73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3372	b2e.exe
3108	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3108	cpuminer-sse2.exe
3108	cpuminer-sse2.exe
3108	cpuminer-sse2.exe
3108	cpuminer-sse2.exe
3108	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2364-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 3372	2364	batexe.exe	76
PID 2364 wrote to memory of 3372	2364	batexe.exe	76
PID 2364 wrote to memory of 3372	2364	batexe.exe	76
PID 3372 wrote to memory of 2968	3372	b2e.exe	78
PID 3372 wrote to memory of 2968	3372	b2e.exe	78
PID 3372 wrote to memory of 2968	3372	b2e.exe	78
PID 2968 wrote to memory of 3108	2968	cmd.exe	80
PID 2968 wrote to memory of 3108	2968	cmd.exe	80

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\920E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\920E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\920E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\947F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\920E.tmp\b2e.exe

Filesize
2.0MB

MD5
b1e10242d1f206669851407eba637435

SHA1
46b03045b5d26350883d864772d60ed78693e0ee

SHA256
d4fa06ba088ff7410d610bf50c6c9fda7a2e65a4afd3297c91f3f9f182aa9291

SHA512
8379eac1548a31c6287785c267e3969e895f309313be398ba3d9d78f3932f6c732139e700d15e6e4be5abd6947aa1562e52d87b1e34a68f6616a8e3deaf20006

Download Submit
C:\Users\Admin\AppData\Local\Temp\920E.tmp\b2e.exe

Filesize
2.2MB

MD5
ccf844c102dd731d8bc0a2cc834221a3

SHA1
5f517269d770b8ab167607761221f4d51980a43d

SHA256
52470ac26f849a577be5f5804116dbd65299c98b24a128038b78b0b718e70dd4

SHA512
8d7d502993f12b5c94d2167f40c4e6466d12cafd977643bb34b0c26d0af864d15de0764f6cfd5ed7e45d073f10dc617fe7f3a7527db34dfd0d667507f605556c

Download Submit
C:\Users\Admin\AppData\Local\Temp\947F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
563KB

MD5
4063d9d506cdbdc1407c37fb36ca2592

SHA1
05d1f5e51ba9f9d8138f0132557b3e32a72b0883

SHA256
faf831d13e998fac389fe6ca4e75bed12c61ce475c5b43b1c51e6531e2ca309d

SHA512
b4e4d88d5e8992adc5fca5049ac1f27e239d64e02e5fa916fb06edd53d0900192e818d3c0ae23968aef25bab23a55a81a458c58aab6950364eb3b2440baf97e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
600KB

MD5
3fd3bf752791b1d24e0201ad4131db41

SHA1
c0aefd433ba47adf7faad7263ba1cf44486e571b

SHA256
52b5548b31815bb3c9f7798c6568234c9d470a7022f921c8d17b7c25d422d0fd

SHA512
5cdf2915e1f0d10290a15207a4c535582df654f2fd1912e7cf0c88c54ff35e36db492a26a50fb50082f18463d3a6c0d152a2db2945e03ef37f9df798854b3fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
709KB

MD5
4b479d0f61930f4dc4937b134886f70e

SHA1
f560f33670462e0c7bfa906c2e6efd34f48dd5d9

SHA256
4e091f39cd277b9d0088f4cf93fc2363ef07931f2397fd2a3d564450abae4ac9

SHA512
39c028d7b742714438ef578dc6daedd6581f2d1647892d1110917025f75ab99e111dd0b20d69cb6d6e89d73c0e18f825eb3b7133d2df0073e1e141176eba1de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
485KB

MD5
2b2a77f8edb3c7949054f29bb8bc10f7

SHA1
bd18a31bd11aea2b2ff7aa34d4816a06b5517f3a

SHA256
d94462d8b28e07f4d83f35e9466b52728566c84cfee27b5273b651e6b64815b9

SHA512
0046e635a1bf953970b155c748a608b0dd1730ae5f93ef51cb5d1e56ccc74c2d88d1f94d8c9ce04c3d6fca99578f4d7240ba85b68584a19e6173dc913bb9cdba

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
392KB

MD5
86eba4b7815351e10b2185635ff2e4fc

SHA1
4d46fa09b4fcdc2bbe761e54574cb9b02f6980ae

SHA256
3b0f0d1c6231bad278187ecae37149b72ae9468388b0cbe40aeeaefd06ea05bc

SHA512
e9163bdbf81e8e14d0fbfa3ec2be96183178f1e4c8c884e0afffe90fc3114aadd1479f2328ca603f6f8fcce42821cd497b96955780cc70288c84bfad88a67fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
330KB

MD5
f1450b52e4cbde866eea0a56958304a6

SHA1
c73eb5d03866c73445d05904953ce8324668c21e

SHA256
60f4b1966b22678abad743d2816fb37cbbdf71c11e3433b1a810874dc7c20fc3

SHA512
cb7bdbfc2767d83778a8e7eae761a86626fb82882233a8d26886f88531b353a7523f35208b8a90323ea51bcb16974a1af3c1a6d1cc3cc6c8bbafbfa1837cc0cf

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
408KB

MD5
09e3eb66ccec68e9cc8c204c1db05098

SHA1
97c937104bc0f441c70d16d5937f3f71050c7297

SHA256
b860dcf2b370ede0b0440bfdfd41329bec53ea1203697c7737852c137291f75a

SHA512
434b5310884ae8390dd47ddd15e40a60b934a6a38fb1a348e1d3e812c1ae64eb1c18c31f0af49945fc9a65f0322f0245daba51ed5bde903e353f6ed134b995d6

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
592KB

MD5
3c0dff2b5f51e6f2f69ed7e8ab6d118b

SHA1
fb9d541b4f6da5fa39dd455b92bdc16514674b96

SHA256
646104e195360b2a5e633aa9e58af56982d2dfa3f1fd68ae36d566947a9569be

SHA512
f63ffff33856c9336745496ded62278e0a08e74f983fe2d1d717084b697f39d288acd98cf01c3923622b0690e55e7c91efce4d99d8987122ed5f1609faec69ac

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
382KB

MD5
6e43e25bb1a99db10178e523e5f96ecd

SHA1
9e231dec7f6c70e94e5ef1715d32f1313746e3b0

SHA256
c702ac8891cb1da789aec3b73df93a3ada75588acd7426aed177acdf9513f5a6

SHA512
0032274753171c5882932909cca49f65d9b4e5e3e9d603b59a433f7c1a5cbda70651ef951ee2554a6cd40c68824d1e72b8f50cf881fadc76309466b9b53fbb66

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
413KB

MD5
0806f613014168f91d239fa2040ce280

SHA1
9f42c482005d653491d273b6101a7588f1c96344

SHA256
9f19c62bbd25341da0bfb1bb9d03a5a480dd74ca9a88fc0f2737d0366f972384

SHA512
b4fc342b2a6f3f679158e82fdaa00a1444a979240814658a399e31d1b208e31c0b85b3716f68a1757831e2f974839e29ec4632bd5cd9907dfa27733367082462

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
443KB

MD5
7f7333a416e344c3c6e635f8e87decdb

SHA1
a298583ffd1dca47aa9515a18704fe67f7d9f764

SHA256
d1cb10e6fb5b12ecbdeb5f6da4631dcbe72a7c09935181831f96a5b6a727e14e

SHA512
1126bf2dbd6d9f877823db4a0af272675cf0cbc0e2abba266d714e8f8c855521f475639dad4607dcf60582908d289af5002fb7c7c0afd30ea88c57c4bbc02e48

Download Submit
memory/2364-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3108-44-0x0000000000D40000-0x00000000025F5000-memory.dmp

Filesize
24.7MB

Download
memory/3108-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3108-43-0x0000000070380000-0x0000000070418000-memory.dmp

Filesize
608KB

Download
memory/3108-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3108-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3372-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download