73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 16:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3876	b2e.exe
4720	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4720	cpuminer-sse2.exe
4720	cpuminer-sse2.exe
4720	cpuminer-sse2.exe
4720	cpuminer-sse2.exe
4720	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1008-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 3876	1008	batexe.exe	74
PID 1008 wrote to memory of 3876	1008	batexe.exe	74
PID 1008 wrote to memory of 3876	1008	batexe.exe	74
PID 3876 wrote to memory of 4536	3876	b2e.exe	75
PID 3876 wrote to memory of 4536	3876	b2e.exe	75
PID 3876 wrote to memory of 4536	3876	b2e.exe	75
PID 4536 wrote to memory of 4720	4536	cmd.exe	78
PID 4536 wrote to memory of 4720	4536	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Users\Admin\AppData\Local\Temp\921E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\921E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\921E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\949F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\921E.tmp\b2e.exe

Filesize
733KB

MD5
6e211df6420818809e3a3f2ab323625b

SHA1
8d03b3acaa03384a463fde029d3eee9243390fda

SHA256
78425312b0a0ff1c046b88a45bc436d005be7fd40ed7e8b62667cefd2841d62a

SHA512
7ea3acbc8a7cb0359c9ed010b82135ff60dbed8f3e1d5fc3f8063be00d2e3098cf9def208de3fc8669fac048279bf8564682159c3f5c55a3d09b64b5bc25caff

Download Submit
C:\Users\Admin\AppData\Local\Temp\921E.tmp\b2e.exe

Filesize
476KB

MD5
82f163ed1f01dcc32c0406f24b9d4fb1

SHA1
35212e41401f82aef90d442761629783888a5789

SHA256
37772ec1d1d11b594a4f730db65a5ef138afcdc0912f9d2fd6ecdb5b43904e92

SHA512
b138536b300e6763b0dd9bc8d527387e7fd94f04859b439fc7af8512ca3a9b2c35c88e4de581eea2d32dbef7c1f491c5928b71408b44bb8b38eed8cc1d80740a

Download Submit
C:\Users\Admin\AppData\Local\Temp\949F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
640KB

MD5
8b77dfada08ec2dc05cfce9c9765650c

SHA1
a091ee205e4180a5bbea5746adedaa9cc4b1f056

SHA256
48a142f067549e1ee9e1c621314c2ebb5c1826c1b20cf75fa695cbe4284e7afb

SHA512
8b5bedcc48cac4fd663a02c46e373aa1d22e68f1fac890fa59f9f7e49d00b24b7167f70e008d3435017441412d4c44db8a69f3dce34023e1b589c0d9164920e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
413KB

MD5
47ec71bd96943769075e209d8f4fb88c

SHA1
00faa51eeb3a9c6187f09941f102652ef99bb98e

SHA256
413007c9e7282fb2d8200a9bd3bebf828fe563f2f1e794ee9399950ad8697cde

SHA512
0c75edf92f3e6e5aea7ac800bbaddc164009e4b57aa56861c6d9148ca2380d770dfc6b72188f8e68cc882a2a653a682b6c08d14631e2d227c2aaa73ce4eba870

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
549KB

MD5
ad2469285b46f375497880b7895ccdcf

SHA1
0f55a3a503e225872b26da4518069b48184afada

SHA256
5bdcdf30ee8844b870a6fd9ac968928c91c25547d05a8eae937a96d78fb20009

SHA512
ae918da2e8f270160c6d7cb8420c78236ee6ca1a3ea0d4fc2a51d6ded899d8772a90ab7aebbacc24bd05d2c1d4f09eb75bf39241add0de6366cc842ddadd7264

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
865KB

MD5
4533de012aace43b5f51656f2b4b7e1b

SHA1
7e792c983b8e71620a7643cfc2d8a1858f40129c

SHA256
483438cd4131140829a0a1a93d235da6bd89dc43efde107d53ef4d35ac32d168

SHA512
26106632318a462195fdc793059b511d880a99a830bd06fa2bde9249d9224d9bf6d20f8b17e1e1c734c7cd987fecdded19dde73b6b27a481c9796e7aa86f0f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
543KB

MD5
42a386bee93c3fd0f3a299340e31f144

SHA1
8e0b4ce3dddc11858c68e97cdf91c4c1d46d0ef9

SHA256
ef887f0b5d2f2be48160ba88257e728caa988d753f42df3d373084992258f9fd

SHA512
12dfc4517ee2dc7b2cc5a6b8fdcee26dc33d637982acf81bc8d2794585a1061de19315779f1bc98eac85ffca5794026c24620315ea17a810b650adff4dcac05f

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
434KB

MD5
0653325bed7a2cfe38065ca4d6beeb98

SHA1
037a680bb20050b19fc46224972c3b1b1070d0a7

SHA256
b1a620dafe570027d93a0eced128d2862e380c314ec4fa018d598ca1c31eb9dd

SHA512
a0dc5653c9e4388ec7bb620a020de7215c42f565a6257b4af3e85909e7832477867960624f2dc86dff0c454ebca5918c2cdb7e9a9570c0d18a947ae24acbe3ad

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
508KB

MD5
2478626d91689d4884c04532e592d085

SHA1
280183d4642032859a203bbe201aed50dc6b0f32

SHA256
9e9c23f4eea5da02b0c1c4e3575a623749780eb99a33a756346740132b739afc

SHA512
bdd2a630a78fa68d8ad9fd45d073cfb9820a71364eae7b7af222f9689433607cebb8c1e72fcede29285d05409e3d1652c9fe1149fd8870105b588e0ece07a5c1

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
547KB

MD5
d086d6924470200f2fb572a7e76ea418

SHA1
07115dd0ce022c15b6b97b46491b8b820d6dc03c

SHA256
4a9949ad2e30013e6ebb3fdfcce2f81a9d933fd35c389cb8d0c0f288a293c9d5

SHA512
8d8c6ff7e8b045ef36d58c4751652c2c72b7e7d6f11a4b4b000b4b3ebc00550c3e9851865513e2aeccc9c9c64112e478ad22cebf271e0515bb6cbc6673492e3b

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
346KB

MD5
6b2eb0e94c2b0f9a848326339b234265

SHA1
dce874b5ec3eafedc195062dcf0731856d669acd

SHA256
968c743ddcb8fa03f0fda0f89cd0e7b8a4d8709665005e1bdbdd5800e1cec4df

SHA512
c17c8b3130e86f848e4319b72a6b76f594d6daa1101609ad8c637c2b4129179741ba821d01146195b373648300cd355723bcfb734de12aa0fe6a00b03abb130c

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
501KB

MD5
bcd9c344dfce15eb04fecfa0ffef566b

SHA1
fde339ba01d1d663956ffa756bc6bc9a800ff0db

SHA256
aa260fa238f6879dc058167838e147f08b3ca9c0d252e90121904984e5490fcf

SHA512
666c3fc15d18f4e320200532768751af872695b5b7ae5100c0eca81fc79efcd0575fe4c0f74f2fadb5e9a3fe6a36b992366605a255460ccc9408d662c10693c8

Download Submit
memory/1008-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3876-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3876-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4720-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4720-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4720-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4720-43-0x0000000051150000-0x00000000511E8000-memory.dmp

Filesize
608KB

Download
memory/4720-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4720-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download