73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4916	b2e.exe
4720	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4720	cpuminer-sse2.exe
4720	cpuminer-sse2.exe
4720	cpuminer-sse2.exe
4720	cpuminer-sse2.exe
4720	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1008-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 4916	1008	batexe.exe	74
PID 1008 wrote to memory of 4916	1008	batexe.exe	74
PID 1008 wrote to memory of 4916	1008	batexe.exe	74
PID 4916 wrote to memory of 4344	4916	b2e.exe	75
PID 4916 wrote to memory of 4344	4916	b2e.exe	75
PID 4916 wrote to memory of 4344	4916	b2e.exe	75
PID 4344 wrote to memory of 4720	4344	cmd.exe	78
PID 4344 wrote to memory of 4720	4344	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Users\Admin\AppData\Local\Temp\8E55.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8E55.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8E55.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\90F5.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8E55.tmp\b2e.exe

Filesize
1.9MB

MD5
237e34e36691f4724c6be7d41f44a371

SHA1
d5d9512d740e3e9f559aad3efb45bf36bbb29693

SHA256
061c26e2905978d3be5102df7b5281426cf75b4b15373e40ab739f1169444597

SHA512
1d3aa2397419f1e6f92eca5c0ba7efb113cf5bccac3fc48d7f5c292966bc3038037dbad7ade8fb987f4db9008de6e50cf8a8fc8ca8e6b61d061e5a06f5df7112

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E55.tmp\b2e.exe

Filesize
2.3MB

MD5
7e118ee82c731a138d2c0ffe58f39bb3

SHA1
f0535a0081fe4f5520f213261ab48ccd2a76240a

SHA256
ac9a081e1e5dc85d5fb27a89ba974d48c0b983b3a43adf197381be8694448123

SHA512
3cef77c1a9f445e7dc4d857284520af0fa6c439de0c7dfd6fb74b817e99bb540d031984a99fa4b55401dd5c04ad2ba1b39c93d929fc528e54a7f51beccea5727

Download Submit
C:\Users\Admin\AppData\Local\Temp\90F5.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
517KB

MD5
d2f0f8b4945ea13cf47fca77bd40b9d2

SHA1
b78b3569eabf6e6fb5966faea8b2a1372446b1d5

SHA256
4ce1ec25ba62063f16e8fdb0079e8aba88d2ddda5fcec9a7af738d2ed7231ca5

SHA512
3fcb5fbcb87781ea11a4ebfa4ed9f0e9bb81bb8b2b22ca6870f92e661c0cbb5e75455fd4f1d3379aeb9bed8369809f4f803b20a6752fdc42e2b01c5990776577

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
98KB

MD5
f924eabe1bf829d9dbdd7a3a560ec243

SHA1
f437e2804abde7a036cedb357af47a45259381a2

SHA256
9640b20be3dbddfe1ba3ab7c43649b06d15c8f43a5cbb56bee954ee4dc977854

SHA512
7459329af9e4280f4d59a153f3398a9ac0bebc54e0750330c3a15187b8832aaa36183b44dcf0c149d3fde170ab3e894f46c5c9dd97cdd6079ceb5c6c42106bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
200KB

MD5
c0e7226a6c367dd3ee2bc957f51838ea

SHA1
c4e5c3014928047243975d879310d0a5a1932020

SHA256
68af376bc75e7b742e282ea57a90078f1ff88a67e4fc90089947b31bc6df1e69

SHA512
060740ccdc9a2ffd1817788b6ae49e62dc91c6f912f67f3364fc70e29d0a1e3513e66fc61f14a0aced99eb60b409c44b751de489d17a794366a0cf36ef312246

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
194KB

MD5
72e6bdbc6964b056ae652d5d5f332335

SHA1
f7ae92c422f40f94f1b4ed1931d115258d59a44d

SHA256
0fed01104bb62fc8e9c8ae15f6584a82a444ff3f0003f1b1b3d85cbc84298d6c

SHA512
ee67c408cdfce50bf1c0381eb2aeb3fa4fadf7f091ab103e5d33c758161c24a344bec4da218a20efa85637ad7d0786e5a8fb3b22bd9942a2689887d35d5bab21

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
104KB

MD5
b094c1259130e91e997484c79348bfd1

SHA1
476fe9f4bde4bffb70fb637cd82474ddebab5338

SHA256
b41c0a41efb8c51415e1b12fd48f1d29fe8e897b48df2c712149caedbbc69624

SHA512
c328dc9452f9057826f5410662fb2222e3d5ea24c779a95057e863b76d4d58bddca77efd16147d6412ddcd15f9d602dd8f8fc77a8220ec77d9a31562d86c910c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
488KB

MD5
a8d5c83c2cdf8ffcdc025f96c7506d76

SHA1
4f84405f740df20fccf6672faa876d5a6f5ae772

SHA256
dbbdf2364b18faa264b10e682024475fb90927bcf0ffb0dd7170095094381dff

SHA512
72d8831946f320d6161411e258147c009a5c7c56260045e4fca33e43ba74221d0b8de77bd134726397f5ccc3ad3d9004110f917f10714b647600daeea7803c8c

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
181KB

MD5
316eaeb62e49bfec3cd953f1171f0bfc

SHA1
ef9176f1212428ac92679a5790fb9ce96fad3af3

SHA256
e43435a193af2d3dd3e7ee9231df5bd3e810b58247539e4e8825dbcd7185ec3b

SHA512
4595f11b36ec3fc6bc4e6a9c75c5cee7aadf2bfb865e69d0a9ace6925d94b274d8907e96a49a0218094ce5509282b2a806ad823f3246f4cbc4271cf2186764d9

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
104KB

MD5
3f0286087844430da23d804e516b6680

SHA1
4567c7a729fdd79ca7583cfb53d551fb8f76a5e2

SHA256
79c1bc8bff2b5d2655c68c4ed324f157422543b7068ecff106185db9dd285106

SHA512
d96304e952eaf5598c230e97600b675150ed5fc914728ab0ac4a2c54dcc47931103cd76c30748ea5dbbb62314884f8b6567503b32a12664e29865279583dff6b

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
327KB

MD5
270b53c73831fd5fb9b1c589aefb46f0

SHA1
3ae89757907d2e843d678219c9d4c8fb24f05bc5

SHA256
7983786186e27dc58a241a1c91200f3d2ec7ccdd60915db4e8b6141e6411c840

SHA512
8d04c196186185794b4336cd45928b365a52eb49084625a1f6a2f754ed4f14b5585fd494550207e56a8d9606e6f68784f21dc07f3ff5fe0e538d3af2eee6e4b6

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
98KB

MD5
df76c7190505437e83d7b7bdc68759dc

SHA1
2b97c95e1ec87596670d5d30169bed0eb4baecda

SHA256
f95f7b4b3dd00616c554970c16473d3cf4f15f4d1fd1562db279217e96667362

SHA512
08371282fdff6a2060c07519753f3ec1e9d6e4ba1cf9da1330ef93d260fa23c788d82dc0c525073627e37176e1d9dd8dd4b4bfc9ce643149cca815fca6b26ad8

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
599KB

MD5
aadc4a0b4a625f3756113dceba8acc35

SHA1
bf088f7dfa2135847af6ebf85fbb3c88ba88cd95

SHA256
059a94650696879565ea6e874ef9cc85d4f0f3bdfca4bff005d008106ef57742

SHA512
1398583a7b577da323dfb7ccfa07bf4eda3f6a05e44d973d2b6c6960af301229ee92cdce3399421c4bfb33c8d083601095ad17dad9170ac1dee1a8b488db0aaf

Download Submit
memory/1008-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4720-44-0x0000000000F00000-0x00000000027B5000-memory.dmp

Filesize
24.7MB

Download
memory/4720-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-43-0x0000000051150000-0x00000000511E8000-memory.dmp

Filesize
608KB

Download
memory/4720-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4720-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4720-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4916-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4916-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download