73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
295s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3060	b2e.exe
4968	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4968	cpuminer-sse2.exe
4968	cpuminer-sse2.exe
4968	cpuminer-sse2.exe
4968	cpuminer-sse2.exe
4968	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1208-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 3060	1208	batexe.exe	72
PID 1208 wrote to memory of 3060	1208	batexe.exe	72
PID 1208 wrote to memory of 3060	1208	batexe.exe	72
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 2336 wrote to memory of 4968	2336	cmd.exe	76
PID 2336 wrote to memory of 4968	2336	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\147D.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\147D.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\147D.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1BA1.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\147D.tmp\b2e.exe

Filesize
787KB

MD5
0f2256f5ff2335cdbb69151bc0ecbb5b

SHA1
885f3eb3c63b47f5ce327518373200315f8535cf

SHA256
a2f120318811f467458b72c0977f6c36fcd063d944574da5b279f727daf89ba1

SHA512
770442f45c3d004c14c6a4e361350fc803e804a5b36f7e8e973adbdf73988196f02cc0617c3dc9bdb54d9b6f17d8ceb33d060e98cd1f891983354d934f4e8596

Download Submit
C:\Users\Admin\AppData\Local\Temp\147D.tmp\b2e.exe

Filesize
832KB

MD5
e1bd95ac3f9c6ce43914de2a53967fee

SHA1
3e03982c075df051d5a8dd837f42873f30483faf

SHA256
45c3475b58fbaa942be0297167c5c3fbbfe7295aa3fcbb4fb61df1348f55c550

SHA512
2166424e86301bbe04fbcce5d0b91562248845c5b1a7e889fee9a95d1c872dd6ea5cc85792b54e6d085095339be2f2b7f30cfd9b40a071b51c96a5009cc96f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BA1.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
288KB

MD5
02e9eb5492fe7172175d5d0b090f52b3

SHA1
417b6d58203fa662b587e3f527fd9e7a7d3e89b0

SHA256
3565aca1f613e7083ef57810f0bc30f854bbcd33ba7b9b63fc6d4daac95881e5

SHA512
cf15c7bab25bc3be6fde1828be8360d8b15508c638293c5a8de8c0e173ac698a3bb55bdc656ebd509e8746a8dde6d54663cd441a0dc4ae74a1f60b43606e2de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
329KB

MD5
35281dc8c3f891ad557bfa3fbfd96cd9

SHA1
efc94a3fd71566ec0f55bfc93b83cbc7114c76fa

SHA256
3575c23ca6b84eb1c0f80e1ffc2a333e71094616ba4fe8db17fa6c4e195bc9a2

SHA512
429627b63ce7fbefbd203a172dfbc86d422e83fbe1e0477612c2cbf090fbe4c202d290003bb6ef82d9b81df75dca53c6d582191867b53327797397dad07223c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
108KB

MD5
3578b1049dec9cbd4975c8d40ee82652

SHA1
61a5b40ab99ccef7a683dbc8b8791ea6ff25e0c9

SHA256
9bcb335ef672ebd9a988b5594199e045ef8719fd467c3f409dfb8b2af10abd59

SHA512
db1db716a6fd6ea6c9fe5fea81f18aeac9e41b0eeae5c75b7faf04311c34830e66fa2cc4d275ea48f802ff31483679deb724abb22a4202af540779f0c16298a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
295KB

MD5
0ad5bb948aeeb186efbb375fb3714ef0

SHA1
70b08848d04ec33c031a033aae0d9c3b5a265fdc

SHA256
bf6e9a318733771957ef3a85ddd61a7ec5d0abe04c8d39579e186a9ecca99e37

SHA512
d3c09c61312b63ae4947d52062fb3098faf98a56ac26c221dceb4377f4f1890c5d5acbffe9a62d8ccc5bd9c2df1f406aa2daf0f32cd52ec5d4f4ac2de6c4691d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
176KB

MD5
619c512034a2ac046ad6632bf91597bb

SHA1
56d47dee1455968abbc9f98cf34bebb901a30db6

SHA256
14b2ec61f54abfa694ae6b44f42c4ec1d7a483e91e874ab7ea5dec4c3b8322a5

SHA512
e2f7bebc54bc5294693477f58ae1584e8796018ba646f714bddf35e66043c4a3d7e348c5ce195650e0384d639ffe8da47d0b0217da670b3a13d112081d2dfd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
284KB

MD5
0b9c1f390f837923252eefc625531a63

SHA1
086ea6f46154743692ca6da7ca5a4fe90c4821fe

SHA256
608f3d3d2a60643c391cf457a1a27e550a9b59b2dac1b112e4c35b005e9b22f4

SHA512
28e79ae9e2aae3c041362fffdc0e66f734be9756974be9e92aecbd929f9641d2f556b56b5bebade62212d457f9c03743576f11f42d1c342672a7a9ff75e4c275

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
412KB

MD5
2228afe77a9b0e7bcd00a2bfec1bae18

SHA1
fa179c3e4fc6a2e8c5f8e611b21a1b871fdb93f1

SHA256
495865db12e24aa1eeba156668639537d0aaea3f822ab878ccd1323a3901a2a8

SHA512
6778569b459213175ac0c415b6ae7b6c9fdb272d3e3629a69f3b186e9adf0cc77b29e1e378652e31656ce247412acefdcec0e382535c231e6164a2444455e448

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
528KB

MD5
08165358f30b045e33ca0a320123fe7e

SHA1
f29c69022c2c93186d96fa0d921eff73fac22419

SHA256
f747847c846eb8d958be4e75e0959eb3f4d95af231e7ad716983c986f9dc88e0

SHA512
325970185780968b36417dd6cb937c94a36dc7b6553d6d5f7dbe68903e1d65cb76556c906eb4cf520d930a3b957b7b69199509fffa9c5227c385819d5cfd12ba

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
520KB

MD5
e5462fd50470f7316ab6db414522bec7

SHA1
5f3bc81604d322a2b1ec384cd7297e07fd9f1dac

SHA256
7d9e5e50574182d79ee5264440be561d165e97f8d87660e9c479857b4ee645c3

SHA512
ddef06b962da19fd828c9cad22ba07bc34602a9b199cf3149d9a0b6d6d8f10566e34b169ea845dd564a1452db658ab0d18aedea8f7fff814cde4facfa29a5038

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
621KB

MD5
2fe98b61bccd58833c9923e74f69a382

SHA1
8731b18cb5b16ffd77a277641a282f6edf6c1051

SHA256
cbeced5943c0d8044e3037dfaf4204c4131c1b2a82004e1bb0b474384c5d6228

SHA512
fc1b9cad484c4ee54d97a0b0e4e3913a1f732badfe3f2a9c028ba7f33487d5ccb5b0287a31a1797998af0e9627b09973621f1436c455913a5e8513de1b7d71de

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
240KB

MD5
1ce1c60be1035a92fee2360da3529378

SHA1
c3d5eea0315c97bb3d5b4b0b0c64dc560182bfea

SHA256
79408cb9c74eed23c207e346288ccde25802b0bf49620e0b969e3465c731b37f

SHA512
eda71aab1223840da54502c41c520d16c5ccaf1bb724279d8bead1fd332f7a1d0ac67eeb6c87683c4c385a47041a5bdbaf021a83ad53fbb06527582b7edd5544

Download Submit
memory/1208-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3060-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3060-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4968-43-0x0000000074E60000-0x0000000074EF8000-memory.dmp

Filesize
608KB

Download
memory/4968-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4968-44-0x0000000001060000-0x0000000002915000-memory.dmp

Filesize
24.7MB

Download
memory/4968-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4968-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download