73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
310s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1964	b2e.exe
3804	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3804	cpuminer-sse2.exe
3804	cpuminer-sse2.exe
3804	cpuminer-sse2.exe
3804	cpuminer-sse2.exe
3804	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4456-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 1964	4456	batexe.exe	73
PID 4456 wrote to memory of 1964	4456	batexe.exe	73
PID 4456 wrote to memory of 1964	4456	batexe.exe	73
PID 1964 wrote to memory of 1008	1964	b2e.exe	74
PID 1964 wrote to memory of 1008	1964	b2e.exe	74
PID 1964 wrote to memory of 1008	1964	b2e.exe	74
PID 1008 wrote to memory of 3804	1008	cmd.exe	77
PID 1008 wrote to memory of 3804	1008	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\AppData\Local\Temp\A4CB.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A4CB.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A4CB.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AA4A.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A4CB.tmp\b2e.exe

Filesize
3.3MB

MD5
3fa63f0b0c371674ed59563251bf22d0

SHA1
27bff17626430c59e7f5c16d75cf433b80296e1e

SHA256
b143bd57c72c491ef518bfba5da4d44abff2c6a3a59b6cd5bc6e59b2cf0d4f51

SHA512
cde971f9f7092094ecd87fd349b9260bef67c0dc252bded9719eaf995617262b89db60bea26ccbf7320af3dc7f641d45dfea6f311ba322116b41a0ca1defae62

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4CB.tmp\b2e.exe

Filesize
5.3MB

MD5
2b44cd828e009db7b74115ae175c6178

SHA1
2e9280c9593508f8053bfcae8268e7440f691b5b

SHA256
1d5e04994e7510d45a55186661ad314ba8fcdbee06a58face8d5370612cc3f9a

SHA512
889618184def8832ec15ee40c2931bc60fcdfd9a6614b972a03effee284a40300f78d39beaff98d718074b1201b98062e484ab44da50484d0ec2735dd97e4a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA4A.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
955KB

MD5
687861be61cd67e8ac5e50585251e5c6

SHA1
148e63864ba411f7dba0d5a79aa594c2461f43cb

SHA256
ba642d642dafd888365e8f3f73a6140ee42a523bda94d4eb7c148e9495907180

SHA512
4f2038d15afc9fce2066774bbfd2f870497642d62282a484f08cb032f8b165f10e811f2a2b0c19da496a728c4519ad7b2ccefa3630102f672adcd30c5635fdad

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
917KB

MD5
77f3dd5ae8f9cba07b4c233de40dc54c

SHA1
6bad4743361db6e7e6c39de09f833186e30b930b

SHA256
f13f8e2082b5ebc4af1d5ec5d940b4a6c482d9f57479c87efdcdfc007529aa18

SHA512
d214a8afd05c123ce47201b796e95970d5aa6730ef17b28bd8a09210c592b58fbe588b919b444e5bc77a35fc64aa56db93634deefa071f1ee98a2df4ea6c1682

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
913KB

MD5
610afaeb34dbdfb8a84e0fa359fe9e95

SHA1
72c03f06a764e1f54120138db339a6570539b1f9

SHA256
5cfe1f85dd203a52ef0e9654b0fb2456502103bda71fb00047d39cc1dd62c3bc

SHA512
5cab7e38e7ec316a6dc1b14db6586c43c7d8ec37fb3f812820a8764bfac2a5957eaeb386018fc63075609ccee5cfb45d764ac2c0bab845e0f9658756b9b7a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
842KB

MD5
631ae88c89199c021cfce9a353ab37e4

SHA1
92823c2f47f9f86696e93837a33c16934ef006bc

SHA256
7b6f9fcb4d307f4a7dcc9c29e40ffb3662ab1a38c8e9f501c35f3d7c6e5dddd9

SHA512
6b1e638e4fddaae29ee4668f22f13b3e3d5933f5e8896a438da1606862d6d8ca82f5443a78c7edfa9e53621fbaecc14bdaa625fc247ec82aac83c1f9c9ee0cb5

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
900KB

MD5
dd167a05c46fdd19006de1d0ba0d97ac

SHA1
cbf25eb24c9dcefb64c43700f8748c4ee5cc9645

SHA256
20a42b7987d1e63cda9e7f8a7ab3dd17f5ba8125402ae1daf4775051bea1de5a

SHA512
9cde67d28a7cd3b50d8b34f66c037a2aec87ea1340e53bc29badc4170c257ce3c2e265859e7d47b4d068fa2d1376cbaaa9e77631c05a2b5ba42a293dc02ea41d

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
704KB

MD5
ceb1ee23d68e973e400b41e7324c71b6

SHA1
0ad5540864cf9bcbf52870ba72566625ca54e67a

SHA256
66f2f5bd30986e28a4c43ed44264cc56f63bd7a3ecd6aeb5845ac7bcd724aeee

SHA512
51ce4a101517339cb1f5c23fc953dde73f871cec2bde8ea5c9fad9376366d7b8aadaa8668ef2f7bf9d873e8817345e4e337a7a94c42c3ddf6a168377af060e9c

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
987KB

MD5
cb037646e16af40c8c7dcb090ec15c10

SHA1
c4d2d84adbd4fe2b5fae127b4e391f654ff472eb

SHA256
3f2d6de8ee995c01d29e973616146a7561f0b39737bac9c3805e330b754fcb33

SHA512
ce7aed8a942c5b118d70d10886d081f93c506cae5c88d0841d6496f38205a556034f641b84f8068aae0b7fb88596d014169e119c96503eb4dd9bbba102afa00c

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1964-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1964-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3804-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3804-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3804-42-0x000000005F240000-0x000000005F2D8000-memory.dmp

Filesize
608KB

Download
memory/3804-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3804-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3804-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3804-103-0x000000005F240000-0x000000005F2D8000-memory.dmp

Filesize
608KB

Download
memory/3804-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3804-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3804-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3804-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3804-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3804-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3804-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4456-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download