73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
302s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
20/02/2024, 03:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4972	b2e.exe
1944	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1944	cpuminer-sse2.exe
1944	cpuminer-sse2.exe
1944	cpuminer-sse2.exe
1944	cpuminer-sse2.exe
1944	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2300-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 4972	2300	batexe.exe	74
PID 2300 wrote to memory of 4972	2300	batexe.exe	74
PID 2300 wrote to memory of 4972	2300	batexe.exe	74
PID 4972 wrote to memory of 508	4972	b2e.exe	75
PID 4972 wrote to memory of 508	4972	b2e.exe	75
PID 4972 wrote to memory of 508	4972	b2e.exe	75
PID 508 wrote to memory of 1944	508	cmd.exe	78
PID 508 wrote to memory of 1944	508	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\9347.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9347.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9347.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\956A.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:508
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9347.tmp\b2e.exe

Filesize
12.7MB

MD5
9b9f582d50b55bfe99f9e47cc712cfff

SHA1
65ae5afc6f875c854c21a9a531f46b28c6ab4555

SHA256
2bdf69a46da83947ec182681c954a5201ecec4ff06371ba93d1ab616329ce0e4

SHA512
c56144bdf9f45a78f773e844e8415e2424f899e10516f9edb65b4eaf9c2e4bad24b66082c5d519442fb388fb6dd9da1ff08bf25e958367735c2529bf4ecb428e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9347.tmp\b2e.exe

Filesize
12.0MB

MD5
3fb42af0a31edebde8b029ec814a6312

SHA1
7bcc0d6244bb177172da0916f980939598053b95

SHA256
293a1be575dd5b5da6f966c7c7f37a4d0c177a0248ad03f89716267695e67aaf

SHA512
517edbec8994274e960ca7dd4dae4ef3f366798160ff8bb1b19e6ecb6ba2eaca6627c567a82f1914173c2ec7dbf120afb021e32318cd89a51ce5f1f675a7606f

Download Submit
C:\Users\Admin\AppData\Local\Temp\956A.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.0MB

MD5
f32d67ab8a73167e43b962b0416eb0df

SHA1
aad4008a7b09ce01a14f0807eddf5622ad0087b0

SHA256
c19be207133d1f690bc378db3ab620639f2e99ff6de31939313b1609e3a5d86b

SHA512
a79c1b3df3f43669b376252389cd3ce75a3a2113006c631f64b22ba70657bb8e06866b641350e63040496960273ee3d58a9ffa006261e70a323e93f83098d080

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.8MB

MD5
d1cac0853fe8f0bc4885e4d6d4685468

SHA1
3e4562664820744cdebdc79f1053f58266c3ae36

SHA256
e5d45aa076303b770a53b90d7c93adf11cd362ae5f4e89fa6a991c1b0dee3c1d

SHA512
42658adc4b15da4265a8773b1faf667f530e9951e5d2361fa8846559670e8906964a21f2b862b749f5c1821fb73ca04b7bd7604e4e6a6bb910147a09e561376c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.7MB

MD5
2a9687bc1f199801c06dd62baf145261

SHA1
d884d2c083876e6b8c3e1d0d0c9f40ce14cf6e64

SHA256
96fae908c68187f64b9c5aec6486667c6746b0e2b95b4669565c94071cc82461

SHA512
4d2f3e861ef95dca2c2bbcf484d65becc0c8eec477ba10af234e461246f47161d8e5dca512049ce479564652390bde54af3a419f489f9578d3407e348c35cd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
445KB

MD5
397d7841cd51d67016a7a217e1aae966

SHA1
c5216c379f370520ede1211c97f8ba6caa8d34af

SHA256
38c320de0c4e4ccdb2d15ef3c47c85aacf8229c3f7b791503fee12d6306c7895

SHA512
5ca2c6a68431418ff50b4ef7034c14e816d018bc2a7fc20abb96e7afa241d94429842dcd68c8df6cb7c1c29738e08643cf4609312bd2d6ea2407c6f8662a24e5

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
703KB

MD5
b580447e3399ab31914fef16c7ab5ef4

SHA1
ea319f7e747de4f7a46201d1ad428671126e4a4a

SHA256
cc177a9ef2ed45c99704d78901471f5124342f43c0c7ff61416ae5e6dce8e68f

SHA512
71574e6c78e0c9140f9bbd90e07fc8ab5be3cb50dad2dede40442ceff6d98ac7d1b47657d28d8d57f03c390df52ffd9591e27ecf645618c14313d193d29d9b2e

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
793KB

MD5
d7fe18f80bb1702040193feba11347ca

SHA1
4bdc6cfc9c0e05b6166f1ba8aa28e8c529b8dc9d

SHA256
b77af2041d811e6855ce244dcf1544d5649ed97aad8261157d8099c1357caee2

SHA512
8811ae46f6880cb947aa99c6295e49c6d60ce71cf2a42073f16173f2fca101382e95d1e8e378465c6868b05340d8e0cd4f28ad5c00f3b33674f068a2ab9bd9cb

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
2571d62f399a1c59032dd532a77a4042

SHA1
79665178cec0fff3c569ce8d41073ac2d301216d

SHA256
b5be56e1c9f32398b33ec1e38b4aafca2fca3c8a9b77e3e6e884e67e60ff2e8e

SHA512
c45279f4fe301434798c958bb0359c0f6476972b0e5938f4712d3ce5edb9dadd6a3c44a8782f15343fc1b4e021cf18f13044e0c6f13612de756057bb87b4ecbc

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
432KB

MD5
85369b67ce52d146cadc9274e555c06b

SHA1
71cc10ae43cc906adbd751a4ee10871ce32f55ec

SHA256
68ab39cf1b6e65094eb6835920e8836ff37c74488216239487f6aebebe40cf2f

SHA512
5bc00946a77787c369937d36bea4202efe883dbd6eeea8563d1ed3d7e8954e2970aeedf62be602921f144e40f87ebe0b516dc662d6d477b42078853f33ddd6c1

Download Submit
memory/1944-41-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1944-67-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1944-102-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1944-92-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1944-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1944-43-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/1944-44-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/1944-45-0x0000000077870000-0x0000000077908000-memory.dmp

Filesize
608KB

Download
memory/1944-46-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1944-87-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1944-52-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1944-57-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1944-62-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1944-38-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/1944-72-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1944-77-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2300-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4972-51-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4972-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download