73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 16:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3172	b2e.exe
928	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
928	cpuminer-sse2.exe
928	cpuminer-sse2.exe
928	cpuminer-sse2.exe
928	cpuminer-sse2.exe
928	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4628-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 3172	4628	batexe.exe	76
PID 4628 wrote to memory of 3172	4628	batexe.exe	76
PID 4628 wrote to memory of 3172	4628	batexe.exe	76
PID 3172 wrote to memory of 3520	3172	b2e.exe	77
PID 3172 wrote to memory of 3520	3172	b2e.exe	77
PID 3172 wrote to memory of 3520	3172	b2e.exe	77
PID 3520 wrote to memory of 928	3520	cmd.exe	80
PID 3520 wrote to memory of 928	3520	cmd.exe	80

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Users\Admin\AppData\Local\Temp\A44E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A44E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A44E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A690.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A44E.tmp\b2e.exe

Filesize
1.9MB

MD5
2193f4200d09d968ad27b3966e2433b9

SHA1
8417525275ad437035423a61a689f5394621959d

SHA256
046193a384e29eee7bfbd9eda8233e5274b02d7a8f0fcfd48af104bbeea02cd9

SHA512
31aef6f62aa580530fb7c20ed9a92d5ef97a43c49a8e94964fc20ce2ad2ffcd1443e2839e77f1355b791c9705e31e1f882ea729549d99c0a1d8c082f4ad25f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\A44E.tmp\b2e.exe

Filesize
2.1MB

MD5
2708b0f2d2d85ca071d78d26e2fc1732

SHA1
4fd4a618341f4c6ad0c425f261c36737deedd97e

SHA256
90255d352ea90f7fcb989e6876a6939d611852bb320929e3e88d09dce1cf74f4

SHA512
d3d79c07b2347362a764974b303b33ef424fe792922b903f9812fb284e60250755cb6380a0eb029d7de322563606783e1e058cf2a718d2f44e3bd3b608d33349

Download Submit
C:\Users\Admin\AppData\Local\Temp\A690.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
9bde0a8443acbd6234b3c1682fc8bce2

SHA1
e4016dea22a401d1bdbec368ea3769b21ce9a2b5

SHA256
489fc2313327f3ca0bb7a19cf33ae3736cbd44059646e2b19ae0437ae8e4479f

SHA512
78b3ca7db67db183f762b35aab4cac580e6d48fcd62a678cd0f19496fd6cce3031e828dd861af98699c35771a4cf56e037bd22b9b0bd464f35fca14b28ce83fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
9KB

MD5
6bd7368561314bba3989d26edf0a05f1

SHA1
d17b5bf5148776cce82db4c5641d08553440e7b4

SHA256
c84ed84327140041e0ee867e7d90bf88d7e487ef43614786f1d7b4a52aa3f577

SHA512
acb5d1cc37c81d8d70994be18e64c16f0dc635f5550aafa01af09de51b145249fac9a6d4383f0a2f5c6b42ca75fad202adc32ffcd8819bb0e018c4c2f3197f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
8994ee79323f117348ba305f8957ec7b

SHA1
7ec128802eb6d3eaf297f36ed9f7b16eb49abbd4

SHA256
cea5377fd5209e35c26aafe8a29090fe291d93b414bd93c9caa6208fac98805a

SHA512
b62ed5db25c31a22e216cf6f21a5f6691c1e426d8b77699a1661f661a17934ddaf34da6dc1c79231d735ed9bd01632ecd1586a766252bb962f7594536bdaeb0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.1MB

MD5
f4dd828545d2a8aa5671b9a1d9650a79

SHA1
063a26ad6d131bc002229b05747c6e6cb5f7f668

SHA256
8ccb4ef95d0ae951451df373e0995f95c11f0286e1b55fe614740991afb0971a

SHA512
386791bdea65a7ab834d47d23db58f46ad493f9cbfda2a8ef1d04ff31a627d0e09168fdf03d6a0136f57234f76c389bcca638128bf94f70bf86900b46f06ea7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
76KB

MD5
2739f7969ecbdfe5f5815c3932fd80e6

SHA1
27cde251824ff8b9d5cd9edea138481fb4a61713

SHA256
4536181a0e59cbfbfb2899829aebd27e40a443e2ea39500fda318233fb8d42e2

SHA512
757a029550283044b2e3da6f365a48ec38010853f66aa52a327c36781620c919938d08dc98d63858b5d703a20a2752f90cd25a91297112a7060004d32633e4fa

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
448KB

MD5
19a61444b6e2d01755ede80960bca19c

SHA1
e0c7222784d3e2b3329ec3280648b17fd60ef209

SHA256
13fd488b38f3b75438e9ad0a033df005cd397f3c92f43275714a0a7eb3fb4db8

SHA512
bc02c82bdac19f10f3e3a93d3f507bb7838c9255b7cff5af6e3a7f3b471dae9c45c52728c3c23857b3402dd1702cb51a20f225a4da992c26a997c26d86b6b1d9

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
143KB

MD5
ee5ff96128fb3e091c42e1c055ac1122

SHA1
5d95c6e38a4924454bf3e783a35d1c7cb8b5f5cb

SHA256
ebf05c1881cf804604d3286c252dff950ceac721916d74340757726016483818

SHA512
db73f9e4180ab4119cd7242913014439b931d01a7e1f0dbfbddb276e5000b0659da8e30b17031fe120ede2b175fba50673080436f9b8bcb4004cc8b61fcf9116

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
78KB

MD5
6ccfec6cb8edaca3417acaa4da856575

SHA1
43f5b1a78e158e52afa9646c649b3570088e03fc

SHA256
086616dfb8af354bc6b7fa71ea7586aa5407e02595ab2e108ac4bd31d0ef8e1a

SHA512
933777137d64faad6f8c8d2c70f93f4d3752194d37b3d03553e24639071c04b4d288ddb9161817103a4cc6c4af10d7a0c4ac315c591e1155cb77de9a64ddfc05

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
228KB

MD5
773063245a66bd9c34639cbb0004eaba

SHA1
2cb06950c4007ec8bafe4e84f2aa651ec4f32d0c

SHA256
b4fab406035da9f131c9d32c1858c40167f01c9a1ff5ebea6e30266263346456

SHA512
58f00d0bc6382f0a5b4b4b1128abdc70031bafb39490b679e99db0bc2f5f09978e49077de3be325d8f871f19bd3e3f8586f34e4de9c88858ff6edd198a3106d6

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
191KB

MD5
7f8f2452169c8176628745006999c775

SHA1
a9ca49af20176cca18cb31a1eabc96751beb3fe8

SHA256
6f2604b29464243137a1c3aad5db718904abff509b1c3d1d7837725bf0c6bb4c

SHA512
53b5f4f77d3371d61ee7aa3f36fd6b443bda1ebca76ee59e2fed3787baceb651f7ab13afd71c4af120b849731c73e842b4ca9e348c58a6722b07d22ca4c55f2e

Download Submit
memory/928-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/928-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/928-43-0x0000000051EF0000-0x0000000051F88000-memory.dmp

Filesize
608KB

Download
memory/928-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/928-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/928-44-0x0000000001160000-0x0000000002A15000-memory.dmp

Filesize
24.7MB

Download
memory/928-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/928-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/928-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/928-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/928-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/928-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/928-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/928-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3172-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3172-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4628-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download