73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
299s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
20/02/2024, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3392	b2e.exe
4892	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4892	cpuminer-sse2.exe
4892	cpuminer-sse2.exe
4892	cpuminer-sse2.exe
4892	cpuminer-sse2.exe
4892	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4520-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 3392	4520	batexe.exe	76
PID 4520 wrote to memory of 3392	4520	batexe.exe	76
PID 4520 wrote to memory of 3392	4520	batexe.exe	76
PID 3392 wrote to memory of 2236	3392	b2e.exe	79
PID 3392 wrote to memory of 2236	3392	b2e.exe	79
PID 3392 wrote to memory of 2236	3392	b2e.exe	79
PID 2236 wrote to memory of 4892	2236	cmd.exe	80
PID 2236 wrote to memory of 4892	2236	cmd.exe	80

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Users\Admin\AppData\Local\Temp\8F40.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8F40.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8F40.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9172.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8F40.tmp\b2e.exe

Filesize
2.1MB

MD5
6da43bc89beb3d314fd0f765c6dc0571

SHA1
38eb36a3699c840d29d5f58d3d683f8d5b600c5d

SHA256
8b7f21fd9e38ee4a60100fc4c595495118c2f2be534091f67a8bd0ba7d51e388

SHA512
43cfc7bebec884be9f53f08dc3b3baaf397032891cb8876c4f4900ce7fc3bfcbb240158e45242b6c7555eee4196d815495653593eaf5427c8fdc728c22111f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F40.tmp\b2e.exe

Filesize
3.1MB

MD5
b0ae4e005f2d1f341b24a42926ee5b19

SHA1
25d3ab55eaf0f0c5ac196b0c788121907442b15f

SHA256
c87c92b870b32ee15c55db4bca33e16cb452f0aff1dc29ef215681312b080c74

SHA512
eb9cce1f9840726cfb3dade07ca2e4f8c561222f1e40fe75ebda83af103e70707bec58f36e0777c60f2274549410dce5d20559aab7b3e7856c79d3f6fb41e5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\9172.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.8MB

MD5
73118edb1cd9d36c209709d8696fff89

SHA1
dd49474be8b4302651c400ff6c51198990772568

SHA256
061bcbd256d04f90cf13d5ff63b7a1a7bf71737d69ae7c61b24edd2a50f525cf

SHA512
1817a0c33ff4f439a14e203eecd2b96cf3fb3ef29961a2f9260186b1ea99b8f4b768263238f6d1280ce2a62c54f3623e35d264bb2c2de23853ecc36d2233c84e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
629f2562ef784b3c47c8f42407602eb7

SHA1
cb8a18f09a70e078f477643bef5e732a155ef72f

SHA256
82dd1d17f9c4bd2b509a5fe80c2740fc2025599125fe3d4e050d59953132bc6d

SHA512
1c5baf503fea4f5bb03493ac625b829953213e7a014b640a9c103f40fd5bb471837b23d9d7974087c043ac558a0108f6675ebc6d3c24da70e12bf56308c35dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
945KB

MD5
73d28d9ed5e900ca400a867aaa075eb3

SHA1
78c445266bdbb50228a799eab8331224196e7e95

SHA256
595ead78dccfa5afd31376f06e98d462f361ba8850ecf56e757fdc28c5ca34a8

SHA512
6fa06ce46c7004a5f346b683593b6e6b751053fdd2b25e00893bccf6e69bbaeccc3758c754b2dd802b141a3d16960ab9c447690a0b3b5ce09304b162508efd5f

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
699KB

MD5
8b664d3cd54e4f0097c7b09e73945256

SHA1
997b5e9aa09d5a73b622911f42b9c2f9d25cfd48

SHA256
ba219fb128c492a19b7e39a7233e4b5bc38029aec2428c2c29e43811763dd20b

SHA512
3f7c7092f41c4c9f4d16b6bef04e6a2c5476eb8fa9837f89546c6c784e922d0a3c98ca6dc4652affd650ef2d8ea8c375fd0545321373907e5a20067df9823ac1

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
8893713de60e8f9e324b3321140e85b8

SHA1
b32bd0fa29cfcb8de24a015789ec8a6872f334bf

SHA256
930f9d298a6aacf824c339245121419a80b90138edb4478bc02872fa5ad32f8d

SHA512
776cd6253ba4d62383a42232beef7173ddde163e55bbd384590fd67b893b7ae64e34d5114502c5a1a4b0b972b6a4852fd4902daf290702b0730225599c0eeac9

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
925KB

MD5
c7cda39ce991e70a0eac24911447bd1b

SHA1
c2325384f4804b1b88872f1ab9543efa0b6f09fc

SHA256
c2214512b6977e597a3639b0263dd292eee430da5ee4725ee28b226f9ea45dec

SHA512
7d921cb2888e833d8400002ad4c05922f05a78f592f87813c4632a8eacf7c5b0349ef7a441303513307c6610c17fa8a9446979d4fe075bdfa7f10be847f20053

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/3392-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3392-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4520-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4892-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4892-44-0x0000000001030000-0x00000000028E5000-memory.dmp

Filesize
24.7MB

Download
memory/4892-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-43-0x0000000070380000-0x0000000070418000-memory.dmp

Filesize
608KB

Download
memory/4892-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4892-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download