73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
297s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 17:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4772	b2e.exe
3108	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3108	cpuminer-sse2.exe
3108	cpuminer-sse2.exe
3108	cpuminer-sse2.exe
3108	cpuminer-sse2.exe
3108	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2028-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 4772	2028	batexe.exe	75
PID 2028 wrote to memory of 4772	2028	batexe.exe	75
PID 2028 wrote to memory of 4772	2028	batexe.exe	75
PID 4772 wrote to memory of 2796	4772	b2e.exe	77
PID 4772 wrote to memory of 2796	4772	b2e.exe	77
PID 4772 wrote to memory of 2796	4772	b2e.exe	77
PID 2796 wrote to memory of 3108	2796	cmd.exe	79
PID 2796 wrote to memory of 3108	2796	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\94BE.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\94BE.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\94BE.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9693.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\94BE.tmp\b2e.exe

Filesize
2.6MB

MD5
f845d6b8c0beb43591f7ebc96344f81b

SHA1
5bcb9d96f6589b559060e11d6d5a0bf73d91c80e

SHA256
841b8431f27f5e631d37c605530e6ce5430559c96fa9a6ddebc7e9dd63ad04b2

SHA512
8de293211ad14117c9ecb797c78c738c91b691f3dc861401d537cc72c9ba05a40340c452938bd6d72bf400efa1fffb7bb387f204035697b8a229a29288d5d357

Download Submit
C:\Users\Admin\AppData\Local\Temp\94BE.tmp\b2e.exe

Filesize
4.1MB

MD5
d2c419a721d788c886ebc0bada6a278f

SHA1
94d19fe33b785b89d1060ce3dc9ae4a228791210

SHA256
650228630db655f08faa08da1e0a36d140c2212db9c910251b7805de8e8c46bb

SHA512
59ee192be1b742861e60745fa7c44ea0a8ece045f6c7938ff8d83cc8d59d171a12d50fec02c3f98493bfe1a2006183e13b92063011e6e805379f31510f44eb0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9693.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
565KB

MD5
1e2e16b4574716c6945b6ec83ac4f3ca

SHA1
f7e02be258705b4a14233392ce8240c308c6e653

SHA256
cfb2ede69703beb21a1d87bb9215da3f075704e5b7bb273dba6d7d3022cee570

SHA512
58d227e4159145c39d5a542be9dbb09853d67dd956b7970eae4730c843d8c6e670e74b9aa0c8cecdf91026c011a54352c660957ca4d8e709747b11f3f780a4a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
282KB

MD5
8551e7146ab7a56195946e22390fab02

SHA1
c779a1894328065aa0031c97ef7e96bad865d498

SHA256
c8639051c72173b43b7730f783d199615d12cf9e813ddfdbece5b2e3a54a4472

SHA512
8ea83ef0846b33f83c17375629e27c49ca62dc189d434d7d1fd0fb436faa06c62cc3696af57e2dcf074dda7abcf58e8624beda534585cd70f9674aa301be92e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
384KB

MD5
d1d1f36cdbccda3b96e8c164afb74526

SHA1
91bafcd404c8568c9a195ec8cbf9592ea9e17e8b

SHA256
ea6e726150aa9a8dcf9ccb6a991440b451f9f2dcc46d93cb35971556879d1d03

SHA512
2306e6578ba2217b4f32913e1ac35e0547723b873c11244e96affd05457945373c621ea16a82e1e3aa1a177e3059efc40c8585118c63a3ea145524c51d1d18c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
915KB

MD5
583ba10809e58b017cd2e2e1e27f506c

SHA1
dbced741d606e7ee8cb3952f76491e3d839801a2

SHA256
3306bebf319f52f020eaf47b03bf4d84c73f6475b8cf3bf177d79863393d3488

SHA512
34faaae3dc2f52a8942c39c0bcf3cfdee06df62ff03c72e93932238e16115abb7d307d106ee2b72e8d736272364a40662cfbccab0c6e63cc0412b1e27de93da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
854KB

MD5
3c96b5860939c9f796717b2d0c2779f4

SHA1
ba999660c053bee63b6b467070b0578358ca2570

SHA256
02894d9bf897317bd5ee6c7888b52c9c8fa42117e233825ab9bdd1ee82df220c

SHA512
c8616a40debec00f16ea01f5c14b4e1d9afc6e8ad96d6ab427666cbfba905e03d780002fcccd7cdab37aa7758fb9c3de22aa22d3a700208a6e32fdfcb1c8bea6

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
768KB

MD5
e3f15c79f945604229fa814f57c79274

SHA1
19a7015dfbe622ab86c48693ee1605b26112a3fa

SHA256
7b09ee53447ccf77a0f2d7bfe25908f963d681433d3cba5a16c7f45646c42175

SHA512
12dc1df8a947caee13a12eca5a976feffd7408402b0495e4971d4bd7181e8d353ebc17da044d2ce6d1c273bb05a0ca5ddf7492394b355786d8b14b0997de162c

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
228KB

MD5
0614acccb6f1b6fa5abf57a0a6b92308

SHA1
efc6fec45b50bf567228fff8aa26178109c64001

SHA256
aab12b19dbc295797a34e863515bc7f4c2278a1c7619fd52bf27222233eacef4

SHA512
d935ba4b9a76827ba67218033a3e35d3501a3243f97ccf9dbfe5a18afe92d57f0bb737c243f443bf397d83896b2664338454dd01dab3f5cc37f2a2358e8b3e4c

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
295KB

MD5
d867c07534e565f50a13c37c1314f17f

SHA1
09848aefceaf5b794cfd6f7ea6859806cc2676d4

SHA256
e0686f413d6cc0a986b10db315b5fb6be7956828c2d97aa82d1ede7f5a6f000f

SHA512
dafaec60053b695dff3dedad0deb751140ac4b50e6779e8a75335632e24e3a97f96d85e67e4980ff3f491ef4e1343d3ef2b90e25ebff9f1a9b300791c3ba2812

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
715KB

MD5
8520f2b7e6033081c0f91c15cefe6324

SHA1
c53e3eea67fee102c1c6dbf9268273a05243b8df

SHA256
239c4a51420184ddb6f959871c570270aa793306f52a5baa526c0af6b40fe4f3

SHA512
a8f887c02ab6cef10845e4122a61a3de4f4d55cdfabc782011fd1140fe995219f5f600681edae2e20eb4dc429d4c4b2f6d6dce1b477cfc8883ba412f75311c28

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2028-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3108-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3108-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3108-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3108-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-43-0x000000005CFB0000-0x000000005D048000-memory.dmp

Filesize
608KB

Download
memory/3108-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4772-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4772-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download