73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
306s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
20/02/2024, 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4400	b2e.exe
3136	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3136	cpuminer-sse2.exe
3136	cpuminer-sse2.exe
3136	cpuminer-sse2.exe
3136	cpuminer-sse2.exe
3136	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4204-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 4400	4204	batexe.exe	75
PID 4204 wrote to memory of 4400	4204	batexe.exe	75
PID 4204 wrote to memory of 4400	4204	batexe.exe	75
PID 4400 wrote to memory of 2736	4400	b2e.exe	76
PID 4400 wrote to memory of 2736	4400	b2e.exe	76
PID 4400 wrote to memory of 2736	4400	b2e.exe	76
PID 2736 wrote to memory of 3136	2736	cmd.exe	79
PID 2736 wrote to memory of 3136	2736	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Local\Temp\C9D.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\C9D.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\C9D.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1170.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1170.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9D.tmp\b2e.exe

Filesize
501KB

MD5
086ae7c356754d56aec21e3144158c90

SHA1
372110a700d9ca3767ff1a44dd508c8603f51e57

SHA256
d7b6e8cce2ee07dbfffd5492117fc6bc00ae5b3b54fa46df0e69049f7bd8dd50

SHA512
d9ab8b7a6f2dd9e820db1cf3483c15f0cc88d972e29f5ae959f5e5f46b39173b719892be99b48070eec532e6233d600c4753c8d067d97f3658554f06d3da10c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9D.tmp\b2e.exe

Filesize
388KB

MD5
e8fcfb9de79d2dfbf6073d96855c0807

SHA1
93801a2980d9671c5b10e14df53a9e5fb096599e

SHA256
bdd46aa03fa7561faaa494cba451296ef7d62a3fe7afc09a3bb204b9e61ea65b

SHA512
9e5183a7d6dbe49e012f269198810e3d0bd696d6d7915a9b0371fdc981801c090df1cf6689c674e2db1f3d74e44ec19ee0d11ed54edbb38340ed42d24d368657

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
369KB

MD5
d2fb391fed55ea4b8539a03a7e239a4d

SHA1
a6f7e63556b39f768b8f2e2f11e27997c4680209

SHA256
770a5df18278ba986862087408046c169da89dadb7a050a478673d1ddae5f641

SHA512
4fc9cd7476b982c9b9eaab63c94fca3a2c8ca9af08799e27232ae0313a4830af062cc665b9dad41fabee8cbf0d533daddd72d8a67b3752c97892c3f72de031bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
559KB

MD5
2fa0e1cd32d231887af75e66ffe77a92

SHA1
33cc3f06f9d6e2d9ff723a6891128bf79348832c

SHA256
037011f909b828e2ddd0df67451ec522c80fec7ab9b3a42d1e77be018a0419ca

SHA512
7973cdeb9a9a023a527f5c62217a0ea0d6aa6c9144b49d1337a279ab08054b85d4dbfd477b0c8283457594c61c828886853d335de16a2efdf877ce4366aa65e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
163KB

MD5
992d6bb53742bbd87a7592cf9902fff7

SHA1
9a2fd5e9048abe21e1048a2e80afd84f453563ac

SHA256
9693e7df39980af4f6a9cf193ffb357dfcaba9b8108625bf76a8464782ed4e29

SHA512
92520bf5760ef73e1d24e7fbeedc660d689e2b1e2c0bf3afa06c51836703d1d40f76d22244129733da4185ef70db1ad2df82cd3c5a72e1eed10b68efb8f62a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
429KB

MD5
34beaac5efce799bd34d3bedb51e18ce

SHA1
49f290a6464e7ea0f12afda83cee14852e6d0418

SHA256
afe80e02b005e1d50cd62b5b322bdbcc1fd3ebdbcf7bf2fc97bbe800ac192bb3

SHA512
0309db7a7efea9d678c139b59800a5976287c28b9e1902d7ed8811d661de862590d847a52b9a1d6c337ca277afbddf96b34b2efe77b9520a846e33c9d9693781

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
363KB

MD5
12340d7e27edd4cd4fca8f64fd7c56c8

SHA1
5905764abdfd5fb66641c98855aaa6b3b59bcbaf

SHA256
ecfc96159fec592e7d53d33eaa7ca72d7df4341f942f4ab48de5b05adb44d57b

SHA512
5e4261a52c5637e843986c1c06b9cd4e81b103f1dfe91646906136f644733408d95e830e4559ae4583e1c742a2b172fe66a005e01d95534d91bad7d488445b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
252KB

MD5
475cf79471ecffb6b4f7af5171ad4ca2

SHA1
69d5f95ae2ccfc6d5b3bd37d2ccbde018c018842

SHA256
314d4bd1932c36d7dd0a8362a519224128045c6384afc9e7612191b7b458b5ea

SHA512
458a1119dee70fabb34d6045409a54b3600945ebf5409ee70156ef7293a3143f85b4692181da40a588bd9e9af6841c970af7cbccc6f647045f58d13e1818a00e

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
149KB

MD5
7635d4f6569224e241d1262eb987a832

SHA1
543e3300747ac247a53c08b8d449c28a57f8448e

SHA256
bb56037a9dc2298712acd04aadbb2988941511a7ae23e53669df707e245fcd45

SHA512
1923c648f4c53fda55bbc30f954ec7eef99e2f963520fd1e286415e02688e6771d7611a4d9a5ad2e02604e94506d54bb5e4d2ebc12c2a144b3ae5ae096bc0b65

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
246KB

MD5
950501e622c8f81d88c9214cd59361b8

SHA1
be901e515bc2daec74ecb7635d3df3fdaf56d21a

SHA256
f15eede113d3246307f19302a45f9da5a1f4a2b22a6c3875f81121cdb3105a8a

SHA512
e867105a743e8cc78b78dbfbb6ac666f32a0ef24905b52c9f486371b6612fa96decad5857af12f05afe1af85ee2893cd01009eb6d401715ddc6005b7653d44b0

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
352KB

MD5
f18c9d75b4fb5856b190e9fe67cbe518

SHA1
49f506a5171a5fbaa61e1c4dff1d848f28536813

SHA256
9e7d7c66137594e26963a93568e1b99a4c07361bc7f40dd6bfccd5f3500b38a4

SHA512
70872e6371ae4ceb2c02838611effedafd894482b55bcec81c7d698b087c85826ceedf8085c347f2186a2ef4947026e6c4c0608705b56039092cda85d06751b4

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
181KB

MD5
c4de4077da58746359bb9bc7a7b6679a

SHA1
2ca5ff315081883e0c493e3697a839f62a78ff34

SHA256
c5b53003e57db4928b83ebf42161cedd0c06fa7d3200f7790b8ff60271714404

SHA512
3fe0d8d577eba34f2043a4729885097a9b96ea35bad660a51305aa9b9d8fc135ad36e07854db45bab5ea0efd2b4277e4cc0dd0d89faed992687e15d95ee57461

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
435KB

MD5
c90ffcd03214d407c7f77ea10e3b35ae

SHA1
a15d0d304fa3eb5d765ddbeff52e5638c68b60ab

SHA256
e38b6ab2fd52efcea8dc53fbccc65726f5290b8163179822b18da1a1b2a1b880

SHA512
91561d5704c455c9ea5943a1db362a48f3e70feb480120b008b610413a454ed9020c1f0ca14d7ce410fed767c27a29eada7ccbbc760bdf20eb507bb1169010a6

Download Submit
memory/3136-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3136-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-43-0x0000000070ED0000-0x0000000070F68000-memory.dmp

Filesize
608KB

Download
memory/3136-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3136-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-44-0x00000000010A0000-0x0000000002955000-memory.dmp

Filesize
24.7MB

Download
memory/3136-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3136-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4400-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4400-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download