73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4908	b2e.exe
4992	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4992	cpuminer-sse2.exe
4992	cpuminer-sse2.exe
4992	cpuminer-sse2.exe
4992	cpuminer-sse2.exe
4992	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4980-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 4908	4980	batexe.exe	74
PID 4980 wrote to memory of 4908	4980	batexe.exe	74
PID 4980 wrote to memory of 4908	4980	batexe.exe	74
PID 4908 wrote to memory of 5056	4908	b2e.exe	75
PID 4908 wrote to memory of 5056	4908	b2e.exe	75
PID 4908 wrote to memory of 5056	4908	b2e.exe	75
PID 5056 wrote to memory of 4992	5056	cmd.exe	78
PID 5056 wrote to memory of 4992	5056	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\AppData\Local\Temp\90F5.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\90F5.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\90F5.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\92F9.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\90F5.tmp\b2e.exe

Filesize
3.8MB

MD5
adcb8ff2f7ba00e47fe3271ed2f595a6

SHA1
8d05baa5198002b7e35b18d1bdc12b4f62e7b33c

SHA256
15fa982982af0ab145ddde56963011b9abffbfcdd3127a5632c1c4990ad52e3d

SHA512
bb3f56cbb0382eee2f3a862583d7a5b6311d2565c0e38d2effccc77360d3fb4064dd97dfbb80b128c14d542ebc6ed34e72ec21ec986926efaf9ce84b854542e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\90F5.tmp\b2e.exe

Filesize
3.1MB

MD5
e7d75dbfc619d57b502eb6788898439b

SHA1
58e240a0465b66afddaf9522b656f16562b24a05

SHA256
b554fa26f8d628bd2a766bd29fa07e8de4a16d67a38a51a869dc9fe5f5592c02

SHA512
98db49dec758851ca5bf10deeb8c3e4d6d615eb49888c775e3927b625ad6ee169e3c2867d0575676f48fcbef41130bb5c2c35982cbdca419befcadf71efbe2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\92F9.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
740KB

MD5
9478d3adacbd667e40888afcac554ca1

SHA1
461eddcd8040682403cc0ecd1a70166b3e22e646

SHA256
85c2146bb4c24a404087fbd34959640aa9f60d6252611bba116079e59759cab6

SHA512
8f3d449e299fd70f4934ccfc2102ada7ab2a1dc14bd670272d3733b8bc7891da03b650e0470c7b83ce0fe4a0fd266869728e203b95e1b84b6e27e4c5abd6eb17

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
551KB

MD5
d5034f13907c0e9538d00a2dcf42c9e2

SHA1
2b71fdb9b0096de1e54ac5a6ddc8c96bd2df40fe

SHA256
8e8382d7b073511560762c16cc3246e04341a4b33691611c8aadc90890452e3d

SHA512
5aa05c36e254bd95e1a63f4cff6e8af63ff96f8d840867faaa72eaab64c4a95d422d5513a124b38eb6764391c1eebffc81e8f8041e53f8bb70c8c95feeeb0202

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
64KB

MD5
e7317a0a343dc63f3fa3bf9ca6e93ff0

SHA1
0d48881feb76cf81fc46614bebfa3c134cada128

SHA256
277a43f17ccc4f0fba87c710212de61a41383bcb94410fa093b50ebd50347a63

SHA512
84ef51472db00cd4e90df3062a3cbc29a994c5cf470e54300d4a2f103ba8fb8279ec87b0561625ea1bccd80a7ad664c63457831b4eb919a7608099430b98a3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
352KB

MD5
ef19638643217aad3c0c441fdc1f04b8

SHA1
aa08dc5108ab970d191bb1c4f3d5f8e53ccd6071

SHA256
3e1816b0c5f80f760b23a9653408e234f945a4e145ce33fcd0b48d645e11e635

SHA512
172a97f3c821e65f61a6ecf0b9e7c065e04cd2072b6dfac0fcf3e6eb925f7b15a82dab49b59039f7249f03ecbc326ef2073fde64128a1cb5f8a06bbcc344339d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
676KB

MD5
5a26a19a29fc0f89c2e7f1b3c68736ab

SHA1
b31532f666e32a9a257a50a1ac6127435ea1f48c

SHA256
4a179a46e8751e9f61730f499b754780602f72377a9cda5a0347319b1771a577

SHA512
37afcb5669756d0ec13f65fa9f72af3264e3b25ef000b0fe94c0dcbabb5040a7947ce7ecbe9f5eb84f8dca35ae0f9f69b51c43a5d462b2e3bac5f3310b8983bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
561KB

MD5
fb620d30fd9cf0f95a752cb106f2cde7

SHA1
1b5949d7167859ec599d506329956b444b709339

SHA256
72abb92afb47b12edf679d0dd2627e089722433cb8af54ad2f8c9f26561fdef5

SHA512
36c1dd2dee5c4aaf4c749223184c09b9a38cc3a84ef4ce725303219b8a6643e5274991bfd0dc814b77c82a37ff16ab1106d61762be4b2f6ddcbf2430fcea55e3

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
594KB

MD5
761cd8b366a418fb665de17830bfc9d2

SHA1
676d99080b4f3ae1ca1ba6e28db7d6eaa4bbfa3e

SHA256
341e737d12093b966287bc2d02f3f62c8fc7b1132611136b5d771aa553ef4fa1

SHA512
c07e66df540f0b2c52c6076ce3c81f33bee132eb30e1ef5a14c464544d32d74184baadee3bc006b1045b163ed6e7bbab647f50c6ab051518e55eda7ed2ecedba

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
360KB

MD5
989e539a93bedcbd60505d7552c85eb7

SHA1
964a2ada09b863a4dcc510803afb4cabc73da826

SHA256
cfd9e051ef4ebbbee7a9c2f671fb55150a5dd8168654996b1c81de2081d3ebec

SHA512
b5b6d3d6f883998971f7dea940ff5fc055ea61712032683ae1cb26fe6597e11082d7b5825085880609dd8c5f5da2c2fa7a7b458cd8fe65c90a9c71aea81baf2f

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
563KB

MD5
ce91d281d5f61ba14b30eb5a8a3bd17d

SHA1
6c948a642ed92bcd648deca73ee800e7e6902ef6

SHA256
b03cc3066a3b385c3aeb579d3a59d2ac9f3f4a3af4e3975219d1427dc24eb969

SHA512
ff9e228a4a437325fa069ac9aca8a6ce417973c7d0cecc7aa558d1d6ad7d0f8aa3a0a09b9d53b2cbb2301d79ad10a9a20ab97d0f2bddff70c6a059d43e625686

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
568KB

MD5
9d6301c3d5d9ad4ae766b6cfb95ee0df

SHA1
800cee3f2d9fee2308e594ecb131ade28a12472b

SHA256
47cccac2aa99f3c5019a893a28a62af7d3e714c657c39c677017ac0b51ca7a2d

SHA512
c9087b07dd1c2b21683273f377e451bb36a09c313f37591a6be9f33d41649a9dbf9208d805168f8bcc8f7d9666b97c5503de09fed2d6ab333e6fd86e3584e5ec

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
489KB

MD5
4c0e6c76ef6de6e9833bb5fa3e3e2c3d

SHA1
55f5ee176270885caa5176102ba443138964a1ba

SHA256
0eb357d626ed7860f5a117bdc7367caacafd9d2c4b4e5c69e54a90e2d28b6970

SHA512
9ec75611d5ff67036b5d1e59661ef278e04d21111970731bf9018c7d78c70bcc88c13d5eb59394b53bf018810723ce2bd794f446e2652e617dce91ece8c8daa6

Download Submit
memory/4908-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4908-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4980-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4992-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4992-42-0x0000000060810000-0x00000000608A8000-memory.dmp

Filesize
608KB

Download
memory/4992-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4992-44-0x0000000001120000-0x00000000029D5000-memory.dmp

Filesize
24.7MB

Download
memory/4992-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4992-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4992-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4992-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4992-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4992-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4992-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4992-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4992-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4992-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4992-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4992-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download