73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
299s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2076	b2e.exe
5028	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5028	cpuminer-sse2.exe
5028	cpuminer-sse2.exe
5028	cpuminer-sse2.exe
5028	cpuminer-sse2.exe
5028	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2000-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2076	2000	batexe.exe	48
PID 2000 wrote to memory of 2076	2000	batexe.exe	48
PID 2000 wrote to memory of 2076	2000	batexe.exe	48
PID 2076 wrote to memory of 1424	2076	b2e.exe	65
PID 2076 wrote to memory of 1424	2076	b2e.exe	65
PID 2076 wrote to memory of 1424	2076	b2e.exe	65
PID 1424 wrote to memory of 5028	1424	cmd.exe	64
PID 1424 wrote to memory of 5028	1424	cmd.exe	64

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\8D8A.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8D8A.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8D8A.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8F4F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1424

C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8D8A.tmp\b2e.exe

Filesize
448KB

MD5
b4f950446e73c381a61bd6803ccaadfd

SHA1
f2ca7e25a29cb7eb27cbdb6763057a52076ee0b9

SHA256
3d720258beb2e46665f82ee9af404d49abb968a4e6c1a78e760f9da18b296408

SHA512
396e4829c11fac7a1402acfaccf0b80ee1c96d65362d1cf3eba089d1407304da01a63eb8f6230dd70144d57d8573a095f3c4cb3436659fdef4af0e0cf344fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D8A.tmp\b2e.exe

Filesize
241KB

MD5
cbc5d4eea2cbcc6a776ee899cea8081d

SHA1
a255ebf6d74fd6a10c3e23fb2ec745897b35f2e6

SHA256
144bccf7d63ad8d3be6a879528a09c7805eab421579a1abb0f6ca6581579ffbb

SHA512
fe6289cb990942e54faef38a610a0e177371e370ff83d38d11f6f4459113374ddc652d0945c9ff934c63d3a4c9104645b49aaea1139b55203ee559c38eb29423

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F4F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
139KB

MD5
29b656528d7f0bb47c887fde84b081ff

SHA1
da62e80550f6ee9a7c03486375ada90e7ba92451

SHA256
303793819bc9219879d0c918f3220709bd68dc72aad15c088b108b6769b1e885

SHA512
e4197e06d31866b624a76dee12000b32d91653b416224445064a8e0c3e4732576ed3c7b6886b5f24dde4fdd3bf9682e160297bd0e1e5869abe05bb802d233d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
263KB

MD5
707ca6192d67404ac95259a474b04c45

SHA1
99d86030b20510889cbcc53caee8fbb9395d5db9

SHA256
abd6573ec7e95aec59d9be8b14e456b9d8e899b800eef41444b59ef18658fbf4

SHA512
c2491b7bba6e4d0c8bf7d5847b82cde89c96ddf9e182e453384a9e128dd06df1ef130ad0e2af94a9e018a41c615b77f8bf402c2c917d8015afd05d56065b1ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
193KB

MD5
fb92685012242b8398c03df959041df0

SHA1
c3d3c5e99c747792a7edcf60a6cf24d7156dc317

SHA256
690c1b0e19004670b45bcc6eb1f1282ed86eae4563b989f53ee5f7cd0c6a532c

SHA512
244fbc4e95870012e65bf1fb6ddaf6ee5a779dc632c1a1b3954bb472909bcea5f9cf6c49205b8df5eba3b8e2b26699c075312890214ea036b0a45b2182471087

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
140KB

MD5
91aa11ae3705606c597adfd5658d06c7

SHA1
e4ea715675d3d40b16f5b3a25ba40fc5b33eb8f6

SHA256
0b6be77007ec4f06525f90cf1394fc494ccd1bbf21d77caa3a13bf28d780635f

SHA512
d83c54eee9e1740d1db0d342428e0ec0bd34d2126f0f667f4e5fa2323254815fdd9d693f2621986aca1b149061e5a72795987a7f5d2db7265f57addc649d11e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
159KB

MD5
a3a8116a1888e860809b484fcf76c22e

SHA1
f91d3726aac1723af51af548db99af178ed1b0ef

SHA256
293733e97081ad5a640aa3b412d27f6061d7845da292eafcab5cd2686ae91074

SHA512
b1cb46a4d492b3bbe8da7b1f0f01230d562f3a099d01b7eb85c8e01f870bc097cac1df0e21cc0e04ededd2b2dc4b90219465d2ffc3dc8d63b1218ea2b4cfdeeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
407KB

MD5
584c1ea1d0143fe2902647f508a9076f

SHA1
21b391afbe43a16b3ee3d1e431e97d49d877314e

SHA256
0671d383248d2c5e7534633884e762fa43bb0a560594366852c42fbb0b87f7ef

SHA512
ce0b5d3dd421dea41937098f401ff326659b06590ab2373c88f672de2308a67b64b74a6ef2aebe199ca582ec867b3d9dccd1dbe6edcbe9a334700e50d02ed0e8

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
206KB

MD5
740b519791ab526d69fabe3ecf233bfc

SHA1
a0989f6a1f9e760ec0ad3d74aaa4bd119fc2e09d

SHA256
f81590fe1f4de8fb49a4c518418c1660fc642ce7c399d15df616184917765bd4

SHA512
0f206b819d89466eb9062d0027005c222c89e85d71a1905036128130c9e8689a584d99225938ad9c2c85da13a009856b2b21f6945e24ef993e6d76d7e5f049d1

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
96KB

MD5
f2e5187c81d343b10113d4d33026cc98

SHA1
e1c4cfa2467938b18950ea30e05237427b4dd1f6

SHA256
80042392d22a53977669c8dee203877e0b9a2df2ae184f879f03810a70bf6d11

SHA512
f68a67a7ff7a533036375abf6ad472057cb748e566680b73211751308fdea40c93700f9a8340d2dd04abd40a44a8324df351609b55bf80fadb7db4b707027c95

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
146KB

MD5
69f7e31452d7a86e33cb5591a3e0f2ee

SHA1
9e42c98b1bcc148bb2e37fc12469114e7246ee62

SHA256
d7c85d2301ecba6bb2cd9c0366b5df502203e3d217c9dc08712b7501cc2e0c92

SHA512
d6a860188920778549ea8fbda5ad52a0151a759e0ce3091cd44a8621cc246c04ee7495bc1e942761708508d059c924dc9331b6bb831f1cd5c5cab04635d5dc14

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
186KB

MD5
b703da59abc9bbb14070fd98491e45e2

SHA1
a392ec1e64d9fddd1badecba98f7c62461bc73dd

SHA256
6b243241eae27cfab7cce20a5a042b3f9289489ab624d888f247ed522acdd756

SHA512
66a112b1a5b0bdd81d55ad918a75da2ea79902436253dad28a55f42ed0d725c43227081c1fb0456f3fc9d9632cac4e405c60a773409f6c57eca60ba4437e48d1

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
136KB

MD5
0b3c838194400f83600d8daedde1442b

SHA1
8491294dea6128e6dc50476b3fbcf4d4500d8e47

SHA256
9be8ba60d56e99a979faf18c49310ff616640405ee16f4fc2eb1b8d9f2efc52a

SHA512
4e065f3caa36e483a4acc0c344f84fb15dd98265c780c53d100be3f7891e8057f71eae45784f8319b0bf9d6a3fed49e6bf8c53ec15194b649ae9b4b091018389

Download Submit
memory/2000-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2076-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2076-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5028-42-0x0000000050D10000-0x0000000050DA8000-memory.dmp

Filesize
608KB

Download
memory/5028-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5028-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5028-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/5028-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5028-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5028-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5028-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5028-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5028-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5028-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5028-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5028-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5028-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5028-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5028-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5028-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download