73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
308s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
20/02/2024, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1252	b2e.exe
3260	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3260	cpuminer-sse2.exe
3260	cpuminer-sse2.exe
3260	cpuminer-sse2.exe
3260	cpuminer-sse2.exe
3260	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1480-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1252	1480	batexe.exe	74
PID 1480 wrote to memory of 1252	1480	batexe.exe	74
PID 1480 wrote to memory of 1252	1480	batexe.exe	74
PID 1252 wrote to memory of 544	1252	b2e.exe	75
PID 1252 wrote to memory of 544	1252	b2e.exe	75
PID 1252 wrote to memory of 544	1252	b2e.exe	75
PID 544 wrote to memory of 3260	544	cmd.exe	78
PID 544 wrote to memory of 3260	544	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\245C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\245C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\245C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\299B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\245C.tmp\b2e.exe

Filesize
1.9MB

MD5
b5ae88e85e1084225ce0118ce701db12

SHA1
d4b5002d16549f82c16ef027005c52a58ec9d8c9

SHA256
0a02515a7262451015ed48e82191dfffcb03d31b76f1c8fca7ba337acfef9fe8

SHA512
5dafba51677f3348a2f19eeaa82142c9aeacba7b4e4d3a6c28bfaba21622842b30086a3036979f16da7a241419ca4c47752cd58a0e42f7c68aada32f59c48e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\245C.tmp\b2e.exe

Filesize
1.0MB

MD5
33944d6ead33ed643982caf02982b269

SHA1
9264ad597c43ecf6eb8762fe9d3711fec25048fb

SHA256
b8bd9f5acdcfd16ee3ea40b3830762c654245df05419a2dd078935ffa3d69364

SHA512
4edb393e02b70dfdd3213d9bbef42aaef9b07f6b247ec8f2afcde401014755d542ad18dd5ae432af59ac5ec0527a8e5d1493901bc59fe55c701e6ed061490a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\299B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
667KB

MD5
8e9588300f062e81e4346d28c3fec882

SHA1
b6c3c93066d52c3055d31974562e9561c4c4f9b3

SHA256
750018bb424694c0f2324e0f242523e509867750ed20b90b8a58c6d943345444

SHA512
d65cb03f1d9b298675d1563fd15ab28566b71a62d62d477b8ca027407c7e26d504ad0ba0b9c837c19c7f9df51ba1a72a9e1bc45f55e9fa6bfec8e5b4923d7a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
614KB

MD5
ad97da8b545321668bffd04a36f3a244

SHA1
454240b3ce42cbd1d2baabfdaf670d8e44fa403f

SHA256
4e5a97af54f32f9ff7a5ccea48269d28d52f3f6375edf6c41c90a10d15a8c32f

SHA512
cd4b921fdec8d27ff8586c16f80747be01c1a6be2131f533fb7c9b70e702e33f9c4e934593a73d19fb22bb4b321cf58d55786e9e7882addb9f86de716866499a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
427KB

MD5
3b293cba50d003f9e5421827bfbf96c2

SHA1
93b15447c58d3b89d6808cf13a5ec669e8bccdce

SHA256
879a9c5215638ecf6ea7120afc996f2b24275a4ef53eaca15d9f50e8a8ba21b8

SHA512
8b2cfc714b936547de8a71b8894e4facdb55a3713963041d0a1e541bba601a59340751a6fc4abcff08eb817bded44c9df9fd106894103ce543c2d31e5b93950b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
701KB

MD5
84beccd68a2451173bdf2df373ba41ec

SHA1
deefda73572b65662a5a88d59cbbb96e80e5e3f0

SHA256
8e09922bcc48fe7c91c062f76e7382b6fb1242dc5575174e42468c7854e51078

SHA512
9f0f09c5ae316fc2b83c2175ce86545c12b4a0a6a495249df7f6369988ac86d11f9508c035e9988c076265aac04cb4f3551490dd7e217dfb3c54197df9f7df1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
627KB

MD5
c774207f0e774957239e8d125bdfe8a1

SHA1
6e94e9c8afc82b49987206cec429a11ba4e8c9da

SHA256
8874e9f8f70c520dd061ea6fa45af025b95ed6e0fa85c13120409a1f40ce33df

SHA512
c46fb835febffd24f584795db32103ef30685d0618a97866f9688326d567ba6761b2dfe4390a8ef0033deb8d6dc0eb69898c2c4125d882eef5208dc899d2c2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
583KB

MD5
7b82b4375e3e23073d10b06ff01f78d2

SHA1
2a61dd3ab42b8f34b1b761bb0e9f788dc564cbce

SHA256
af2afdb342de1e0b00f0e12dee7919b05b701bd40b12a2d799d28d5f1b5ed581

SHA512
a3ad2f9e499b02dd1458ba03d5c4a3ea02e2db5d823895fcc4c8afa2ccb687cd5a010d7fedad1f74e57d2c2aa9b33cf6b9c93deec95d516fe691e4a936c2b0a3

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
584KB

MD5
88308f816feea07ff02a9482e0ba8489

SHA1
2d17294f4295d77150aedc8a1b8b57375fcf280d

SHA256
470885da366db979f8d35601f1f95db5dbb388d79c3cf52bcd7f2a2a4ae43a4a

SHA512
0f071b8579b33865f1219ae380d0180c8cebd4f9c28a8ecba99f9dea38ac500b8a7a3ab69443b0f3c448b1641a3b4dfcfe841cb7e2bd07f24cf66bf3caf17d2c

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
515KB

MD5
f21ededde743b3e4ce25e8df6b65acfd

SHA1
9948ae56acb6694d7997c2490bf3020da3986951

SHA256
c1951f5daff160a782e363bc09fcaf17170ee4794088e1470925f604351a046e

SHA512
02ecda8186074ac847d85f7e0a2d2c7ec99f6b4ab655cfb7b05c3a6721b65313178a5e544e6d6a07b4bff80578fbd76609d7b64f1576b1afd4b41d130d1ecf5f

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
426KB

MD5
873763db25289bd82e5cda43d8fd7ba5

SHA1
fd51b2e5a5a55d4df6f0ffff900c8bda8b635d69

SHA256
5dccba5c7889c57fb277f4ec4f26fd19bbb57cce832b4854a37a17b8eec43ac1

SHA512
515d6dbbcfcf23c31a755ebbc41289c239e3542d22b64fbeaeb263c94353e01ac648f522fc6c92e39c74522ffa9f9945bd7bc6f415e2a04d7414ce4c79fae1c0

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
654KB

MD5
75aa7fa575410530047b82b1533d9d7f

SHA1
1b7832513c5401b1e973d19d1087364f9c017d7f

SHA256
b1904854bfb1d33b68fdd64ebf2e1aebc7a1827ca6fe43c74ee469e6370230d0

SHA512
1585759678231f9f994a3708f9287f643e7c240443a33794eb0d61f964a3e3d3a9ce3d8d3ee00d26ae458fb3615350c038359348cfcec77d9ffd83fcc3b4d5f0

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
474KB

MD5
173395de2ea499b6ed69e28df64b3fa1

SHA1
da5f8278fe554541a0d0b17a465e6b9bc17c5b9d

SHA256
fb611a98e60fac5c8adb589aeb6f5e5f80358cf085cc602095ba52c3e267eae3

SHA512
0fa49180c4b25d9aec5b98f861016137cd876e539df55f7c09f2e1dd8c8702afc2deecb77277295ce3741b716b18762ce3775d40061c5b5c7b0ba712e140f2ba

Download Submit
memory/1252-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1252-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1480-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3260-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3260-43-0x0000000050AE0000-0x0000000050B78000-memory.dmp

Filesize
608KB

Download
memory/3260-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3260-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3260-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3260-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download