73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
301s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21/02/2024, 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3880	b2e.exe
3364	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3364	cpuminer-sse2.exe
3364	cpuminer-sse2.exe
3364	cpuminer-sse2.exe
3364	cpuminer-sse2.exe
3364	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3192-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 3880	3192	batexe.exe	74
PID 3192 wrote to memory of 3880	3192	batexe.exe	74
PID 3192 wrote to memory of 3880	3192	batexe.exe	74
PID 3880 wrote to memory of 208	3880	b2e.exe	75
PID 3880 wrote to memory of 208	3880	b2e.exe	75
PID 3880 wrote to memory of 208	3880	b2e.exe	75
PID 208 wrote to memory of 3364	208	cmd.exe	78
PID 208 wrote to memory of 3364	208	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\1A49.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1A49.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1A49.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1F3B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1A49.tmp\b2e.exe

Filesize
2.1MB

MD5
39b4020ff92c7e7a36a7c2cfb99f7c45

SHA1
1bde47d175428c094ac26a3fbeacd1393319a430

SHA256
371c90084f0c0211bece998d453d88bd2a74d7f2898b54f3aa788e30dc34af77

SHA512
48e28a4d66e9b5bce4e259d536f3e453bb393f1b55fd9e68f3eb547c8e2e0f21cc439f700127b9e9ed912714af0ea7b90d41fb446767a0702c8d2a686d993f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A49.tmp\b2e.exe

Filesize
2.3MB

MD5
8f65ecd98ea621c9c8b220fe7df007fb

SHA1
d77d29aaa147602d2060fd6c383c67019c26c139

SHA256
b158d98377fd1d46eae496afa0ad02705e548abe06ac1ceb8d697ed5487bd399

SHA512
bab508b2a8db22a305ee6c1337e3498aeb534a3432db385b8334618d2207f03617b63f8965a1bba214f1b4544565b6aa44fcf60ad3c2c08816ac0eb874b28673

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F3B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
459KB

MD5
ffc7caf7c775b2a8382688e594863f1f

SHA1
0be9bf3a9d66bc003b385bd7250c199addcb90e2

SHA256
ff70c1dc8630f3508a2981752db174c027f7ce70a54db2d303e557134bc17399

SHA512
c02239ed21b4389b884d328445622b19c49dd7efe03f037893054f2e3ff5339a59dc7de9b0aa45b87b91e8a058ca90dc8237fd825109d5c123fdc18a4051b352

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
509KB

MD5
954c7080267502f0921e9c86c20ac376

SHA1
bf04694cdccd5aeb076eaac212aa54436920022d

SHA256
7faa932228f5820424bd3795ccd7891b6d990b8231a809691da09adad06fe4b3

SHA512
a8753d9e5c2f25bba6ca8042cddb2568cd3ad8a94ecc2c9e30e03ce7506fdbdd7391ad1842b4fd82116c30500493b51b524a31b111c03226cb97b2b005d5a735

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
805KB

MD5
530b2b3a512c34e9bc3db35940cb5ed3

SHA1
f52af5cb487c2b92f74d3298d2c0fed6355aa025

SHA256
24e4f308007baf1b6bcbaba13a081337846b2765ec7c410e365bf1a0612e5043

SHA512
cd04b0383ff4a98ad736550c18169048ef193355c0e4daff4575ce806c2814e89d970ec89a3fb2197f50ac21df5e5da8c6e80f036b7d2f5913b5b16ef68aa667

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
657KB

MD5
1fadf9d25cb76bf350d621602a0e0c12

SHA1
2643924d054d42d6d6bfebd1f37489d2a5258bc9

SHA256
38f1a2e8e4e605de41516a62caeecebc9b2e48c23ac45eeb1507fdc3bf5f3cb0

SHA512
2d5fc69a479a55716af5b20f16801b07a486365bd0d1d175d1b4a6b0badd7bee0991535be0d6d1ec31c2b62eb1403bc06e67583b36902189794f97d852541b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
542KB

MD5
c0494535bbd62c8a917d2bae3b1735bf

SHA1
64eb7b207fc47644c900a332b492f936ec8fcf6f

SHA256
5844f8b271e7469414fb51f236f63e8633c07d63d966d5a5b3ea1889bef83813

SHA512
d3fcc3e920f153290fac235f53600590d16b70ff36c1a35f88a51315948bb3cf2c4b79923f2d8709695a034ac6d3388c7c7d769dbbbf7a892f6ed2add52cf7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
767KB

MD5
7419de2bbd987c45ac8bf8b4721c17f3

SHA1
527010e5f71997e350c027bf6cb91951eb46bcfc

SHA256
8a324b31270665b9cedea5cd58d6492cad2190838b761425e0c39ff4fbbe6ddc

SHA512
245eb61564c94d3de412bc8f7b692d65ded1b149c05d098c0f9f52f161fca8145de8d7d3409630c81da13b9f19d64fa806140478ea8f6e1f30379578f4b95d95

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
561KB

MD5
8df11f65e99c8b2463acf869a4997b64

SHA1
3e57317c9774928186fdc4afad4b0382f29475c2

SHA256
8f8da1bc74812d724bd9da5dd05ce9864be7459a56062805d21ed2896d5add9a

SHA512
242ebd2f2153453d526224f4b93bb6ef5850f2df8f3900e1d54f3b87b7ea939ef567fb0340cdd90ad05c31e817c351930eb7953a10525d60532d3464e0021109

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
567KB

MD5
1fa3cb665b0d4835eba9a843b3e76d5c

SHA1
e0793d4f28ed098a4a00db4cb65f09dcf4523e95

SHA256
4c2a7082b828b38df77c6ad8befa9c93c40a348e2263d998846bf615db901e5e

SHA512
d6573589cd5a08347986dff1c4c61313b3a51e6f9f145e3965bae19f6f8ab6af0d62e66c5d819352e63853c1ec0abc1b32c77a08d4a6ca2573cc38397b7bc758

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
777KB

MD5
65f53deec65095c878925a6c5b94923a

SHA1
7dc47f5c2e364f32a685c5a65de1e1d837ee307a

SHA256
4faef4102f307761be1f1e64bf9e42841a630b37b9839cdf0a0154a7ea1e1fe0

SHA512
9d400e4b4570e47bd2a52d58e51db06a93ccc417671f7c8f9236a49c1ddb9bcc1f763b5e43c1b4039fbe5aaa6a1f26d30fe8923aa2257add19a934860371990a

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
438KB

MD5
4f7a25edde466d3d21bc711d9cd6ca2a

SHA1
1aa0a17ea2218a96fab37d0fc4a0119c4b03330a

SHA256
619ceec24775ff5e8db4299aeb08bf85beba65705ac091b0bf700540e22690e4

SHA512
32d0e35b18ed67e4e8d8ba0764cd14f80c3bd561053394282c88f54fcb63224010b696aaaba10a2a0a48190835000b75254604090986e62ff0a7729a48bc6dfe

Download Submit
memory/3192-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3364-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3364-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-43-0x000000006E300000-0x000000006E398000-memory.dmp

Filesize
608KB

Download
memory/3364-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3364-44-0x0000000001070000-0x0000000002925000-memory.dmp

Filesize
24.7MB

Download
memory/3364-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3880-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3880-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download