73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
304s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4608	b2e.exe
4280	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4280	cpuminer-sse2.exe
4280	cpuminer-sse2.exe
4280	cpuminer-sse2.exe
4280	cpuminer-sse2.exe
4280	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4008-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 4608	4008	batexe.exe	75
PID 4008 wrote to memory of 4608	4008	batexe.exe	75
PID 4008 wrote to memory of 4608	4008	batexe.exe	75
PID 4608 wrote to memory of 4388	4608	b2e.exe	76
PID 4608 wrote to memory of 4388	4608	b2e.exe	76
PID 4608 wrote to memory of 4388	4608	b2e.exe	76
PID 4388 wrote to memory of 4280	4388	cmd.exe	79
PID 4388 wrote to memory of 4280	4388	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Users\Admin\AppData\Local\Temp\BA28.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\BA28.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\BA28.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BC6A.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BA28.tmp\b2e.exe

Filesize
256KB

MD5
18c91665349cf71648d4af5d21843ea9

SHA1
6be582f8587a42e96d73bf174cb6d6345761c192

SHA256
979d6a944f61f2cde2dea724ce5e0297005602c15fbbbcb917540ec1b1f3f937

SHA512
544d110b9bde470b9411a91f9195bf5e6914c1e5c59ec4485be08acaecd0e519d1c932181cf5a76d5241dedc362beb56f2fb407d808d554e43d408b34a621d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA28.tmp\b2e.exe

Filesize
2.2MB

MD5
50523b1e6001d474d0fe919e433950d2

SHA1
c4cb42fc1766643aa5df99d304b844c1dc89db3f

SHA256
f5a469e798b1bac3c291b389eb979dca64ad6f078e9c4b3e10b2461932219084

SHA512
ce4096cecd2b21e4926103dda698a0713da081f80d919af0167fb303ac1b3a1b6369d340f75bc13d028911a7341b52085e64a6c062f8c567580b69c6b3ebb418

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC6A.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
332KB

MD5
36e18266e9d42c948f72fe878bbbe293

SHA1
00bbcf78d14acd432da59c5399225b085ced0f6f

SHA256
bba6d5842d63297e3edb1d2d1b49e947e566b8559b2e76d29b2bfe7fff8a21e4

SHA512
e9a615a60d1ba03d9339634a55f47529213f356766dbfd3ddb4040d5414109112e831409438141cb5220dda84570a9fa3ab703774fbf058682d6057e07c89f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
672KB

MD5
b26a5d03e340d818a85ede98909e9359

SHA1
1520e53e701730ef34c63b81172f8c1f1cb464e9

SHA256
20da8a8181c4dda6db4f8011088d3e7a668d65819822f0e2c298dd68a8bbd8c9

SHA512
17fc378ac79df2bcb420817fb3972d5cf3a7ac60bdf00956469e0064d7379245ffbd97b1753cba82f089e24b67741bd7282768d5d80ad9269587cb1a8347b0d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
469KB

MD5
ab458ad6bccd8094c702117dfce4f5d8

SHA1
1a0b16aba20d2b615a37b041d79335e1934590c8

SHA256
994e93afcdc67d85a0ad41296789120163400f2dbfbbe6b480dfbf3b7d80cd06

SHA512
2023ffbdaac070ab088030df3d06ed662e356301e40d8bd977ceffd59f649c7a60b14267235174a327acd98767f1b1f33ab60d806c525eabd968c65adbc4b392

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
640KB

MD5
1bff0defeeb9f4bc5cf01e916a8d1379

SHA1
bdb668928be0a339e01e3aeeac813fd26b44b950

SHA256
d7f49e1dd346940049b753b856759608013f611624432c7ea57b0872239d35c0

SHA512
edb3e22bb4d6f3376d73ccd538a61292c5a086fc8ef9b8038b663c93d9ec991bdca297e3c6febb9d18fd16f5304e4fa532d603c68739598f4b65af320ffb3878

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
405KB

MD5
104b9d0e4df901bbbce33afeb3905c69

SHA1
8cba9a0c34ed35ea06e80bd3ed870f41193dc53f

SHA256
281d005f61360fd6a1467cfedab792d5a71201405c8b427a2582a4d119577d2f

SHA512
cb545901daf87971334b935ca03f587b3fff49baa70f70bb87cf48a6a52ec94104a95f199d00e2fb55933f8f103628833d19bb1af9cbd1daba629fd83ede0752

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
618KB

MD5
8343d2320a4dca7f2d12812440b7180f

SHA1
e4e9ce53ff8398040c72d28b4fef1287b29f561d

SHA256
7f46d6ddff28f54de5518f17c93da859c1c7ef7b2de8bff49d5ff01dd820a6c8

SHA512
796f58a7d35eef0a443d82bf79342ab149635ee72a7190e9db67841db1d9bbb0f70d8a7813b96f303e0bf249a5b97085c9199c2dcf42d607b20c368ab7af9c30

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
235KB

MD5
f97ce31221fce4dd53bf74d18dc6d461

SHA1
8d8938898b7aefcf2005934d66d3941fd80e8ce8

SHA256
cd5a88a1b1711cc3d59efa424dc5ce1d211b1f36d612c4565bdaf0ab258c68b4

SHA512
522e3475a556b00381a39485d2b53251d505f420f47abce2832907546a5e0d90c435b020a20af6950219377c150ff50e2d71c5520e6b49b0eb801cc3711f9e01

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
386KB

MD5
4bc7225bb26ccee124b6bf5085247ede

SHA1
13b32f2413327073880922215fb491b28dfd2f22

SHA256
139ebd4eed835114d0fa5ebc2d9f1dea5c1a3d0dd429580b97ab6b72ad3bfb1e

SHA512
668bb9f5e43eb60d0fbebed50e1739c7139922bc82f9eae59a8a857936c9fc6a2d83fdeb65fba106702f0de3da9eac94a186fd6943c8421f659c412003c4856e

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
643KB

MD5
33ce20676bcbf90c4e20ce9e9ba75777

SHA1
df71d2b7cdd5e2e6b187bca49996a326417bc20e

SHA256
fdae181d37bbadd31f42f3d73e74565afebbfd6c9ba7eceb4776b73b168fb116

SHA512
d968e60a038b1e3c1c8f1a8b6b6ee87b00b54124505ad8096f4af93b8bf8185ed4adcc3f6700e9c3bcf3026dfb3a9cc9683adc9180f068a8774c3a3f7a490dab

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/4008-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4280-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4280-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4280-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4280-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4280-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4280-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4280-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4280-42-0x0000000060AA0000-0x0000000060B38000-memory.dmp

Filesize
608KB

Download
memory/4280-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4280-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4280-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4280-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4280-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4280-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4608-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4608-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download