73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
306s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
20/02/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4652	b2e.exe
812	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
812	cpuminer-sse2.exe
812	cpuminer-sse2.exe
812	cpuminer-sse2.exe
812	cpuminer-sse2.exe
812	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1552-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 4652	1552	batexe.exe	73
PID 1552 wrote to memory of 4652	1552	batexe.exe	73
PID 1552 wrote to memory of 4652	1552	batexe.exe	73
PID 4652 wrote to memory of 968	4652	b2e.exe	74
PID 4652 wrote to memory of 968	4652	b2e.exe	74
PID 4652 wrote to memory of 968	4652	b2e.exe	74
PID 968 wrote to memory of 812	968	cmd.exe	77
PID 968 wrote to memory of 812	968	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\26EC.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\26EC.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\26EC.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2C5A.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\26EC.tmp\b2e.exe

Filesize
1.5MB

MD5
2a089e8bf6578017b5c976d0dacec1b8

SHA1
111f721c4eb9edb2555114a6c8d95d0bac6bf333

SHA256
7c38ff410d155d55353f7c8d0ccda5c2f63a97eadff37a99228b2cff8efddb50

SHA512
5efbe1daa3034284f68f7045fbbd4e26276165f60dca93d455772d5727deaf9ebc059a8b7b0763c6d00243fc8bbff9a197556837e71a1ecfd71e6919b8a7ecfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\26EC.tmp\b2e.exe

Filesize
1.2MB

MD5
7b0f4c1d8506067fce25df5de733bcb7

SHA1
053b618c2012c6895e9709696395951acf15c165

SHA256
dd9a3eca69a73709146ebc228a433e0fef43ab6c12c2280725d798c7b494216a

SHA512
45ca44d04c436082073475b0bec73cdd3df1f0cc670d9a3d5dd77fc2b3b60ef870af5912d27269107222850b07234060eefb2d272b96de1367ff544cac506618

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C5A.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
385KB

MD5
d1dc4440cf1fe9f42f7a5caf77de782f

SHA1
81dddf9aa8bc5c0c574d16fdc426afa2937bf0a8

SHA256
095b3d6081ca9d9c721260eb1d4d7d4f3adfa6c5ee9a77b4330e77a71f460c77

SHA512
dadbdd8a04aefe8dd018520e101865ccd175eaa7e8b5660c6fb4a59bf7bfdfc228b4a5f21814f7067ce4033508853dccf0c3a3ed72f4ef2db367aec93eef371b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
588KB

MD5
d9b54c00514d5a8c9d44bd002442d80d

SHA1
11d8247a92fa953155c656f773aec2ac0d8bc52d

SHA256
4cfcdeb0550e64356b31dcee97f29d0c4ceaf55d3c4d33e137f74a3ffdf4c1fe

SHA512
f37c94e57f7f68f6374ea599c5900475d7a105311a504c2386b726a242b821eaa90b8c695fa71e473149f56c64452087aca107c7ce4d59ed2b48f44469179992

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
531KB

MD5
d0574e5228f45951e9a207aa603d0733

SHA1
d3a09ec5b32e4528f528a2d1fb4ef6e3803ef7a5

SHA256
02e21e698fbd563efab7f3756defe40db4759964a13f806bab8c87bb264bb72f

SHA512
2a3a89d09f6e928f765771a23008ee268022cea219e7787989b13d9e0c1851cf9a4a3fa7bb1e41ad05d25ba5bbd8a15886c5b0ec2934b922f5f6a3476fcba854

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
349KB

MD5
e725b965f56c8a6329b2ea930913047f

SHA1
7b007705802dbc0eb67af88beed0bc00b7663837

SHA256
aeaefd5acad5b8973d1c442ba909083252141200cc17d6ac6a48f334e7710658

SHA512
dd355af0d9bb44e75ff9e45a3e13417877ce7e413eb5850aa96979d6aeb8699bfb2c4dceab46b6a0bfbdc8d943f7e2645d1d06e72362443c4e4c420a342f4f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
507KB

MD5
feec4df722f9744ebdab5e47e2d0d567

SHA1
b77bd6341a25a79817ac1c9aee7f88b1cca20850

SHA256
6419b0be4e22d509bb52f08cc207d5f5fb2ba356b44ec41b7c00ed400660bf57

SHA512
841616fbc2079aabf6c9746b30187af848be387e5705bf811eb8ddce4970145f6c79c1fae80a009a881b07f9a2f890c32372cf60931fad1859a92748b906ff89

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
384KB

MD5
eec15153c344f43f1919cb379b9ee2f9

SHA1
3e4a09390ac885ea2797209603bcfa1ec6ff0cc6

SHA256
4e4d7ecae87e8e656c61af89ef17146baf33fbf09ffbde6ae971d04e8e8f9222

SHA512
7cdf3552341d14979838f8fedf9ac63482152f193ab8f7e0af281ec50b2a43312d78c0e22e79989818c5041538fa69769350e1e6cf0789a165be1eb11ee29908

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
589KB

MD5
896778e805fd9e72373aab3c43df9237

SHA1
0ed9dfedce62922b1cd2023c4078ea97d642f756

SHA256
f2bd126fb14059a46f3f2a5ae811aebad60c86acbcbdd66b82886f102ad681f1

SHA512
d64ecf52922b1fa9e68280f6ce252b71fb59005a749fe7c1b5de4782d4f507ac1e50c52b8fec4b460e288948cf0cce385f4b819b1c842fd85c7147d3ef436d40

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
477KB

MD5
f15212540a65077c284979bdbdd8e3b3

SHA1
6f6b48e3f7e36d59f63ab872b3a8636c3ffd3156

SHA256
8b689f4686d36d4d13921904ecf3a10078060fdca92c96cdd5f18bfd1807461e

SHA512
ea003d4cbc7b248da56287d899090dba3111279c771e68bf97360a2db241f6361cf38fbdc22865ac1d4432c7e2ccc484e61980d89c27754561fd0bc7e8ace2e3

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
645KB

MD5
eb94894d2f7486226b31ff1041a4cb7d

SHA1
59cd6910c33d6b6e452918d8dd26edb16b496f22

SHA256
df47f42a36a60d622259f310e96a7ba13d386f3e718eea887b8f6f450c1eb583

SHA512
f65e91cee6ed3c012162d97d30beb136966675bb82eca5e3c15dd817ec739202ebc7455eab26cd8e85486525cb4f578b06450cb0cb16219a55f377c3922b9e1c

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
267KB

MD5
80041d729d8dec5efe00998dd0ed9267

SHA1
4eac87819ac7d620fc37c8eba3330dc707089455

SHA256
e4414ab9cd1ebf1ebf2fd9a07a97617be5f2b5bfb33f0ceb3959ff8b6a4c225b

SHA512
f2a03a78bb600a191d42a13eeed64eb97c7b79f4b65548f92d8746565c14adea595710af162221eb152d27308cd490107795be9b0b2be723b8ee83a3cbf0cf85

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
350KB

MD5
f8fb5aed8c112ee9f1cf94290eef67e0

SHA1
75f26e036e92d231fbac7a79ebdb09d2feb83edc

SHA256
d3c41f3179fc8fc60ac1532300bffc28a9f8c1d5da05f4280ddffa57417faf0f

SHA512
0104731192490a84637cc0e467577e4f4acc1220a3adb59f5a5c01368e731f2c22aea18336d0aa98575c9620990362c841047e3ebb1a5843cb8a4d4d60931a2f

Download Submit
memory/812-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/812-42-0x000000005D8A0000-0x000000005D938000-memory.dmp

Filesize
608KB

Download
memory/812-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/812-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/812-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1552-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4652-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4652-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download