73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
304s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21/02/2024, 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4488	b2e.exe
2640	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2640	cpuminer-sse2.exe
2640	cpuminer-sse2.exe
2640	cpuminer-sse2.exe
2640	cpuminer-sse2.exe
2640	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2100-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 4488	2100	batexe.exe	74
PID 2100 wrote to memory of 4488	2100	batexe.exe	74
PID 2100 wrote to memory of 4488	2100	batexe.exe	74
PID 4488 wrote to memory of 4628	4488	b2e.exe	76
PID 4488 wrote to memory of 4628	4488	b2e.exe	76
PID 4488 wrote to memory of 4628	4488	b2e.exe	76
PID 4628 wrote to memory of 2640	4628	cmd.exe	78
PID 4628 wrote to memory of 2640	4628	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\8184.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8184.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8184.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8388.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8184.tmp\b2e.exe

Filesize
3.0MB

MD5
a377021341a3095b45b504b5ba6747dd

SHA1
164ae9455ca7de0819d950f47b031a8b8514938b

SHA256
6b9dceaa45fc9ee69119ba1811770fdeab91a918606b0db4216e0a4ae0cf7bd4

SHA512
85670a2c7a3d4b30e0082fbaf47cb54553ff5e730ebf36d903ddb28bacc1dba47a4c7d498c78f3c33604701fece715342f955de79c9e46b47937ed18e8844d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\8184.tmp\b2e.exe

Filesize
3.1MB

MD5
a0ffb199cd9d577890121df8b0329f11

SHA1
0d5af5752a90a4bdbbb16660d87664a007545d3b

SHA256
62a9a49ed58429e3408749ff5f01e7e99c94051a87267385e8de7fba5ee0a428

SHA512
a318ff5a9a4f8e2e87e8d5d5f9c6824c7699866982d3c7c9aac342af2a0b56a377d84599f645d010874278001b6c64842d8295e5f08b750c9e3d7152b41ba940

Download Submit
C:\Users\Admin\AppData\Local\Temp\8388.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
508KB

MD5
b51768a689d0089a270221c567abc00b

SHA1
24612d8e86215fa75fb6b9170fae826ab9258c6f

SHA256
935de3b64433b709881e64a5bb0db41d389a3df501fea4f25a332999f8bd88c9

SHA512
c056c38eedab4897d7efee9e05dd3341cb401b330ddcb9405fbbb7f0b37913a7cce16eeff646e9d2339ec7e776cbeff7d4ffbf8da8e97863ac6c1e18728dee7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
402KB

MD5
08487c1f1e7aa6506ef4f1dab8f7e7ae

SHA1
0a484fd9904248d415a432ce4d4a86d5da7b42bc

SHA256
4d2b4631fb158f42ca0b9b1e583325b00ba61ee92a3d58f44979948976a74bc9

SHA512
bf0c81747fdad97d1ce331e885f973d65241ce607342c6aed3143ab90537beec751b15017f8ae770195451a274504d1b960a67af9c92bea1bf255733ebeae975

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
552KB

MD5
da8d972b6fdf9e34cb80af4bcfb1b70e

SHA1
53d08d296c0a21b919735a2e5ea70a7a6ca6bb42

SHA256
f1d771477d83b83d151657a67b87fc2ff1b41ae68c1ecd2129b5b55473783929

SHA512
e1aed931846765876b4145adea636e3aae97354362c1eab4d09edf684f7d40e018572d056b5de002ad3cdc4b6767e72f4183383df73c2d3977ebc88b27077c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
607KB

MD5
4f4c41d5928cf448e55c026b04b26ded

SHA1
cb729aa8d86d31b4087057556a669381780ccda0

SHA256
52f7acd8b87d7c33f310671ef22dff0e048d0f649cce9c93dded9f195510163e

SHA512
0124e871f5fac004ababde61e8bc59f94f3b969bd90f9d1edbabc9bbcb7167a5c580985a6e42a85680fac43f101a274ea71ca32505a157480c79b2b17689b23c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
492KB

MD5
ff53f72d703fc40047f4dfb670c9003f

SHA1
df919f5efdc8778b69e23698e8d833d0a2b4b37c

SHA256
3f10cf24814690b19576a24d2e5a8e698e9cf67cf402c6dc8409cba4fb09fee3

SHA512
7d87e2d3d4626453abea1aa5785642747262780ad34e5b660fb3975eaeb7efcf9b0eef3ddb6b942177e53e4b1689f4c7abbea0ae4030cf149feacd6f8ae455fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
542KB

MD5
9516cd4325592d3e1bb48f696a3edce0

SHA1
2edcb032152c9fc46f4fbb687fd50c2a45382bee

SHA256
57c78494c63cd31d40a4a2515b00e9a1d6204e52a81716bc9a66c158c7ce7283

SHA512
3b27d04246e877c351bbf92036a21f9db945757a37a601066962b653f1fa28a6ac3e374c208e01f7c8e07662b804680e727a40d2c4eefc9cfe20cdd0e15006fd

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
397KB

MD5
ea1c0dce19f23c49d28cd55bd86903f1

SHA1
d8c42dc8f27ee6cb1363c71f21c3f49f3cd8fba2

SHA256
83ca2d031b5c8c8e7ab1740c2f650d36d8cbc61108b19b02c2c25f75e9bf359c

SHA512
2e54f8ffd57d4a5591fb11f51f14f1b8515c87a34acba6797796d1c0567ce23cfa9b2076cf7ee537e21ec6213498429d2a325b684a634469d057640cc57ec805

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
409KB

MD5
dd405b19be4807eec940c0d221180e02

SHA1
262b27726d4a498fd1b54d6058a77adf61ccd425

SHA256
9b9ae5d3c729bc4485c45eaf65b7eaa96537e0161f6641e7497532812dd5015f

SHA512
017a7c2b8627eedebff9602646d357da1096279b91a0df1f3d6a88261d2067a83329f32999ba95e16a6f50938153250e99a7cfcbe6f7b64e6f4a869d48b4be20

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
374KB

MD5
a0009d57d381b4758d0df062f6fa1529

SHA1
499e18df180f79809428162d0171758782d15103

SHA256
02a9d867cdcbe4ff87e0e930435fb4005af2e1532ae22e03173303752591b3f4

SHA512
67bcfe211a3549fed95d605605efb1bf490519cc2b2d94555c3bc68d9cfd4a10884432a71a3c427f31a78031a166c0cf3f53da3e253833d983c9eaef1986bc3d

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
399KB

MD5
61d4860f3310082f6d2a2d856e6c829f

SHA1
a6d0e7b9361cb044a7157db00505ce2418051e0c

SHA256
3d38c903e26dffaea9983bfd684acc17096308b6a00645028065c3f350826dc1

SHA512
46e81774074790314b8742a1bc3cdf75f58c0932de5d169dd23e10d64ea5605563c02c767a020fe0ef8d782715c013c9b6404085f1cce11b942720bb225d0e0b

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
296KB

MD5
b14de0f6206a880d98af4ad9ed2ffad5

SHA1
4c7704972573f46ff6c219ada0ae7c55bb50c51c

SHA256
92b208fdfb5857006e4a0e3db131f80364444d8b8a7ec9b9b610728c4e5894c7

SHA512
e69e7b37c929b3edcda8b6a9f75c43b7c7468dc32c06f1bc88d5995223075b6fe8c0758a75978416f1faf4c3aabe256a32bf10d744aae85bf38c08f9806aedf9

Download Submit
memory/2100-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2640-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2640-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2640-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2640-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2640-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2640-44-0x0000000001040000-0x00000000028F5000-memory.dmp

Filesize
24.7MB

Download
memory/2640-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2640-43-0x000000006B1D0000-0x000000006B268000-memory.dmp

Filesize
608KB

Download
memory/2640-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2640-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2640-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2640-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4488-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4488-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download