73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
299s
max time network
294s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 17:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4784	b2e.exe
812	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
812	cpuminer-sse2.exe
812	cpuminer-sse2.exe
812	cpuminer-sse2.exe
812	cpuminer-sse2.exe
812	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1596-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 4784	1596	batexe.exe	73
PID 1596 wrote to memory of 4784	1596	batexe.exe	73
PID 1596 wrote to memory of 4784	1596	batexe.exe	73
PID 4784 wrote to memory of 968	4784	b2e.exe	74
PID 4784 wrote to memory of 968	4784	b2e.exe	74
PID 4784 wrote to memory of 968	4784	b2e.exe	74
PID 968 wrote to memory of 812	968	cmd.exe	77
PID 968 wrote to memory of 812	968	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Users\Admin\AppData\Local\Temp\2B70.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2B70.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2B70.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\388F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2B70.tmp\b2e.exe

Filesize
412KB

MD5
d2264888f49d6ae6192c9ded8c84aa89

SHA1
0bc4cab1c7587e6119a38504fa5ff51bcacd3c00

SHA256
b91a1280d068bf74a759f175f94a6257d470743dea44dc796fadf3d58b183c66

SHA512
7351e51041cd6f0865ed27c18ec86f9d2d15fabf7738c291a0c3119bc1ecce662bd36b1a37227074c3f2e36bbef908026324dd91646d80bc4d9964dffbbfb81a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B70.tmp\b2e.exe

Filesize
2.6MB

MD5
faf00de708e939425162ab95237ca456

SHA1
c780707ca1faa9a15678170ad8b228ffcd7555d1

SHA256
eaa7bd96c6ded53727ec0c5caa59aa6a3715ef48cb41c87b138c3f47201764b3

SHA512
d9ab13af1202ed3112b47661aadbdda971752e0e29835a5c7ffda6eb3ecf84c4d4d89cc493ae19bb2ae03b65579535dce36cc9acaf71bae5506bcc898b3594cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\388F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
100KB

MD5
ad30758fe6de3e5d5437662516c4ba9f

SHA1
cef5eab5655986895b53d7413709d5d5827374f6

SHA256
0ddbe702a76a14b4a0cf7b1e5d8438f4a49e639ce8989647d026c0abd6aa553d

SHA512
b5db62af3d6cfd851c8968045715dabbf37f504ba03a97fd4688fe6dcd20b399f00c377d3c3d4be9ad632e217af61a2fa9e0b4291c33ee72c569c3bce5b84677

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
208KB

MD5
cc28ab2fdfa8582dd21cb1bfde323341

SHA1
715dd92cdba0415d94be1010fa3a2a8cf180d38c

SHA256
0dac0140ae90f322c0d73978da94217790cb6480afca93908628873d159e5dba

SHA512
a9e525f5398aeaadf13f9428a93de3fd3c34aefa70ee4c78c55aaee7c18791b01ba5f019a62f96fb473a6944d37271da94c689cfc7d4d60e0c52dfbdb7eaed8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
94KB

MD5
193ee309ac44aba828c054be65beb574

SHA1
4af09b1e2b20debaec1a905603009f48cf66fed1

SHA256
a57716aa4792c49b4f8ba9ecd0eb6b7b042f10d013d11581bd2674f2da369fb8

SHA512
3420b3d96c96618c783c0e6831006ef1eb442a7515c7a8b1556e0f46a9af8f7efbdf1ddf81e64d96cae1cb3dfacc7a43455d1a17012c307a196206f654b5a09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
201KB

MD5
d6fae21f330332857b868fc9373e9694

SHA1
5c1f84d59a9aece480d22a5f484ab9ed2d739466

SHA256
366b180cda29b86b0759f26646dfd742e21819747b815756aa7554b7d9d93074

SHA512
f603fa919b9cc7125b245e4cdf7600bedd0f0db1257d2014114291241fc8fa6605b29a73f90397840442d9662978914802754e8b756a62525b846e8aa645e7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
48KB

MD5
0db9c6cf1574eacd69a230d2ad05c3d6

SHA1
8de323d982aec087d13d09a0538d1593ba9d05a9

SHA256
13ab908dbf427b88069c7147cffb324d83bed9f8f3ba622d6c582edc64dd677b

SHA512
b9c4c7c36c42b4dac07e199e6c7994d2f48cd8c23748297286396f27e1d5e2a55d52f68d9558a9a643561b614e387fa51b08ac3486005abe1008ae66a5799707

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
111KB

MD5
08e5f87fb8b7c8699950b13c6f893129

SHA1
8d43ef8204d42fa773fb2d8e58e96356221a84b9

SHA256
cd93bd1f657fa6b49bd1ece2ef2e91cf33f85444d4e379399d226e1a59d4d10e

SHA512
59d761c40c52247ba72e72b6822320f253869750dc3ab208c59d6471d5f7f479f805b80b8505ca8a1ad81bd23019cf3848b9f98a072966c9ce11769f536e5d4c

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
242KB

MD5
7b33ff978640bcfc307bad389ec7d881

SHA1
1564a289a2287c83e1cf18365cf3ccad2e24b96b

SHA256
58e17379b8185e366a20ccb4bd9119e6cb2678ea4d27fd338a6bd6501fa2ec99

SHA512
5158ecf50bfdbca0fabacb912028ddfdde84b69197916cdc3cabe177800c68ff90d635d5d1baad01e4aa9dac1fcce719bee40bbec567ed083442501c5ac4c96d

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
119KB

MD5
272a11ef26035161ed79b84d643ce52a

SHA1
72fe7fe9897e23fc40209a9a2e8c586b71edd9d0

SHA256
88061cb4f42c79f37213a9140af23170d612443dd520ac3d3da92bbdcc692449

SHA512
ed7099a554cc22efd9472828fe89f01ec8255d6822d13c1eb947b985d7f11508dd0051a4e32ceb826d8dbf42c608f0322a5459c2a68a681c3269118545df8021

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
108KB

MD5
b5101e0fa781d7a48ef80df3c41c3622

SHA1
d9b048eac2c72453f3a782f7d9c722e207b21976

SHA256
d7fefbefd1c0ff29bac7880ec326df97875bcbd6aefa7e6886336e1d7e9be2e0

SHA512
8a61f7b02f7b28af25f185147ae1e3305e18ba62796fd69ea72d2b3de098b57e9d2b1b0503fd08921f57c68467df4827973948d21ea6825e45b5db43964ab8f3

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
95KB

MD5
01bf301002d979af5babf3b3688c30ab

SHA1
1b68e41c3e7101ac095c8d00c1734cd15936a0fc

SHA256
14b5324ccdf1c29489f6494de1e5b7e3a37368a525f037847b8d8f4884b5f640

SHA512
f798c0d6d0606c7a11f4d046ccc197dc7862b8d3d45d949efa9c375f3af04059a32b876d96940da0307d72b09fb41a8eb123bfc8be1c421d250f6279b459f78e

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
192KB

MD5
625f906456510afaf916dd0384d76eee

SHA1
66c56574aff02fb199caa60ab71ca9f1c9e7fc92

SHA256
27baaef233592b03722c7d64c26d2270c0300ffb8e7f08a8e0d65212af4b848d

SHA512
041399c5ddc614d8b1a359238df8fb09258c95a0013e5139dbf4093b892395f5f78fa31fbecfee92966c5e78a5c5894005c98e559b8b5735ecf9c1995df51b17

Download Submit
memory/812-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/812-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/812-42-0x000000005D8A0000-0x000000005D938000-memory.dmp

Filesize
608KB

Download
memory/812-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-44-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/812-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1596-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4784-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4784-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download