73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 16:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3060	b2e.exe
1568	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3912-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 3060	3912	batexe.exe	72
PID 3912 wrote to memory of 3060	3912	batexe.exe	72
PID 3912 wrote to memory of 3060	3912	batexe.exe	72
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 2336 wrote to memory of 1568	2336	cmd.exe	76
PID 2336 wrote to memory of 1568	2336	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Users\Admin\AppData\Local\Temp\145E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\145E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\145E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1BC0.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\145E.tmp\b2e.exe

Filesize
622KB

MD5
754b7c2c498377fdddea8739568d0c33

SHA1
a92f7f17a5b29f98089f887ec6fc23a1cfe36ddf

SHA256
76682633338b94dccc94c4bcf836d8b5fcd0d2d0187ebdd3423e8f147054efe0

SHA512
c6dca693a7c87cc765f4d42d128a19fb7435cdb43d1a89b0f618bf83d8ae01cabdadc0af65e06e91fe334fffe227a7e80f8b07e48fae983c7ff4e9697c6e5dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\145E.tmp\b2e.exe

Filesize
521KB

MD5
c776cb2c23c439d3e7cc4fe9f78d88e6

SHA1
5b996e0db434910b33fe4b32e7731a8e16265fdd

SHA256
fcf8db4529ca760844e6922ae97ce10197823ca5d21eacda0ecfe36ddd41e23d

SHA512
4ef419e1c57d954d82b3dd5b801bbd480bd16083e728cb51658eb3b348fbddb24f326270c44e27a95c1c2e28350c3187208386f7883a2c303fe65cac1e49b3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BC0.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
621KB

MD5
493be10eb5732020c7fdb43826d8ac18

SHA1
836a87dfe2aa1551c34c2f74f0451692c96d3a8f

SHA256
06d0c00dfc0eb32a7780ae5863a30e7ac80cd56bf089de4409426068958fab57

SHA512
a54a8146f678f22baf78ec18ef45fb3e5c4197fb28a74a676a91248e71e9008ee2e28313f9cc09201edca6b7e57c886a32010ec781dc2df55fff58249c42820c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
495KB

MD5
63b950d3ecf3f853cfc3a41d72e6bdae

SHA1
a0007d604c2f6e047abcb5c83113ff66e80544d5

SHA256
360e7ced8ef54402b285550209a160d4dbe9cff67d01830b44643f77f02a0b27

SHA512
d150a6790bd51bb7643013539f454d498840eb1001ad513a11234a9eb27b7f34aa9cd4367ffbd042a828f1e789da562fe2621eb687f36d4a4cff61e30e3f2e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
53KB

MD5
34f795aa0fdccd126e5692c5485cbe6c

SHA1
f72c8e57439fad887c1972f67a58242ca32fe9c5

SHA256
c440c975f4a3e38875ef4f27949ae4754a99b3301f188cae5ce56cd80bff2b85

SHA512
6324b5902cf7859f9f1d92fa4a6d6198e4ada4d1ff2dabc27c474b67fd644a9c848b3faae98c560fea354480d5354a6c6b3f7ef6d5894b2c7ee75c0615032198

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
620KB

MD5
a683eafb57183e6d4d4a5ff0054bcf15

SHA1
d9d8823b461543c38a34908ada16525aeedc45ce

SHA256
b9624b0a9bb26eb1ca58d2ef66e54338c35c9d62f989a4c801db261f2cd11d7d

SHA512
893dbe043e2787925a13a6487d7ec619044a15b02868e6781858a15316e55eb5a232cda11e15fd6355d6c9311b6ef7d27b8fe876ad9645a8c8142e029474f552

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
735KB

MD5
4a0f389ad28dfc5f171c0676656f2022

SHA1
48df5d15299eb675476499f082b5bf50d767357b

SHA256
623ddf75ba7fbbca92d5fcf6cc2754c06f0ef257d9405cd51a298e045f1ac511

SHA512
3fcc48df9a40c5d348588ef891d797470606a75219a3299c86c2bd5353e85a857e57cb81382a2dbef2036f3912e7346d2283e6243a8312a7678be74c16684a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
499KB

MD5
118f860abe74902b5ff807fd6353f141

SHA1
05d76fe1b6f4463c925ad149caaca0fe2cfbca85

SHA256
dbcf54ce32a4f582a7ec83f89eed0d47c40f2eeefa2944f0c9bfbdf2607ca960

SHA512
ecf73776dcf324fc78e64ef72f6f980efb6dd688858356176ac9ba51ebb366b3bc1d588c32fabab7fc8b88f4793308c5bfa7d7ec783391b5d3090b455030b452

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
593KB

MD5
b3799dd9a62470b984a2b280cec91b41

SHA1
e91a37e7d974ea926d76112bb86d57ae35b54467

SHA256
f728c1ba5fd939300192ca6a0c5f38e6a50a39f9b4456c71f675ad61080a2092

SHA512
bb2da3cde729a4f6829ad02ed074a99e053408a57e835c2e86fbdedc105d3772ce9e7863f5fe6f7ffaed5a276691abe116a254dd070dec89d867d699bc82ce50

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
447KB

MD5
c899c0af1e824b2c4c10589d6033387b

SHA1
dd25db4e0bab1ca0ea833d03ada950efdf366baa

SHA256
387cd1900dad169b525e7e4923d2eebe958ec98031e8bd3149e17b2aea196ef3

SHA512
533e6f83145f52cfa851ca438d6c6d820a54a0619cdcb75c4731435d96c05c31d40d6b2376025904724111b27117aac004b1110120b782a477488258babb6e69

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
381KB

MD5
d14d3104186e2656d9d25f5d29f4df60

SHA1
402025c20c46f0848d5ce8f376402668f5d8f496

SHA256
5d72fa2dbe1f9662d92930e20f5ff710bee271abd6bb7f44bedf0acb888d293b

SHA512
b340732fb82aef3f966aac9a480fc887bbbe03927eddb66fe281c0fab126ccb0d6c112ad4ee347d80d746dcb1019ff5dd3ea0c4ef854c76912937d0c7ad271b4

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
415KB

MD5
579ac1a288a1d2ff695e4417cd6e9525

SHA1
c32b4c94c7dd03e70674ab01432b096da5ac707a

SHA256
5dcf22069a573ca641e0bf2f04f5cc1bb057a344f4df049a3aeafb55cc361e53

SHA512
6c55ee3a294a55d5902ff55d80366f04a4a66e6a7de92e44a00024c3142843122fc7cbc61330feee2dc5ca74cb48f85f1b488dabd7a4e7a82489e4c724c19839

Download Submit
memory/1568-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-43-0x0000000074E60000-0x0000000074EF8000-memory.dmp

Filesize
608KB

Download
memory/1568-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1568-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1568-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/1568-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3060-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3060-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3912-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download