73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
306s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 16:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1260	b2e.exe
3864	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3864	cpuminer-sse2.exe
3864	cpuminer-sse2.exe
3864	cpuminer-sse2.exe
3864	cpuminer-sse2.exe
3864	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2940-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 1260	2940	batexe.exe	74
PID 2940 wrote to memory of 1260	2940	batexe.exe	74
PID 2940 wrote to memory of 1260	2940	batexe.exe	74
PID 1260 wrote to memory of 1180	1260	b2e.exe	75
PID 1260 wrote to memory of 1180	1260	b2e.exe	75
PID 1260 wrote to memory of 1180	1260	b2e.exe	75
PID 1180 wrote to memory of 3864	1180	cmd.exe	78
PID 1180 wrote to memory of 3864	1180	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\B314.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\B314.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\B314.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B611.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B314.tmp\b2e.exe

Filesize
2.0MB

MD5
96b0601b9c40a456a8910d012a396ef9

SHA1
15899fb333d0cf0aab7ac683c48caf988aa3704f

SHA256
d81c0693508cae14372d124aa1dd23ddc03435af1129ca9b467e5fbcab61e8ac

SHA512
e135e6943e17b509404b5c2afd7f22cb7c8e641704a1cc092aa7562ef88b4a95daa87e44ec1a88a743e0f6b1536b73dbb26a68565c45bf34bdfd3262aaaea1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\B314.tmp\b2e.exe

Filesize
2.5MB

MD5
694dcd603323658fa3e5b8353d1ae9d0

SHA1
6dcdebe88ee35557469d41f586b0c220491670b5

SHA256
37a21b3b278a9cfb711e60f0f0db9af1e1ae7974206796ee29f9ee5fa63cb81e

SHA512
52db9ee9dab23449cfc2a7d25fcfe8b9b690c21664a81c3b9c9555452537154d65b37608f18e158c0fef98c99803a4f0c9370df20f4a9fdf3cee5d55e862ed9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B611.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
327KB

MD5
9f74c95af5bd856dacad3e121ba0dab9

SHA1
bdf1396c2a8a685625ce88149524257b9b9075e9

SHA256
4fce16666b7c133100dbfc10007681fff76401afd1edcd6bc5d0071d0a79f9ab

SHA512
48917255eb2c6ca8b951e0a7a6a94210f0648c30dd468ac3b44b00b21cc8fee3acc1453b4dbb85489c3ebe681c5176d4945b97603e0ff813f4bed4512a54ffdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
628KB

MD5
26d9e1fd5207c3d00408325fe15841f2

SHA1
77fcce84c0de8cd95cf993a8cb22f48b763a0b72

SHA256
8e9c6d5511c7e988617a634d76af2cfd339613a563b061bcc6149ef088a3a74a

SHA512
c64ffcd8d57114195f9a69a536980b58c63aa1598a12e21ccd924da0be354d8f5a1fdf8e0d01d24f9be5c7fb0d38edeca8a8aed8ae96698ae52782b04319b947

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
163KB

MD5
ff56b2613d4184437915b0ff8699007a

SHA1
e768e7e607f25dcd5bc49fe4801586216d5a61bc

SHA256
fbadc779218d8e154040e9f68eb89cabef954ec4a7bdf02763a3417fe0b8351c

SHA512
a6a91d6071461dde105ecb2f2c6623bd8f4e86f39993762dba16cc949e32cc114626ab509c31243c39eea786ffd7a599a27cf370401648975a5bd158b5ac565d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
346KB

MD5
4ae0b6f8b873cdf35821036ad4aa51a7

SHA1
60696fdf2279cbd84803a8585ba4667876e794d1

SHA256
bb602415f5125a2d83d1fa9f5b8394abf120e8bef327de5830cf7b8a7732690c

SHA512
a5e686692c4a7532e9f2748c5b29fc29f3cda014184f4f05baa35904d2d6d19ab9933ba8794f457bed41a1aec4568156fee0b641e354a081ea709d659e5526ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
269KB

MD5
0a4045ad399e6d78f25015747eb3e2cf

SHA1
660a68f6c3fd92568127cf6ea2ca8fb0db859ea4

SHA256
554760cea2efb60dd2892644d917f0a1a894abc3f61f78f52b1140750991a8d0

SHA512
f3b8df396e52ac2476f340bc5e3d553a48d3d71394b2adce3dc5162b5aeeea25e3d9e0d21c486b4f5a2258a7b719869629a3d96511eafbb855779433b7275f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
156KB

MD5
113ee45d2eb40c97206c7d1e43c10312

SHA1
087d93ea7802ebaa619df0ce6fdf38c7205a2f2b

SHA256
d4238ea56d4c7a10729313b22b3810bb3b7e639555daf8a04aea81060f09a9e6

SHA512
1acf32619e56e4a8c331729a4578af4ff606749e4ecc83a2736ae9f1d597d051bf03fc928af93c1490bc93af098916b4206bf384bcfadbf3954dd5571f09f428

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
160KB

MD5
d179aa9a715d4c534d83ae134fbe0c7e

SHA1
54f7131bcb7a59c8ac04b8126e2a4c295c276b48

SHA256
f799cfc7457436bb960e3c9dbae5e3869eced5199098d1894d791c5b7b6370a5

SHA512
2ee1c415416d7197ef97b2046c7384186ed5166927ebcb4ce7a5703ff82ac2e0bcfc7fa65ddcf1882ca1cb2b030af86a16137c1b174075977528873802e6cb43

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
556KB

MD5
0e6b128e86b083c324f7cb77d44f000c

SHA1
c399076ab702e0e80e33d83601cbf83e7529155c

SHA256
7fdf3f06486a9c223a24db26e9867a5ed2832ccfa6a6a9f8c76c355965cbaf71

SHA512
81299e4cfc5d3efa09634e3ada6bdf447c8cc352c86d7f5b96012fef219d74a5b0ec0d8c30ea12807d24b045223fc4fb4324e543ea7eac9b1342e5c9c898ea11

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
250KB

MD5
143117b609e2e60abbc70229adbc9e7b

SHA1
0f2c4be38dfe7fd39961f1b2d12767ed1f665cfb

SHA256
519804cfed26e927ee5a607a263398b3bae57866f48e63779eda9678ed5d14d9

SHA512
36551e5e6c1b1cb52be2028d8fd0f248a71757e4115a93c7ef5bc09237626d13c1a13e30a313174f3a54869753bb7a321d79d054dd323b2d85b2048898427ec3

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
273KB

MD5
08b33154621ce579d74499f6297cd354

SHA1
3f77ff22ef4db2f67b952175b66185894b570d56

SHA256
18691db5e4def0497e1eb0efcfff02b992bf377f93b16217c429cddb59d2c3d8

SHA512
5f64f6a08577b9a6ef1214e1f04a0eb33295f398612d84f141ead81ad7957d1e30f5e6bab7a23c8b734bdd716ba581fedfaa9b8899c545ecc765295767f55e29

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
71KB

MD5
c2281083855dc5e0d99ace6099c55d44

SHA1
064ef501a25861b7e46539a83e229d536da0dc24

SHA256
1e6f72ef734f03b827cc9765509bfe027fc94ad7849dc3c450df025cdd99ee65

SHA512
d94fc4144e40f3666499eb24551aa0769a388603873c795455ce4a2bfbd9227ec14a3856c9e62ea0113112099682978d2e44e1e711d4d56ee9b057f1145ee974

Download Submit
memory/1260-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1260-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2940-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3864-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3864-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3864-43-0x000000005BBB0000-0x000000005BC48000-memory.dmp

Filesize
608KB

Download
memory/3864-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3864-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3864-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download