73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
307s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
20/02/2024, 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3060	b2e.exe
1568	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1208-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 3060	1208	batexe.exe	72
PID 1208 wrote to memory of 3060	1208	batexe.exe	72
PID 1208 wrote to memory of 3060	1208	batexe.exe	72
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 2336 wrote to memory of 1568	2336	cmd.exe	76
PID 2336 wrote to memory of 1568	2336	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\D2A.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\D2A.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\D2A.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1289.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1289.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D2A.tmp\b2e.exe

Filesize
800KB

MD5
10d1e6292096be7394fe6bbd8820cbf3

SHA1
87db82d8da5cbbb4d71595f5a9959bbac3e4ee39

SHA256
7bc802a9cb6f82746285ab9fab39b82120befbf75dc9d8e5b3653a57a8778011

SHA512
5c0abc00a96882fdc08652d843c42db7ecda0c24c7aafa01b676711ea8549dbf961f306b3a73c83747c1568cf033514b7a758e74b2ef04ef4f0fe09f84936fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\D2A.tmp\b2e.exe

Filesize
3.9MB

MD5
cdc6460cb35ce5d9f73f63bc9773586b

SHA1
2b227431587364d63b5460b87fd5da88f6afe947

SHA256
f8f4ae802d793b79e4bc16c5957f765c9d300b79b9195a12c87f9b721fc2dc40

SHA512
5c525078b75c44ce010cbbd0d9116184528e25b12887365923bb9591eb1180395e1bcd6299361f822a0acbef2498c861827006bcbab04fa07137f15faafacbeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
315KB

MD5
7e6346221728a96d17813bae26785e8c

SHA1
89b669c45c706f4911991746711e2d8f4b5f368a

SHA256
a9bdd59e02f888d2fdbdae065deb0259ac5523f0f314e8de26e33f0a8b11df8c

SHA512
357a6da29ba138bc218877f448f4bb9660edd5bf40ebc26a02485859c55cdba778e1e09d4ecb39fccdd2b7932384fb59c6c4d006642416c9ccbb05b516ee6397

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
434KB

MD5
bbbea104232472369baea11ad036db03

SHA1
fed804587644ed1ee50d301a819b6111e3fc34df

SHA256
d20d04d2457bf6b4d95d6cb082c59a0d609ef68e6644b98a0d97bf8df2e603a8

SHA512
b8ef36a4a3f0b192e6c64992877c35a13be67d25d0c3d9e3bc3e05255827b9a2932e96e763032644a220f88b7ba51f1d1b06a868ede955aacea1d4519142326e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
368KB

MD5
7352848a20eb67a26201670557712600

SHA1
52906198afc0647eccbd61368a0b44da0daf3aee

SHA256
f2130fbce868baaa64570e59019bc73450ade8057de00fc816cfaf4260a09416

SHA512
c5da9cfcf3f87ca8af3c729fcf6b9a9c9dc52d91f3ba5d6f582d43220299d7c5d0a192a3f5fbc2ad8d18317de2afffcce5c18494a5f9541aa57cfd513fd558c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
512KB

MD5
6162b21c54b88c5c990e82aee951ebb4

SHA1
477384ab8ebe5f5a5d5a91603736d9ef53c12fd4

SHA256
462eb68967c7205145d0b92e4f3b69297f616187b07a189178f35f288063aff4

SHA512
6264ee49c4b8a6eaa69241e10ff9ab39445f85a57b756b8bc0530b45d77827d05e669dc06b689d4693db34e4161ef11b2cfe6f1954b0b90bcd434e81a938a40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
154KB

MD5
61c3e2812e424e809a77c374493d9e1b

SHA1
1a558e90d4695551bbee55df275a9372f9daaf66

SHA256
10b05eee90572505ed7aa8c4a1272dac97dc0b1627139dabc19b5c4bc1021c95

SHA512
23118cf434ae8b2802e991a6a2836fb62f77a65a2509471eb6ffcf727605a23b9984119f5fdd52a2c4a5d9d06db1b7caf1da12e0ca82901d2b9b2538b04605c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
390KB

MD5
742b0a65f815a896487830e248ec1781

SHA1
88faf230525da34d5d4299d30fad0a10a8eae1cb

SHA256
dfbbe4f9f15f72eab041f8fdf322444866baa42be20e3211c843eb6ce191f18e

SHA512
9a58b06dbd3a2d0fe0b1edc1ca1f217f7a385cec2ca8b7f77b2b2b278e8da589a86a29affd7fe3c13a2ae0bd613a11c8d1349e735191a0316cbc0d8526693289

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
288KB

MD5
8a9ad479b0b8a38383f61dda486af16f

SHA1
14af154e4caa3b4d0be56007c5455b14fc218a5f

SHA256
481e4f9fe5f97afe1ba9de62665a2369bfc76fed2ad19dfdd88627a04ba7e921

SHA512
a92f3d8a70dcc9fccf8401f02f2d5d397e33b9be8bc92c2d16a4be3fa4f9ea6cf7741eb3484d9057c2f3283ca923e88f4f437b7cf7863ed33fac0506dba16f24

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
454KB

MD5
2325d562d485475effc77bb0da3affce

SHA1
f99e2916be99e281f8bdb78732d38901fb2eed19

SHA256
67551a436af516741d2391f208bd22e3c1bdbcd72c1c51061dde6d606ff2ff5a

SHA512
7189a384d9b997da86423f2b349823e038d1889fe69f2c0b239fdb6ec26852b205335dcdb6108cdbfb732c29ccba9a9d86f005caf6b5a76b537b023bcb79fb8e

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
381KB

MD5
67c66ae698515d1cdd0345aba3cce164

SHA1
4abd960826a04c437913a1cbb1338cb9be4d7710

SHA256
e03e42ee5866e29bee892cb831aeaf796cc4295e2587ada6961cd72db934f23c

SHA512
df986b0f224e49c0bc9aa8d356bb047cac7bd7a086fc6f7501eb497e01ccacd358c805facb63b289a18f74e5abc05ea231ade15dbff92702a4fc170c5baa1039

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
311KB

MD5
e03518aa6b8a7a03f61335b1548680ba

SHA1
c666387769717e7e37eba643b150830d5aca3d2d

SHA256
4635632440dbac73ecc277758a097ebd98923c47b00a472bdc16229163980404

SHA512
a945df47dfcbcd9594e107f54399f2f64bb229d2e64461b97f383d32efc6e33fbf00e49e21e00bf196c339a6a8aa62a523485a0e57fc40d5dbd4f94dc1631bb9

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
296KB

MD5
1ee3d8012c9b2a1dc49c8569c7cc7b18

SHA1
77eb3e2424550719217f440e5ef4e1a32df19540

SHA256
45d0ecd5cd8bca4626446658fb715e7bb2fc1869be17894c0cfdb47ca1c9b6c4

SHA512
be1a8a1e6cc0b0200a177a2ad5a6a98391f8dbcefba30979a4b3d1dc6fa06746420af7af65ef0204704e4053708f5389dbab1fd708d8297862365770f263275f

Download Submit
memory/1208-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1568-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1568-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1568-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-43-0x0000000074E60000-0x0000000074EF8000-memory.dmp

Filesize
608KB

Download
memory/1568-44-0x00000000010A0000-0x0000000002955000-memory.dmp

Filesize
24.7MB

Download
memory/1568-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3060-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3060-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download