73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
292s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
20/02/2024, 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1224	b2e.exe
516	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
516	cpuminer-sse2.exe
516	cpuminer-sse2.exe
516	cpuminer-sse2.exe
516	cpuminer-sse2.exe
516	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2180-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1224	2180	batexe.exe	74
PID 2180 wrote to memory of 1224	2180	batexe.exe	74
PID 2180 wrote to memory of 1224	2180	batexe.exe	74
PID 1224 wrote to memory of 5112	1224	b2e.exe	75
PID 1224 wrote to memory of 5112	1224	b2e.exe	75
PID 1224 wrote to memory of 5112	1224	b2e.exe	75
PID 5112 wrote to memory of 516	5112	cmd.exe	78
PID 5112 wrote to memory of 516	5112	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\BC0C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\BC0C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\BC0C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BE8D.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BC0C.tmp\b2e.exe

Filesize
6.9MB

MD5
494aef58e5e7dd80f43fdee5f90435cd

SHA1
f5047984316310491313c4da7dbccb139cdd1907

SHA256
802e236d84848d05d2f1bdc138ca9625e99a2b1684d45bead7d0df40cca0a6c4

SHA512
e9fb3d05b55cbed47ed29808307a629774506c8582865aae64899a55c244cdb1ed622189190319df3ad39474b14bd30379a3824fb4639082a4afa284716fb1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC0C.tmp\b2e.exe

Filesize
6.2MB

MD5
4a327b7ca9cbdb49e169ad49b95e4c6e

SHA1
8faf3a97187084056b157e3a4f0a8760e96aed56

SHA256
9d880a43136aa13054da95b37a10c8b44501635cbe1926e8bccf93519d5095bb

SHA512
09cac7e835c1892544a71b2ffd625f51573d499cde0fe35b3c31d8ae8a0553486bea3fdc7e46fe60747e0ae3247a01d82b713f96f4c27ad2a68e945bf398e987

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE8D.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.4MB

MD5
f81c7325bd804cedeb292664363a4132

SHA1
7d83871d3528d9db031e52876d9b7bb26617b92e

SHA256
e78f996f336e2d2815ee06e5ecb7b40553c8a8b337e71ecd774dec4dae94514a

SHA512
cbd2b1b9e512ee038d0ec80928233141f2e4511c0b736e84e265621322d1fc5cecddfd3d0433714d108f9a7fc002b56fd9afa0dcff4b597723935079a008fe16

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
1071a30b8d125c6675156cc05e645fe0

SHA1
ea28e11d0f4799be9577e5657e6f977bb56ed2c3

SHA256
56e5d680822d2df7f274b712163e96af9e1bd851c26f4bcbd72df3dca3603add

SHA512
b96ebb6c120bd738ae16990988c5722baf540e050187675c3c61758eb2c08a9c879f760e63ccfc2121851d7151947ee37b07c3c74413857a6a0c0da547d5ab4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
1d72c734a0a7371e376a4a1460a49f7b

SHA1
5b93fa2170b101eaea57668e06664fd96993cb99

SHA256
e811d4e1037b3c3454b339e025c32e7c9cf443bba772304c15457d03f743f1ff

SHA512
3852eeeefc3b00133bc521ed331ca3595b78d25987ff9332d94f94d43f189498541e58813e6f2b420a7cc14666f4b1ded150b4f3cb3b0de3f9e5e8b8f3de45cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
485KB

MD5
dd8bcf6a3da553f37dde2e5155818077

SHA1
92aa0f06afbf10f01475d549ce0571346f369d74

SHA256
4bd6d4358cf5d014602a728cd2eb08b7b56990e33d0983695f73329ef6bd88fd

SHA512
7194e8256492dff14bf470c0cec6401e92845686b341fbf8171526adfd05bfaec3d59605f445db3879fd461c702463d40c07f15083eb2c3846ee5a897bf9d172

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
1b13c3c1d872950c05d5fb80a1632131

SHA1
1b17cebc9a607d44944dfc52ce7402e0da3d0793

SHA256
89cf04f8796326d55471b5e6553d6abecaf26a52f9efa0b0d84a57f11d789a97

SHA512
dff4917ebb8b1b434a4782e643c053219c827e4e9bd5d3969171da47f9a27a925d8c33e418b3d83430cb49433f73c20c257e0fb71a2c6de1998bbf61e3e1cc75

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
4ff38c30ac58e111003efc02a7e2a509

SHA1
e8aa835fb1e833a267fd71de8a2c547e8e1e3dec

SHA256
8e3eb4a98ca5c1e422e2a3dca268929f85c681385f5605f32ea90bfadde011ab

SHA512
96d6f78deb371d42ce05be67844c500d2b19ac2012e3ef1ab84992e60e91f8dca69151adf1924d808dc41ad5e99a0465a3445df3e06ac67dcd2834aa414d3daa

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
640KB

MD5
4ff6a857c959222fad49ff3e14adf404

SHA1
5f0bfe1941d6ad74fd3c6cda0dcfc7376092ed1a

SHA256
c1d2a81f6172465878db699289e167c609ca7c3b2888367bb6b4c38e59b9f812

SHA512
02074dd7023a1eb9653df317fa834597774127bbde8604399fd2f08be64aa0856feac9757a2d16504a4c2dda50daf5e0daab8bc61259faa0e12b01ba7502fbcd

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/516-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/516-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/516-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/516-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/516-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/516-43-0x0000000073DA0000-0x0000000073E38000-memory.dmp

Filesize
608KB

Download
memory/516-44-0x0000000000F10000-0x00000000027C5000-memory.dmp

Filesize
24.7MB

Download
memory/516-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/516-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/516-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/516-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/516-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/516-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/516-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/516-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1224-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1224-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2180-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download