73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4548	b2e.exe
1968	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1968	cpuminer-sse2.exe
1968	cpuminer-sse2.exe
1968	cpuminer-sse2.exe
1968	cpuminer-sse2.exe
1968	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2628-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 4548	2628	batexe.exe	74
PID 2628 wrote to memory of 4548	2628	batexe.exe	74
PID 2628 wrote to memory of 4548	2628	batexe.exe	74
PID 4548 wrote to memory of 3464	4548	b2e.exe	75
PID 4548 wrote to memory of 3464	4548	b2e.exe	75
PID 4548 wrote to memory of 3464	4548	b2e.exe	75
PID 3464 wrote to memory of 1968	3464	cmd.exe	78
PID 3464 wrote to memory of 1968	3464	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Local\Temp\8FAD.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8FAD.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8FAD.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\91A1.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8FAD.tmp\b2e.exe

Filesize
2.8MB

MD5
fd6b6fec31b8af2014531ec3919d28df

SHA1
d4eca90aba1e61340815c0da20a25ffc538470e5

SHA256
ed34a679b11b2a308f2200a1608be42633c49ea507311d29d196f34c5e516553

SHA512
e76d09d488585dc90e1b2b1b1b24402a9cadb578ecaba57fc1a917e3c4c23c2ce127eae1f4a5cb27bc79b29331b0592fa39fbbc0f271344640531a42e2b05345

Download Submit
C:\Users\Admin\AppData\Local\Temp\8FAD.tmp\b2e.exe

Filesize
2.8MB

MD5
2740cb40f3bb942bacad943e76dfc78b

SHA1
fde11bb3935bb4b9a3b6fb116c2ab41115df46f4

SHA256
bdd722aeae58ed53a890f323f98b6d6fdc19b09ca2c806897938fa99370f58ab

SHA512
2262bc0eccba4e0d6d77bb6644db0a8fea37d1e5db4c981aa838fa2899815aeb22833c6061bf1711505643e0bea655f6cdd0a9f18730c6d154713492a57e9875

Download Submit
C:\Users\Admin\AppData\Local\Temp\91A1.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
605KB

MD5
87d616fb414ead497fa7ddeede50f0dd

SHA1
5214cba53f47663464ba1bfea9929e13c64f20de

SHA256
560c76748b9d8f27aa23a68c91df0fa35a826b8eda92b5d64b1532bc6668ad60

SHA512
6bcbf9c641320c115a1896d9e981057fca969bb8ee281ada0fd4cf7d08c849fb621e13a503d11fe8fec7f36c39ca010e42ae116a70f7bc3a675c358f9442ae2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
a567802cc4612e9d9dc79172bdc1c556

SHA1
1d5387fa3fab3ae4ec763158a5fcae85a0904a33

SHA256
98833dacaf3b32d18c5d3664a6af6d3428af927f794a4724d909284eb4b1f39b

SHA512
8fdfd9b52da65f4974e5e1e3459e4ed6d98f751b83658a854b6a830cdeaa215bdba2675548f83e45716eab9895506a99296d7efafe46b542001bf6af095187ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
680KB

MD5
91dcf4e4e0601dcf9884a8493b31f3f0

SHA1
a935d13dec12b875d9801ab64b643c9bbc22a9cf

SHA256
073495861267c4518fe7b33e28d8e820d5e22979f672198768625e1d48c9daf4

SHA512
4e981ba72fb6c08b24714eeac28dab9ded6edc47b1bd24d0140211480af890692aad6f49da47372d95eba9ee8b9806608d9d4f88f93119fd0c174b5861363ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
988KB

MD5
707dfff4fbc68b026b761c44544444ba

SHA1
f734a26e6c3c8c7a89df9b0e0755d963976aecf3

SHA256
2caae95a7e024ca3e4947bed79edd1390312ee5dc1fdb527705e1b3bc8d08411

SHA512
413786c24a45fb216b1327df65db76222218f74be93eefdb4a6e576490417078d86009c1702522afbe41ffbe49cb0e792c502d25555b99f6fc06d0e72648dcf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
372KB

MD5
705ed533e1e01ab35abccc20e734d3ba

SHA1
84ee778c348dd2ffcc37509a484a0a9a13afd293

SHA256
5330a12f54bc71bda98f45b8b96b7511fea54fb06bd386dc6624b16d2b4bf30e

SHA512
b72ecdd9c56035ff3126f6b46323aa07c894c2b1ab79e3c6782194e8b2750886aecb5e9a6d93bdbc724ced71d00a4f64a933a678c630c2f9a9df42d3102b14b9

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
657KB

MD5
e35956de023d4ffe18a28cbea4dda264

SHA1
91231a1678d50e173c4b8a7e5b94e785a6f1d8d3

SHA256
e1b9dab3eac13dc3ce383ad0ba5facb3cf05e2ca47dc00cfb25b4eb43ceef509

SHA512
1cdfba630c0547ba81d8eaf283735a2d3ea3644311b9074e6b30e1e83e8044c3d0bc6a793cba87e2b0113d682429bc2c8f4a187669664eb898022d590fa47adb

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
606KB

MD5
be4b3bf90d18d55b619e38c9634ed844

SHA1
3f9e71179a31765d30e5c56783ce928474e2e57f

SHA256
9c3c3997b6cdce49b3638b32499c238a3517be0cf1667c65b5a942cd94a3a531

SHA512
ae7f734f5ebdd53e42409f22b26b42f35a28c972edf5fec9293515712d6794d584f6968336dac2b389c0a1d9186b7a4b5ea92ec28ef82ac2cbb60bf6295f0ede

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
791KB

MD5
11d6343d4761ccae10626996ca8daa86

SHA1
599a5e4ec46e42c422641067cd198ef91d9d1abe

SHA256
21ff431fef0216505a3a57760b432aac81159dd0539a0c45b559c971a0353d27

SHA512
73f64d678a82e49948b252ebfd68a1d73c6b8acc2d18af00fadd5b3780a8b83cc3ffbae198860caee588f398f4afb6a65ddb2821eb42e7a9d3cbd9d6b86f6f60

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
240KB

MD5
5907c423db736020f455acd05acc3cbc

SHA1
e090aaae8e9c8afcaa0ad122aa50597db14aad18

SHA256
1485a1f4e2c660ef3c0c7928ca1e434a3f91a7e4d46a2743734ecaa1d8a47840

SHA512
d97a05421fa0f7d4be8cc33d9954df63ac04891fa21e77b564d22a2e766f1065194585e89ab10dd41ef7bf7b555e0d82ed3b64c7df4016f0b72e625187c1cf05

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1968-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1968-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1968-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1968-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1968-43-0x0000000064810000-0x00000000648A8000-memory.dmp

Filesize
608KB

Download
memory/1968-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1968-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/1968-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1968-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1968-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1968-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1968-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2628-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4548-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4548-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download