73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
295s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
20/02/2024, 02:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3768	b2e.exe
5004	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5004	cpuminer-sse2.exe
5004	cpuminer-sse2.exe
5004	cpuminer-sse2.exe
5004	cpuminer-sse2.exe
5004	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4116-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 3768	4116	batexe.exe	75
PID 4116 wrote to memory of 3768	4116	batexe.exe	75
PID 4116 wrote to memory of 3768	4116	batexe.exe	75
PID 3768 wrote to memory of 5108	3768	b2e.exe	76
PID 3768 wrote to memory of 5108	3768	b2e.exe	76
PID 3768 wrote to memory of 5108	3768	b2e.exe	76
PID 5108 wrote to memory of 5004	5108	cmd.exe	79
PID 5108 wrote to memory of 5004	5108	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Users\Admin\AppData\Local\Temp\C9F7.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\C9F7.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\C9F7.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CF94.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C9F7.tmp\b2e.exe

Filesize
1.7MB

MD5
7b9e19cbeef48d1436f80636d98f1e29

SHA1
211ab3ec2dbf56621bfa6e7b4af51f6d59ed7e22

SHA256
ab3065d4cd6d2916257227617fba70a92bdb7b65f474d9a3b5a7910c6791775d

SHA512
cd561dbc1747d3f5e1a799a1d6f13d71150e273835ecfd1f84b00e742b04a23b41daf83db404ef527c1531f665bd6e74a4fc62bc84759208b958a4803063bdae

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9F7.tmp\b2e.exe

Filesize
1.1MB

MD5
a43a8e689cd5eb2690d211c1d48e729a

SHA1
92acd696234142bf22c8b5f1c1af459f38dc3bf4

SHA256
de564130f2706db8cccf91eb5cda9c55b9cb1cf5c775c3eee2d27c4c63ae5adc

SHA512
d804a9846c745cebd70e25fc740f2d8ab555e3b66ec9a1199539d08a0bf9c7cc4d2122eb5fb65ad6192835649fc0cc55f08ea2572c131c6b1931be3d30991182

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF94.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
704KB

MD5
ce5f200d2d48a057722a957d5acc6426

SHA1
e7a8d4c0dc7b561dfa26e3fddaff015716187305

SHA256
cb450c8c0a952560f35f4b93f14357fc3856ee0b016eabf8bb4d20e9504d82df

SHA512
e7d3b203cc96d08b6d000f6845bbeb5777cd08babadbcb86266193ca68d8183973b3a92f5cf587df1f26bf04a182fa51001b7317c9a9e7ba868d1e26b897ee9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
640KB

MD5
0f6af9e19fa927d88313e98d54420920

SHA1
0aff9c72864126107d6c630aafb9ed6512042afd

SHA256
71661d7077b93e2a5e53d7093e532bec1b66d34e3929bcb314eab7f431b84734

SHA512
bba078e2f4eb5ca45956657356f7419767a81679f34d9991bf28a1d44e412340d1002517f74a15583ffe20b32f1f25b60c47f4581100552dc1e651b3f88547be

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
640KB

MD5
ac7d1c3bb4d3c69372907331267c1ee7

SHA1
fa82689799785ef9ab4c304b1c1a6d2d9a961928

SHA256
d22689ab67764158df7b19e8d78ec1393899f21e390f469a300975a31106c3aa

SHA512
0d541661060d7c5eed486ea0377142e7d3883b3c0935114679af28bcae0b1767585fe06328955cf59aab4fe3d4acfba525dbc42675fbce80b7d0b2300784d125

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
576KB

MD5
46e1c7531774dee6a7125727095ea354

SHA1
2248bc2bd821aded068d2e5e55f5e7271b50ab91

SHA256
cecc229ea9e416207638b67d03bc6846fa188a14fe1c9e75028afb48ff4e2081

SHA512
fa9dc86df3e0a8f7b2579785c03717a43eec14beab8ca3176f73d4ecb0716d047241ab30cd53518e7acd645e9f8282a20552a6fa33824c34afc5c5210cc69f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
448KB

MD5
ca123cec7f705c0af114e462349dc686

SHA1
75f90b4d95f6774b2f66e4ba790755ef118ab222

SHA256
7f141cdc0be9c965e21310bcfb0484b20d31ffd8a6a970f8b5a53c0e8974798a

SHA512
650125faa9ae6733f1118caf3101ca6850473f78f9bfc3a87e908eac1c69935e3bc269ffb5de4dd6e867429c1af35c7f3b9e62eb698fa7c9695d68e7115f3f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
384KB

MD5
eec15153c344f43f1919cb379b9ee2f9

SHA1
3e4a09390ac885ea2797209603bcfa1ec6ff0cc6

SHA256
4e4d7ecae87e8e656c61af89ef17146baf33fbf09ffbde6ae971d04e8e8f9222

SHA512
7cdf3552341d14979838f8fedf9ac63482152f193ab8f7e0af281ec50b2a43312d78c0e22e79989818c5041538fa69769350e1e6cf0789a165be1eb11ee29908

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
384KB

MD5
d1d1f36cdbccda3b96e8c164afb74526

SHA1
91bafcd404c8568c9a195ec8cbf9592ea9e17e8b

SHA256
ea6e726150aa9a8dcf9ccb6a991440b451f9f2dcc46d93cb35971556879d1d03

SHA512
2306e6578ba2217b4f32913e1ac35e0547723b873c11244e96affd05457945373c621ea16a82e1e3aa1a177e3059efc40c8585118c63a3ea145524c51d1d18c9

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
512KB

MD5
6162b21c54b88c5c990e82aee951ebb4

SHA1
477384ab8ebe5f5a5d5a91603736d9ef53c12fd4

SHA256
462eb68967c7205145d0b92e4f3b69297f616187b07a189178f35f288063aff4

SHA512
6264ee49c4b8a6eaa69241e10ff9ab39445f85a57b756b8bc0530b45d77827d05e669dc06b689d4693db34e4161ef11b2cfe6f1954b0b90bcd434e81a938a40d

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
320KB

MD5
e748e3357af6e4674ff8962691273b0d

SHA1
0acfc30d68a1ef7c6790a79270864448f70f0aa8

SHA256
84ff770c784909548dbca7bd2a24c8e82338b142f2d4893023e25c52f70e8d14

SHA512
0bd15154698983c85b46810d8fef9092f4d0725882421d6db61f168873af967808c467b924dcb8ee72aaad6e10202edab14916580fc442e14b9d8c85f9d07dcc

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
256KB

MD5
eca0c37eee65c31b869788d5d0bf00cd

SHA1
33a5c0cd2f0a7296a5c0169699ed8e065b57e5e8

SHA256
1d2b7bd4ddd99d627d5111252baadf028dc9910cf414892867502e5951de962e

SHA512
5f302da7772fca0a6d03ffd8732850f526acf5fcc33e189d2d906a33101454d970d5cca2f829a006d15c4a857341d72c7876cb2e7af84ada4f158695aba5a4dc

Download Submit
memory/3768-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3768-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4116-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5004-43-0x0000000067740000-0x00000000677D8000-memory.dmp

Filesize
608KB

Download
memory/5004-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5004-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5004-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/5004-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5004-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5004-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5004-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5004-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5004-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5004-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5004-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5004-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download