73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
310s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19-02-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4400	b2e.exe
3136	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3136	cpuminer-sse2.exe
3136	cpuminer-sse2.exe
3136	cpuminer-sse2.exe
3136	cpuminer-sse2.exe
3136	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4204-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 4400	4204	batexe.exe	75
PID 4204 wrote to memory of 4400	4204	batexe.exe	75
PID 4204 wrote to memory of 4400	4204	batexe.exe	75
PID 4400 wrote to memory of 2736	4400	b2e.exe	76
PID 4400 wrote to memory of 2736	4400	b2e.exe	76
PID 4400 wrote to memory of 2736	4400	b2e.exe	76
PID 2736 wrote to memory of 3136	2736	cmd.exe	79
PID 2736 wrote to memory of 3136	2736	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Local\Temp\13E1.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\13E1.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\13E1.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1B53.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13E1.tmp\b2e.exe

Filesize
393KB

MD5
c15017001bffbb9e8324c1ed80f6ef00

SHA1
532cadca686256f0af020e0e0fe53273d0f65c4a

SHA256
471d11082d889b177c8b5ec7b9f0cbd7f0f1c08d2eba3f6f74110ae2644912e2

SHA512
c16de2bbaf8ce617ac694095e99a2839e3c2ad29a6523ee3efb1bc36fee4608e53d3999e6d6dd8feac6fe2d266ab41c20a9e2631f27d927a4ff049add76bc06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\13E1.tmp\b2e.exe

Filesize
619KB

MD5
ff66023050bdb684b03581d33e3a031a

SHA1
391f8d7b9cde26582efd95eefbfefa8ceff54961

SHA256
6c69eb2efa46a566a520f62f4af6d40277b51558ecf3039dd9d93a8dc542a2de

SHA512
7c83f3aee3f7b9adf945dbf56d54393f0a19363f8ee5aaf37800b60f9af4c60f260d60c57eca7142670d37c6e6c99f7fedba8b4d9c76076ee6556adbcf68fec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B53.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
54KB

MD5
10d9764c3223735aa2de3d6c04a5463f

SHA1
358bae135db7ace2caad3423e5a67dfa3bb23cf7

SHA256
04483bc51fcdc6ce19a8d17dba81fc1caf061bd5bb11973fddd7cdd01c292cd0

SHA512
e37a28313c30b94cab652c0446d036dde1c1e0c1d604f7876a23fbbc63eec3f9ce9a8185a3d326ceb9ec568b93d3676bf84b201a729ed6b46f94f011b8d982b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
399KB

MD5
988a7ef29243d9912b0aa6f7e983f5ef

SHA1
37d21f20ef98cc66563280b922515d9e910c6419

SHA256
cc5f8fc8001f653f14afae94d304115f034cb220a68286b1e78a2c342b510409

SHA512
c55e354b95ae045c8bdc512e5b277dcd7ea8dbe449941332c760ab44621300bcaf59936cf28404ae4685ba52e8b91db023fb780d7dbef4c400e3d96d6c8d1e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
455KB

MD5
c0b807fc1b3f8e5ddb03659e677917ee

SHA1
33c5152fc8f34c1dc3092b3a739d1d8a3eb7bb64

SHA256
bfdbc045a5e287073628ac7d2eaa1ec0ad996e3282c551a49493455560666854

SHA512
4b599969e6402c62a5628cdfea1b43674a1758abd564d20fb34f07a6e7ace05d7b18b3f17cf834fdb451f8a89987ebbf856910ec343d9aa242eb20ca447cdf81

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
478KB

MD5
e9b9e0ab6e3ac521660c276926d97456

SHA1
c568d81a49e752083c2a5f1ff522434d76c7fafa

SHA256
0b942250012d6dcdc084eb5dfe10043203f542fd88e9736f50367a3fa34dfaf6

SHA512
af5309bc85d16b1c1704a660a1cbaa51a10eda5971772d7e3d38e3a6f5935916b8d48337e8fea7201e50fd818276b408be8a80096ce3de6b46063eb34d0ba892

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
472KB

MD5
6d1ee83a5f05df8a1b16b2165d380886

SHA1
20f3a3dc16d1a8dee7796da2af23b0ed97b5cc21

SHA256
1f375277f0edca4c9639cbbaedb30bb0d39de613b97ea2ade0a34d456448d7bc

SHA512
ee2c7e87e38189ba891e212e5f4d0baf72cf56ca36228c6195905ad08bc2745b72bebfd4dd3b5c1ad7779922d44a72362df72844c4312d64d12d15ab9150ba09

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
205KB

MD5
e4cf26d7c58651067f97c7fa8a1f6d9a

SHA1
08ea421b91d539f3214ceb4d643de9d8d54bef2f

SHA256
074f4a33604632dd5f8fd63f27c1be988d81b8880306de5016887b1e2bc44f0d

SHA512
10173bed4bd3022b7ee1df8c8be9284559e88ab00a2e0e843a9ff6c8d5fb93d3031b11f1829f57fc2e7627fdce658b65f67b8f9b82c4abce2ef2b74b6818d4bb

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
648KB

MD5
44178af66b56e7680b6f0a3023a90f0d

SHA1
ec5731f9a77a88eaf733de1cb6720d706e58dc9f

SHA256
7afc50b157d978a2279968bdb03daf774be6da0b747623d2ddc66391fbd5bc78

SHA512
c10c948f1df955fa57a4306b9e6b6b4b24c34cb19863147d1f26256fe7886abb3c531f000f08d57615d21f2dddc93e89fbc6b79be226af8d57334635506b8262

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
430KB

MD5
a8cd6bf047c5b37ee39def697647b7b1

SHA1
1c59a6e808b2d57aeef6a89fb1873fb198607c08

SHA256
3f067346e6401f27f8ac5ca75c1e66607a7986aa8dee4780d5f2088dc7f63765

SHA512
0d5275f68f968b6b213c12fe6038f6038930e15c9544ad0498ca1e39541cfe71c6a6883c278273460fdc41b3d52fe7b83ce1abe932e011e2bee845b1d7d9a9f1

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
420KB

MD5
84a2e154e7b778f68c6e077027345ff8

SHA1
ae3ee7f123b5023fb27e2557a0eb2f79f2619e07

SHA256
70825625eb8d0f504d774bd2846997fa8048dacde5979b65e988e4cbef0431ba

SHA512
022880b7f5984e31900be868106c32341019c43fa8d10e678398a1c44df659a89f9f254fdab45841223b55527e0920d48af65dd774941b9123cad38bba657b05

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
593KB

MD5
21b99545f06a3799477c4c7d7dd5ae83

SHA1
76187ef414720ab103bd803b8ddb45e38cb23aae

SHA256
04095661cc5d80df5537f710513a5f7ab45e997422cf561c47e01695124eb483

SHA512
22ee905d0ec183dc82157f3a8b09428d329e522f6c29ada8c5f676d351253f1757f7d5b5135175e86ba0921c6d885adb6e0425cf315465a2a942decb8b9fd0b7

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
332KB

MD5
c1d223cc2d4aa092539442e1892b4c62

SHA1
8b5e7b0eeb3c52e3faeda4ea989f992a2da20e4e

SHA256
b45fb05c10f175ca789dddb7665fdf3538902d4e7b697ca95d0570cb035c76c0

SHA512
5f6746254c564d1a4710752d57c96a7d6b5f4ebae0ce74bc4b369081902c234a695ab7e0548dd5d6c533705c07c70a4d81e04cfd72da8d01eabbacb96b1e335b

Download Submit
memory/3136-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3136-42-0x0000000070ED0000-0x0000000070F68000-memory.dmp

Filesize
608KB

Download
memory/3136-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3136-44-0x0000000001010000-0x00000000028C5000-memory.dmp

Filesize
24.7MB

Download
memory/3136-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4400-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4400-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download