73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2320	b2e.exe
2296	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2296	cpuminer-sse2.exe
2296	cpuminer-sse2.exe
2296	cpuminer-sse2.exe
2296	cpuminer-sse2.exe
2296	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4192-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 2320	4192	batexe.exe	74
PID 4192 wrote to memory of 2320	4192	batexe.exe	74
PID 4192 wrote to memory of 2320	4192	batexe.exe	74
PID 2320 wrote to memory of 2268	2320	b2e.exe	75
PID 2320 wrote to memory of 2268	2320	b2e.exe	75
PID 2320 wrote to memory of 2268	2320	b2e.exe	75
PID 2268 wrote to memory of 2296	2268	cmd.exe	78
PID 2268 wrote to memory of 2296	2268	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\2296.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2296.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2296.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\28B1.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2296.tmp\b2e.exe

Filesize
1.6MB

MD5
4b3e3a3f84660472fb9714cd8feaba1b

SHA1
8561afb6ae0a1ab8a4d8364928811b66fcaf9da9

SHA256
006513b9e4310066d4cb66a1ea11b6619c10e428f5a1ccc39eab92e1d487f442

SHA512
a4ccf4de38da8d27dd065ef09b81a4bca708188c6102211faaa186ddd8f68b87381611da54cb6098758733c799e2a3450cb5cae66b58c29a4264d93f93a1edc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2296.tmp\b2e.exe

Filesize
2.4MB

MD5
9eb4100a8eaa6d91c3a57d7e6608b828

SHA1
644203c500aea28488dd6699a9b8855f86973aa5

SHA256
13c79535f25405d24b9f3204a39b7d7f246dd4a1acaf2df5d6d8df14d2c1a95d

SHA512
b2ba9044d0b4d36a928983445c67f5224f84a8fa394b5d10b6b9d7a21010adbde56da9a6695b51abbc48f89f6f2a8270ba9bffd44cb2d2fc2f5a16245efcda00

Download Submit
C:\Users\Admin\AppData\Local\Temp\28B1.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
633KB

MD5
8abe046d2ba78c96d559877a938a044a

SHA1
96cc3e0ac1196945907abd682ebc12d2aab1a096

SHA256
1f7ba2434fc1e2f8b77b39fe85ba9c357176d1b5a9da050ff46a64c2ea571d5a

SHA512
a358fb5a896c8bfb9bf940e5bf604f612a04d4ace447ce331d6ea4e0247f40d619db1ffaeb3d07a3049766f5e9df34f62063113f3080218837b077dd5a956778

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
739KB

MD5
653b3244dbe074d99148991936d251f8

SHA1
b593e7e4a38ff29484a2c4aa857ab83426e8281d

SHA256
a8e92984f98c289f57ca783b738b38af2a96ff803bc5ecbab61c99cf30b6fcb5

SHA512
319505b82f214184bf2c3c25a5e55dc5f0bd5065becfd45f7c8227b7841a4a6d5e393a7250945f5837fb10345937e3b001ab78b3344d9295098c42ac2e0b5e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
588KB

MD5
92b2024335ffa21ee76bbfe1760d509e

SHA1
ed1f8a2a079e0dbf2f8f373056b8e152428b2341

SHA256
89d55c6dbadd8003ef3f0fb6659ad5a729afa58bbc513b2d3e5cae3730c05e89

SHA512
92d1b07a8803c512d9cbfdb29a7c586915b4da04027c24b97c7b09bb066a48c28baf7661bf85591541c78d22b622e4f73e2bc343c80b495d26e425f952720e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
576KB

MD5
13d5d5d28e916ef5c0bdc54e16916ce9

SHA1
19e0079554ebb12bd287914666755a8dcf8dd759

SHA256
0e9d765ea67d73cf98bb57f9a4f7e75bf9fe99acb69eeff025be84e6cb1f5411

SHA512
e7b558e5ef33772a80bfbff629ca834f359f6b419126b8d2ae2826fdd9f6c786f01f0fd8f443aa86186a64e92ae11dfddbd1b3546e96b508fff117a36f29cb9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
803KB

MD5
c63d896d98db96619ac531ca65dc3131

SHA1
673be65ce5186379176bd50730b1163700c34cd4

SHA256
2f826aa22ee70cec10c3e8798c7b789773c51b06acdda970880a5402e9a6deb5

SHA512
59a4670413ce9b2ab35500851e279202b895ddfbb030ac146f26f0d077cce95b0c764368776a69377fc7b36f8ec7ea86f252e1bc8ce577f033e5a0d65d91d373

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
508KB

MD5
26c704fceed4a9c3b2c10dd2bd368365

SHA1
3b9b8a30182658afd262497117362fb141867c10

SHA256
041493e9bffa72438ecda4a100e4dbc92a5b7dcdec3fedb8776e8037f98eea47

SHA512
363ec9c72f16e9435bf67870d78803ab9d688960e2358d297c6391e4da46ffd0561230b7b2dd2acde8c4e00596c410e339fb89f7bc86baeef13c870787396f3e

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
776KB

MD5
d9767f513a2bb505b308070056a8acd1

SHA1
92d4d8c9dbee5d21123095d16a3bf9e2143ed5e3

SHA256
b9b3b920e13296293a81e3a278a8493c0d28bc5addaa9209626c61ee3c359a15

SHA512
4d2fcaa9fea5a2e437fd53fe97d70ca9531a6f97ecc88bba49137e10e4ee42f3ad83741a625e7f6687129ca9dfcf18e53a4e61a6ef38d9a2dafb798f1d8e2b3f

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
828KB

MD5
64211e3bd3f57a2ad27e6d45f24db100

SHA1
c8459706d7babd73a510f17b27c9ebe4ce71e71b

SHA256
be88170965b2598e3885d1198bb9a99ea21654386cc1ca8c839588afa92d9115

SHA512
35c13c8dac83f65e6f1a26c8160348fb9dfc45bd1eb2eda44b93235766c99c6bdc695b5e84b291947e1f83954f2edb89ff8a9e033098120bcafd43bade9f17fd

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
501KB

MD5
b60dc856c982f771ac0cc5c074379828

SHA1
57f41421a9ee3f0ec0eb075d76476485a9c13430

SHA256
dd9bf627e0a99e81a8792ea636b4788d73a59f8d08c3ecdd75563916808cdd5c

SHA512
13b26ca119bc85bb6edbd1207e5ed46c2e5b97db594e136fd4036dd9fc1f0335afe4baa73b8c0bf27f44c1ecc85940e2a50998b0c9add5120cab1c4595c6a0c8

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
536KB

MD5
5b4adad54adf8dfe43fe398ec1bb7d66

SHA1
76eeb2631000186448f2c0729cfd7a8a4b26154d

SHA256
1d777753e115d4686dbd20afce673daa50c270f8cb9f6504d181c16d94165c60

SHA512
039559573cb0f0a724d75b7cb2fa8214f2e93981018092cc33791fbe4c9d571de86deff89f992188063493c5a92741eb768968cf6e287d6709a0d3203fff881d

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
558KB

MD5
889a46a4a1d799db37a55324e4491b5a

SHA1
36576514be5941bcdc19f6cee7f407baac958c90

SHA256
9f3270c4bdd541b7a1550f8a0f847a2ee57cff7c1fdfa483017639bb2ae272b7

SHA512
a9f5df91ca82638bbad97744900ca2077e2c9a6c30a088056010615b04f5da7d3430952054fd18c1314ad7c23db0c3fbe97e169f83120d0b61022b66dee64e08

Download Submit
memory/2296-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2296-42-0x0000000050AE0000-0x0000000050B78000-memory.dmp

Filesize
608KB

Download
memory/2296-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2296-44-0x0000000001070000-0x0000000002925000-memory.dmp

Filesize
24.7MB

Download
memory/2296-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2320-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2320-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4192-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download