73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
304s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
20-02-2024 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2664	b2e.exe
3676	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3676	cpuminer-sse2.exe
3676	cpuminer-sse2.exe
3676	cpuminer-sse2.exe
3676	cpuminer-sse2.exe
3676	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1480-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 2664	1480	batexe.exe	74
PID 1480 wrote to memory of 2664	1480	batexe.exe	74
PID 1480 wrote to memory of 2664	1480	batexe.exe	74
PID 2664 wrote to memory of 3476	2664	b2e.exe	75
PID 2664 wrote to memory of 3476	2664	b2e.exe	75
PID 2664 wrote to memory of 3476	2664	b2e.exe	75
PID 3476 wrote to memory of 3676	3476	cmd.exe	78
PID 3476 wrote to memory of 3676	3476	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\2100.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2100.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2100.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\267E.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2100.tmp\b2e.exe

Filesize
192KB

MD5
6ac4b534a8945150025756c2f85dd2d4

SHA1
4f8633cd78b9248d5885e75ff1b26ef27a196ad1

SHA256
2e07e008a86c33e31905b1f49b18245261ad08ed3463c6750d63502e1e20e43d

SHA512
303f0cd104441235da58583af1597994df43d0a2d55d6245e89fc7d8f2509915525925277636214722e922f2939c93ba95627d54a18105d6cfa8e606b2f3c172

Download Submit
C:\Users\Admin\AppData\Local\Temp\267E.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
420KB

MD5
7d51d2f1bd238d466e85139b6adf0ce6

SHA1
b065b9c20f5a3fbe0c372cf2b08153e1fcc04e2b

SHA256
0d9da5cee3305250cde2df09bce66297bb14382230279c3cb553a586324a9c2d

SHA512
c56aa338eb9cc764f152568650ede4b65f4582ea6fbb76f26443a5bb4e57c792a0ebd9a1f1b40bb3d4ac9969acc59ec86cabada692503e0f843aa979ebfc379a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
600KB

MD5
8076ae33dfb098ae46193a257ea0436f

SHA1
16fa20ac57529ffc28fb669894f9bcc1c5755a45

SHA256
b61e02c0bcb9ac548da003947a44629d478164e7154389ea72646d0d1c6b70cc

SHA512
a963b3c7bd21ba80b6430559c596292ec603d3d8541413bc8b0614c9513510bb730405014497751172e1c116dc48feb6f8ff0df6949cdecdeb5c2251cc26391d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
536KB

MD5
5bdea2b5e26e1950dd17a652ccc083c6

SHA1
382706249edc78bc8c0bc6d55570809590842833

SHA256
21a8ff0acc1f536ae46c433a840b1d2101e9df705bb4537832dbd5afc6683e84

SHA512
e69036c8f88b48d0e31f924d4b2aa9189acc8f4a509e79a7d08cd2d7979db8b73f00c21b9d642c060e570277b0a5bbdc427a53f3eb64b477737d1d159568490b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
375KB

MD5
601ac31380ccd90add19f8f06ce805f1

SHA1
48cc6bbe6179589e28af23324426efc71a056470

SHA256
92bd87eb75165e6ddd5d55f7085d65c1ae446e810ee2a3fbc538f1ba9fe18ba8

SHA512
c012eb7541e1762bcb01df205b5032ecc7df89b02b93eacddf7e79336228486e03341a32507e2bfb1422fd35166f4b55677567a4c8972054669d61d95a556fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
332KB

MD5
020b067b6cdba38269ea1c54f996dba5

SHA1
4816637e69656da745b938bbc438727974427fb8

SHA256
5e7aca0d617992df07d9cb878db7cbd990bdaaef6df080c991e8961023d8689f

SHA512
1c56708f5e493cf6aaebfa807707c9e55780ec1c1ae55ea10873e4dc3b7b9776ac5684b9ed6b7854ffd298b8db5d1197f9472093bb8a575bd5595e8aa3d01b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
308KB

MD5
5135f6bb0e1026bb5c7850bc6193f11b

SHA1
73ac15f9afce9d0b20de9954f56a3558ffbbdc55

SHA256
eda2b0985d6dd4e714e680f3b1d3e9c0da1bb8a192e2eb26d44eb5e86584cb71

SHA512
e367884c204c513e96921b63e1772775bc6af6b9a61f14e15e4215df73bfbed008b3dc09311aaee9358c028b4b1ff35e68d87190bc2578dbb4fe304c30ceee71

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
441KB

MD5
05dd54fe169659fdc0b652e8d753506c

SHA1
53a17782903452943dda6472eae1a8720315801c

SHA256
8c69ddbc48d6a8b72f527a2b9b17bf18cbad7c8110bab2ca1ed181002573c788

SHA512
e18749155b65dfcd1752d2b93b5951e3d98f2cf5be1f2fbee29218107c30ab311592de8bb642a08f4faeb8984593cb80e9a5187ca4bfed4005316f93961a9484

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
326KB

MD5
5b2a65aec668eddc1abbe8de4bcdcf47

SHA1
9c18f987f299b20b1fc1ab0a85c83a1889ad9f48

SHA256
ea6331312ca6c3732728e4aa6e0b2668aef9ad7048d66218342818f5748f71e5

SHA512
840a03853c92ea21fe8b1ceb5179ac71718a22235737b7035ef4fcbd18e101444345202f291e34cfe8096bd5ab923e0516e2d36761b78fb645fcb2405a3e0340

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
198KB

MD5
e9768a9e1b70710fb50b2e1f9ed3f5f8

SHA1
9ffe85ddc92522db05455be406756f50ffc7ae86

SHA256
497d942108a7d5bdd7e32cb34e82a015d3246abce6c12d78501a0c5d680f8495

SHA512
f9e04d832cac67faba34300fe93d3f2d436d8a5b3a78a64bd8f4a81cf41042bfe9186cf18a685c7325939a365e048e1bf1f47c5c8b5244cec21cd311b7e3c027

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
460KB

MD5
10d8200906e791b3031ef83afe6a5130

SHA1
031e8e104fd33729a3813b80485a056d05bb57d3

SHA256
3987f35dff865b12e9446a7f7b14a753106912020d896b2df018b505502627db

SHA512
655ff9f463a4d7f61e5b95f7fbd9ee38b436f5e777071430ab8da488b99d08801a4122b00cede663112eb129be04e421585ec16de65e26cfc6b4e91fdb68c208

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
356KB

MD5
77aa9e8a52ce9f8ca588f9209ab06463

SHA1
196f6a4a5b27db5c40f44043e264db2c1cb81ad6

SHA256
fecfa9a728e2710fdf4c160f0b8a00cebbb8c53e72b0bde6091cc46d4bea4e6e

SHA512
53b86f175c5a22e71ff3b8a4197cdccb19e8dc19af2c2d44f134f7447e01bbed42347e5a15ece0fa99b369a06eece3efa0c77a6906474cfb49ce448881879d1a

Download Submit
memory/1480-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2664-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2664-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3676-43-0x0000000050AE0000-0x0000000050B78000-memory.dmp

Filesize
608KB

Download
memory/3676-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3676-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3676-44-0x00000000010B0000-0x0000000002965000-memory.dmp

Filesize
24.7MB

Download
memory/3676-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3676-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3676-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3676-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3676-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3676-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3676-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3676-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3676-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3676-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download