73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
299s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21/02/2024, 01:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2876	b2e.exe
4692	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4692	cpuminer-sse2.exe
4692	cpuminer-sse2.exe
4692	cpuminer-sse2.exe
4692	cpuminer-sse2.exe
4692	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4128-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 2876	4128	batexe.exe	60
PID 4128 wrote to memory of 2876	4128	batexe.exe	60
PID 4128 wrote to memory of 2876	4128	batexe.exe	60
PID 2876 wrote to memory of 4436	2876	b2e.exe	75
PID 2876 wrote to memory of 4436	2876	b2e.exe	75
PID 2876 wrote to memory of 4436	2876	b2e.exe	75
PID 4436 wrote to memory of 4692	4436	cmd.exe	78
PID 4436 wrote to memory of 4692	4436	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Users\Admin\AppData\Local\Temp\8FAD.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8FAD.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8FAD.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9153.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8FAD.tmp\b2e.exe

Filesize
600KB

MD5
918250f9c51e4c9c4caa9587d6eb9733

SHA1
a852dc79dbc3823eed24d1ddb8254419942610d3

SHA256
004f4fa8af83ff886975c2f13d39adf370ffdc5512a63a267825d23f63ff1af7

SHA512
0f92f0c25b8122061508a9e945f999dbc3ed221c4899b7b2c9320f6449d19f3609b891300e86e0899aa245ef67469cd48e5130b86e3beda7f7d64c26d56d0cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\8FAD.tmp\b2e.exe

Filesize
1KB

MD5
644ea7db8b958910e328b058644334e0

SHA1
953cc5ea66440ec9edf01d0fc3f89f5e6ff77160

SHA256
c2929d87c46da88cfcaa62cfa6ca6abfaee335048da449728a08b4281dc318c4

SHA512
e81fa2b83f892d21b482b496e7dc911bccba5a281639d303f29299b744369672cb05f3dd22eacea3b8b28cfe8ed021a63a00079bdd79d5f7e6ff1dac2e8655be

Download Submit
C:\Users\Admin\AppData\Local\Temp\9153.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
500KB

MD5
e6fc0522fb0ef69d1d049e09aad8b45b

SHA1
54c25278a71e6bc1cd5da0b55d9a1176660b47b1

SHA256
d6ef7d7216ccfc5f27336865f2ebd6925940bb8757ffa621b833eef5a12c495a

SHA512
57113aeb18214d721b73f3c86e7017fe32ac7e2b12571179f49bbee599ca21813baeed6177860b879bfd9891c1486025e7951a252829a10ac35aa7344c4ade7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
578KB

MD5
33fa616dfb5f1d51236ecf525e33bd48

SHA1
0273c576535597e64d6a1cd9d47561e446d93d51

SHA256
1a49e3371ecab2b816eaa34670697feb2ef53c55603b318065f7c4027be6f5d8

SHA512
e340d29ec9feccafb14aea8962b187ae12cb5b21d857b2b57a85404c802d6ff45f4f1540f68865c6a5bce4495873711f6a15fe7fcf85d0383fdd07f4d3505e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
416KB

MD5
23742df36c57f16ad3ca4bdf8a7e8f16

SHA1
3b947c0354b95a8761c0936d5370e4178a7c8230

SHA256
29912cc1e08ca225016ba5e1486ebb705eb937bf2588d0ae15ef12a09b8e6fa4

SHA512
0bdb9ba282fc36220fd044827fdae5cd93f9efbe4f7af4a615ae5969985bf60c81e8e8e77641cf6300ca2ac51e29b18f5d6667acc5517b7cc96eea2b8a786380

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
649KB

MD5
600b0a8d6ca54a9cd5de9431c0763a3a

SHA1
28e5b2cce5637bfbf9eef9a624123c146c5011aa

SHA256
17d79c7e7dd3b598e48bb066977f6b7456dc4ccdf8870ae3f9854ac0575e4f03

SHA512
0df70adf8c8277c00763274cb8c6de708fa8ba2ec6f5cfa6e8d23bd268480c7cd0add6e98d6a6baf8be1efb64e22068cf71df2ef09df3e83c18ea0b03a7460e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
472KB

MD5
e5228d0bb74a2853fa31ec9fca4d179f

SHA1
0df4c059897342552f71c63195617db8dedc85a5

SHA256
e57bf47eed9ccde8e97d21d0598f9de86bfb93b713b74b73b337d533030de338

SHA512
2dbca9ab55298e970b2765ade974c009af9f8ff86aa5f10284628bd7b299a3e35a11e5d6190212ce64b728a2b1a43bba0f27350e5177120c3eb1ba6d63ee22d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
465KB

MD5
e934ef74fb61cf446e407a26bec4eda3

SHA1
40938b43cf7a02ee4e18617ad898dd13ef63075e

SHA256
00d21c639b05c71a2433b8f5f672bc5e98815852780288bbcad4d2b057c3a955

SHA512
fccccb14a4f3b7d9a47499a5c55330596c000a4e31ce03821d3b6a489c7898fb7add2213afd04714aa35085c9e9526d96f694f86bbd6c73edda1c0083246e3cf

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
394KB

MD5
625730760a0cca574c994c1d663f93b5

SHA1
d4d112c7f61fdd049e2184b52cc9ed6b799568a5

SHA256
2347811fcc2fb213e84ba91b2212cdb2ed76c274aaf6356335d71145b8a71249

SHA512
e5e69c64421d1f58782a4a7d3e5261b678477058fe4f7a8d71a45e56bc588e93f2d468c70f4278322a098b861c060bae55cff571dc5faa9292526aaac7be8709

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
505KB

MD5
996defeafd75db81007ca3a3e9f0a52c

SHA1
0f42db2136380b3528900fc403f7452e6997789d

SHA256
76442ceec4acb6b4e54d009c231e6917f0a339c3aeace7447a4332ba1e5d585f

SHA512
ec8155c108f2eb10deb93df65e99f0bd21b507004e297fcc7d7a38e12b9b79351c57ff706af87eba2a54ef1787279b1660f258273477c37a114e07e5e359af91

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
391KB

MD5
339a76822e098bb966ebc700bb381f73

SHA1
3464bb8999f6163f8fac6477b1b586b29f990bbb

SHA256
83e87af07db16be5d6e843ef546e9af59501cd42f5658773da9e05341cfc17be

SHA512
66ebdba7c995263254dc2e7c4695bd58a3830c7e6c26f8dea9d74147797d40bf1017b26d3fe3b40e17b45deceec1f80cab0006b426e69cbb20ef610018fdeb26

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
672KB

MD5
956097907763e5ba336f6c9d04857bf1

SHA1
3fd8c14979123c68c8be7f15a9ce31405ea27a25

SHA256
2c5ca12ebabaf5ff7c5f00fc07ec79b0213f2c11de41dac8693c8a5329c3d042

SHA512
64d7cc9f02fdfcf7a1dda522f0f4bf45973c10ec24dd41876921b78dee2eae59323853b008a394452e7a2911546d3598e8d1607d68002b0b90fed81b4f650e5f

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
375KB

MD5
1aa3569703839255f29780446b1217e3

SHA1
03a2b199552e813dde0844fdb1c2d4dc7ebedc02

SHA256
4719bcad2731b7fa03796a21293420e081473374d672d845e467839be24230f8

SHA512
316fc60032b80e103e01f71e557890085fa6cc2a70cee37bb2fade57c5ff6d0ade54f144b779645969db0198aad8b60df7d2866e3766bc1533cb0b8a7354e35a

Download Submit
memory/2876-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2876-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4128-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4692-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4692-43-0x000000006D5C0000-0x000000006D658000-memory.dmp

Filesize
608KB

Download
memory/4692-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4692-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4692-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download