c84201b9a51a69ffcfcfa24a63e513d3ef5f8da1eecdb4b92273fef750053

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
544KB

MD5
cbf875d462d1d463a85954ac788cc586

SHA1
2f9c5c6263c671459e1154197e0d427d7f19f386

SHA256
bfd6200a24342cbd43ca930ae8cdf686e70c26445558bf5285ab68cb914299c6

SHA512
2bf026b8683373b1f346ef6a851f7c3f1219b033d512a59ee8822e197ecec1323935b120545e25f1d60442d0002c13d7f6b4922628aeb32528fadebaf79efc16

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
524KB

MD5
756ef57e1706ba12038ff9524d62a4ff

SHA1
970572b4f361c3bd2202567e9cff64b826e15ab9

SHA256
832e146430717ab5bc71776d0255326118561af740711e61fc4a144a1f1db122

SHA512
d8c4a505c966421cd90d7b2ed98c9bb35cff92ca672ffd245a82d7a965a1e88d6ad440045a4263a2553dbbe2fe8937e2aec5e2d0069295c290e4249534ce0b51

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
521KB

MD5
0ab42c135a22bacfbcf3649296796fdb

SHA1
5baa6c842b2cde5d7924cc8e41a54bdfddbf97c1

SHA256
94bca98e0e89f0c8067ed19581034e78773de2b55a0597a938f1389cbd8f3b1f

SHA512
cf7d500c6e6fb711ee8b18891fbe6f86ef05d8aad7db2beda183ad57a35e69fb48629cf9f6dec5e4ba6f39401261768526c64cb754bcc4e58743d55b969aff86

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
236KB

MD5
0a95aa7e1e0cd1e31c2cc3cd43433b75

SHA1
f9fe6a0ca3964bccadcf1aad54ad5f71feb2aedc

SHA256
d913baf70e5e024adea4352c082f1a420462b10a40d58067d0cfa5f42203328d

SHA512
9a9299481de369513c457d2ddb19676960106f0c06c3cfa4baa0cf2690b75d30ae92b3f9207929c4542a286a183c31ce2f6e8713c6aaeb6fb78c6785c5100459

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
448KB

MD5
ca123cec7f705c0af114e462349dc686

SHA1
75f90b4d95f6774b2f66e4ba790755ef118ab222

SHA256
7f141cdc0be9c965e21310bcfb0484b20d31ffd8a6a970f8b5a53c0e8974798a

SHA512
650125faa9ae6733f1118caf3101ca6850473f78f9bfc3a87e908eac1c69935e3bc269ffb5de4dd6e867429c1af35c7f3b9e62eb698fa7c9695d68e7115f3f1c

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
290KB

MD5
9f61832145d8c59764305097d333f1c7

SHA1
a8c1247f5687992ea0337409a8a108aed5d28df5

SHA256
71142a9984d6f103b3130b2b5ef7c89bc00bcdb7035e6ca4c0dbeea245a9414c

SHA512
20ffde88f00a08b3aea241eca47d81c83dbaffdc2f1bb161b96623bd25eb06dbd0525f13587d6d313df0d5d6826a3fd88dec0e45f89517c9838b50669b65a321

Download Submit
memory/2320-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2320-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2328-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-42-0x0000000050AE0000-0x0000000050B78000-memory.dmp

Filesize
608KB

Download
memory/2328-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2328-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2328-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2328-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4192-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download