73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
20-02-2024 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4784	b2e.exe
4392	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4392	cpuminer-sse2.exe
4392	cpuminer-sse2.exe
4392	cpuminer-sse2.exe
4392	cpuminer-sse2.exe
4392	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4696-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 4784	4696	batexe.exe	75
PID 4696 wrote to memory of 4784	4696	batexe.exe	75
PID 4696 wrote to memory of 4784	4696	batexe.exe	75
PID 4784 wrote to memory of 228	4784	b2e.exe	76
PID 4784 wrote to memory of 228	4784	b2e.exe	76
PID 4784 wrote to memory of 228	4784	b2e.exe	76
PID 228 wrote to memory of 4392	228	cmd.exe	79
PID 228 wrote to memory of 4392	228	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Users\Admin\AppData\Local\Temp\CBD.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\CBD.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\CBD.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\13D1.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13D1.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBD.tmp\b2e.exe

Filesize
2.7MB

MD5
7977a9e47f5373ec08c5fe1f73399b8d

SHA1
420cf28ea15c3f2bc6ccc922382fd5c584a4e6ac

SHA256
1d3837adc76ccfa8a9fe1c01410acd00e3e0695ebd657b77a70dab6ff6221743

SHA512
f545aadb2031370e396982e6625d9b00532e4d958cc4a942a667ea990bdc94653e48919f1df44d285ceff05266b866e7d76c2d70964a8527f1cb8d35a8d2f9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBD.tmp\b2e.exe

Filesize
3.2MB

MD5
4495475d79f134b6bfca15b468335474

SHA1
77b41b4d08baeee4843f17c742c0017eb7573d75

SHA256
6383be467a85e17511d6b7a0e5f498385aba68bf4120f2dc92fc33ce8bd74fd7

SHA512
4ce296db6869c2b5e91b1f539f92e68db8cd7d255e3184dad04292457c3d24e28c62044e4cbaa8e76f048bb0b132ef09af3b8aaa94ce420faaa56f3c30c4f17a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.5MB

MD5
eb9e2986ae19dc1c154766cfc51730c9

SHA1
bbcc5ed61f0ce7f304516ba8d3a18bdb5d07ae11

SHA256
93f5765395826e491f24cefa705d7d7749a044f0527139f4b4ec5e103e81bff1

SHA512
433a96a3c63473ae654ec1f1c3ea751db932df2ddd98d7f08811f292c9e810f61aabb00cf0fd7518c189a2edfd5fad61bcfdef5add0844ad4b4713cfa6690fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
847KB

MD5
5ceeb028a53e867bd75e54650c6339a9

SHA1
24b84bef8ea6c3f4abaf6b5b5ea6ce0b8cfc4e46

SHA256
5c6590744decb00636813700f607ad10a50c4247c2744c7e18d04c0f639a8435

SHA512
5d753bf8ae12fecb513c6f287f84f1deec9d5067a27abe54ead0cc2dcdb9ea456d2ff55c5f935bdf4450adb1f872e3bd97e0cafa9a02900ddbce3863cd65a05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
859KB

MD5
df02c26456ef7afeb5b122f2939c4466

SHA1
63641f7bf60958c79505255ea5b0f6dfbb3bcab8

SHA256
818828db13c4bbb29615ce57d93ab24ea5114e5e1c08a17920544a89ebabc42c

SHA512
3cb85e9199f440a3f7b7fc40148a25671acbfe4c0072b11ec24ffa3595b551ccdcbfd8d8ae0ae27ac377319a8b9e994f5a99484f95d35cd385cd3432df4a1190

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
929KB

MD5
8c52c64e26b5904e5d5132319d9ec54d

SHA1
64798ed2e2dfc8c5d0a5c1e95693a99640000de6

SHA256
648f92fc14ab4bfce05e0f1346c1a700a10a5eafbf3fd7cb1f4f2770e9f2a930

SHA512
768d3634294b1b80acd984c5e16491970677d1113d7b2471c4f79b6d55c88e10cdba3c7702bf3b5187da96371be8c79cc53d223b2a7127c83380a0698262632b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
516KB

MD5
99d1401027be2fdf7f70d479eaaac6ae

SHA1
a13b9c2c891efaec943092a75c9055ccd850cf12

SHA256
b86f08aac03c2719b113ae9c618d23977c16e81a8f0e1de1cde708cdd8067f23

SHA512
cc2c2f9de3e6f975b90d9eca24306f8cb0bbe1f95d525e27c4405ef2027dbab1470e2ac0d7cc227b6b4bd4e29a587185a9b0aa1ac6e754f4881678d6b9b3fb57

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
771KB

MD5
fb051de11ef75ed1f79005198f821776

SHA1
7ff3f4cb7b68871e0cb09b2e16c74dde9ffafc25

SHA256
88b70d0e66f3de53b285185f36b4da7147696ba62404442c8b34cd95715c915d

SHA512
35932280012f56f7a176c33abe5ccf23ddafb6f08f338406f13e75c8b8e20ff17c2497f5452852ed4ecb7ae3557aeb12fb9c28ef254be688b71ea34df4dbb373

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
731KB

MD5
ab73c10acdddf650b8b1eafc6ae606d1

SHA1
c418075d2c892ab74faa63167028c50610da8be9

SHA256
c8560ca3ecbe539a38c5db9691c7ba5a434ecb7840e2c86442a5ef164431221c

SHA512
5b511730f21282738d47c2dd14f9d06c95450921ad333e916f5c9a08f3c92eca90421efca47f1dd89f4937172a41d03eb1d8ffabe4e0a756c78c4b2b93c2e3ee

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
820KB

MD5
833b8bd6e9dddced0295303cf59ad57c

SHA1
02a2efe73a384077e9cd783d8a85e891666c2622

SHA256
36d26d63f9fadac2223580ccc30dec836d61ca568263ba188fec93d41cd59190

SHA512
0735618d016c5f19dba168216c4f48de993254497076bd0c1ca02bd49057cf2a53ed09d5339c60a11428cb61990d8308e835edc61f781b088eb58754825d8ff5

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
540KB

MD5
92beadf5fff5998d1b3903986bbaf557

SHA1
2fb1d252d111b0fbb9127d12798e85182e963a34

SHA256
6c7c842c3587ae5f5106172f1a8eaf82d48c0611a90d32d44a92933e599f54b9

SHA512
0795ff0564fb9900d9a2e32bff6dd6509a86bfa82fd69cbf149b9a5e6d5465faa68aeba045cd1fcff1e6b8fab7789beddce42e5d3d2501e9e7d37470ded02f21

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/4392-44-0x0000000001160000-0x0000000002A15000-memory.dmp

Filesize
24.7MB

Download
memory/4392-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4392-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4392-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4392-43-0x0000000070ED0000-0x0000000070F68000-memory.dmp

Filesize
608KB

Download
memory/4392-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4392-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4392-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4392-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4392-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4392-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4392-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4392-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4392-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4784-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4784-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download