73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
297s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
20/02/2024, 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3780	b2e.exe
5080	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5080	cpuminer-sse2.exe
5080	cpuminer-sse2.exe
5080	cpuminer-sse2.exe
5080	cpuminer-sse2.exe
5080	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4000-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 3780	4000	batexe.exe	73
PID 4000 wrote to memory of 3780	4000	batexe.exe	73
PID 4000 wrote to memory of 3780	4000	batexe.exe	73
PID 3780 wrote to memory of 2396	3780	b2e.exe	74
PID 3780 wrote to memory of 2396	3780	b2e.exe	74
PID 3780 wrote to memory of 2396	3780	b2e.exe	74
PID 2396 wrote to memory of 5080	2396	cmd.exe	77
PID 2396 wrote to memory of 5080	2396	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Users\Admin\AppData\Local\Temp\C61F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\C61F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\C61F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C9F7.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C61F.tmp\b2e.exe

Filesize
3.0MB

MD5
42e52d2aa6e0aa4e0a6cb435f3e72e32

SHA1
904d518be9644114eda76add80ccf585ee238731

SHA256
4f8c614822cb12e7405d484d8ef1c5796fe1002f4e20867e761623d6108bd5ed

SHA512
c5bdbe9278322b817f6744ed51e93d2a5a32b7285a5d8506bd7d6578fd432f43caec54c5ae81074a06b8c2b4a36ad5ee4bb6e817698252ec8df1406ee68916e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\C61F.tmp\b2e.exe

Filesize
2.7MB

MD5
c750b3d7ba2c8e7227e2291ac3737db6

SHA1
c94be97580483c7b01b7e357cf361508fa3c12f3

SHA256
08b1129060f4e12348673c26b1e5d5686b889f110c692396958c2e21cb068128

SHA512
8bed1a58fd5034b74d5db953b4a34faaa63cd458839eb86c8f9c6eb8f2220cb817274af5d0008e0155b2066a73cbd1d8d37abba950a285647eb701d9901304ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9F7.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
890KB

MD5
ff36c99984e58c45990bd31a7b2a3a10

SHA1
cc4ce9a6ef4904a3ac02c6ee673014f252890db6

SHA256
0194b36359d02e9948f6e127894187d6477759afa81a714e48426aea690ef7a7

SHA512
2be2c83695921bf37d63b0ca6b95f74e9c386d62a7196f61d846b4a11d76dd23ec31fef4145801acf66143348b36b30ed07a52a1ae5968d5779cd8fa91b293c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
490KB

MD5
33c662e660755eddadd1ae53256abfa8

SHA1
6f3e0b3c43820acf3547c15a248dde8f8ea39d9a

SHA256
763d96c2ad1765dae769bba3770efc34603a721b66702a63f10aa1659fd59417

SHA512
d3110159f1bacf01d70b982aefff614cf90b752531dc24bc27b20635a5587ba73bf00be45dc74be76183fcb5356c7423ea606837209bfea4b2ac34fcff0049c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
395KB

MD5
7e52178eaff380e1a851e924a3cd8666

SHA1
fa50df0ae001fa627fc58571ce3b4e39a05eb9ca

SHA256
fa556601ed933b107837fd098c7df6a152af624eaba256c0b41702a938e4f272

SHA512
e00651ea4660c7636cebe61c1cf12ecb4921e5d604d45b68aaa094f062f399259d1aec6ed70e9107fb608e3fd62b7ce5dc316bf69efd6c38b9e1e9d27cd727d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
896KB

MD5
4ece07a08273d0d0db84220926c3d32f

SHA1
d90712e2e643311a963676e87f6afad0c421d895

SHA256
d82c02350e5ca5ebe35d4349a16c3c9986aaecd8be71c05a00b1af09039a4cf3

SHA512
fa010b4c3c0e6d38bb281b4541c0e8b124e05d2feaa6dc11cb6e9c1d85145d5885a5cd61c1bca283f2d9f30295b197343311306acc9d5393aef64793067cdcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
295KB

MD5
c334ebc5e03a54616727f8905f0cdd9d

SHA1
bbb6cfb6ac64590f98fb45d7892ba9392948b274

SHA256
5838b2457963df5bba611602064db516e9600182e19a55d295ef2093f1b8779c

SHA512
5f88b0f43b5ea9b5434fcd7ec308bc8cc1fb053f0e9165e00c1d2b7be91957e44c84f6f6e42dd6348b7eb8cdb4a3c5477cb5012bf229c9b926abd6ea65fddad6

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
624KB

MD5
39b5ac16a57c955d3388a5635be08ce8

SHA1
4241fe408a8d65c0d892f61c6401859cd6b6c5bd

SHA256
465e7b25e9c6ad5d005dfced8a8cb8f9880688f5f9752aca952ce40e100bba61

SHA512
fde5002039fcfab0d006ecae98bd8c4186c6a2f9287f7ff8bc306ab37e2b1c863d0533d8a3407d23ab8a45f96df4e376aea8310803821352453ee7443784e971

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
520KB

MD5
3d898c90c928381c7dbb5f38563f45ad

SHA1
e994ec1a518ece9b1ecef255e88340e9c179215d

SHA256
55561ef88654af345b836bb5cb45e40e16eb14ac3282af6b0ea4e24b1d7e93b5

SHA512
a0f5060b617604b75ed543fdbbc3d6171e03ebe46b03cf1b60b8909cf4eedada92c0866dc00ab5f1430a7543eafaa55af0dd51e32ec4d09011e051710be3e7b4

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
78KB

MD5
1403c58e0d7eb1b0b4f09ddc4fc7ff74

SHA1
60d6ba60490b98d75ca167db8ebb079221b486ae

SHA256
a23cb57eb73f98991bed5df3bc3aa68a43ee52a9d4ca25c85c2530246c1f7e77

SHA512
f5f16225c4a89d76134a9c81602b6b2af46691fb3670d1c2d21bcab8b85f8f99d69b24eb307342a07e75cbd0e348a096b81369c7530e863dde77e3b4dbaaf47b

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
432KB

MD5
dc7f2cd840772e8cd46a25b25cfbabbb

SHA1
7f96430863bbfd6f32023babd6bec692cffa863c

SHA256
4fe8caea92f0152181a44615d8e6d4683cdb0f5ef761fac387af16fb2e5dc7bf

SHA512
f5c8691b6b3c01058cb6a8d3ff532d204eda9c482cc4ab721b27cf29ceb23d7dcf07cb3c4341cab58c3eb4fcfd5c8d882cca030147ed9837f19d6e867bb6bdab

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
205KB

MD5
667af1c0fb30d5c7e3b4b61dbd908925

SHA1
956ac4f10709dc914aec48857f99f7cd9c48661b

SHA256
20889eadc2e34deb73e2f129d78ab3442ef0a5db0042c20ffc4c214444a5ba9f

SHA512
be40c03e06c2e31bb1f56fd4214daf09f2021c6517c946cf6a921c67ecb05f86652340ad6aceaa19d60b1e6df13b5a98defa3059d55aea47ac4e529ee9714c59

Download Submit
memory/3780-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3780-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4000-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5080-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5080-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5080-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5080-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/5080-42-0x00000000519F0000-0x0000000051A88000-memory.dmp

Filesize
608KB

Download
memory/5080-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5080-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5080-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5080-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5080-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5080-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5080-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5080-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5080-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download