73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
307s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21-02-2024 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3060	b2e.exe
4968	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4968	cpuminer-sse2.exe
4968	cpuminer-sse2.exe
4968	cpuminer-sse2.exe
4968	cpuminer-sse2.exe
4968	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1208-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 3060	1208	batexe.exe	72
PID 1208 wrote to memory of 3060	1208	batexe.exe	72
PID 1208 wrote to memory of 3060	1208	batexe.exe	72
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 2336 wrote to memory of 4968	2336	cmd.exe	76
PID 2336 wrote to memory of 4968	2336	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\1141.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1141.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1141.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\170D.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1141.tmp\b2e.exe

Filesize
128KB

MD5
272c54a9b6cdfa558e23cc257343048a

SHA1
7f26d86cf2a3625ce3e70c9cfc9b0cc075b8d5aa

SHA256
1d7e7ea2934d091cb7ab81c31e31b4015e05a9f86b213f9d78b0297c88fb3415

SHA512
5139de29262ba7091e5ab0529232912aea9ca34fdeb16165021d3ccaba1d351abc59f2130eaa6af8c3c0510db5f649095f7043ea837267dc9eb4ce0169fa18ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\1141.tmp\b2e.exe

Filesize
45KB

MD5
b18d433903cc7d27e007137ef3208742

SHA1
ddce425c16697b9e9070d8066e35adf5b3d4a5fc

SHA256
0bad5eed7bc919484f54fd6096104a69f54c06a098d6d0233be82dd42ad18777

SHA512
e9177c022542be063b6398c9e21c5d213399010e2df56bc58ed038a3e6c292402129f03bda61a4a844e8d0c2246cb50e060efe72482265e2661c27b226cd1a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\170D.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
502KB

MD5
ab1a0105a851bd135f5afbee943355e5

SHA1
15ee71e6c1e0378c0836886e48706c1eeab6ba3f

SHA256
ad1d8eeab460a9e237a96e40ac7e6fa5edacebacc2d5037ffb99a18e1b67fec2

SHA512
ea782c4f30d5c18c8022cf58107ed346571c636056d19f66d0ea952714074c206c16b5a5caf1e61c17c3ce1b4680933cb78a2442859d4809ddb8b1646a0ce45f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
564KB

MD5
f39b711b04b50f47464356a82d51e358

SHA1
a5171df8b9c51ba7178ed43b1206be78fa4bec34

SHA256
5fb77d47f0819baff5d68353d30c4b23414bf4f6beb914302df6618951543683

SHA512
a6b6f85cf54d97cb7d7381540a3eb817624729e9c8593843b5b34167e1b0aaaf09aba3440d962edc1098477bb6b794fc155735da751340cfd8d69b368aaf7196

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
306KB

MD5
95b0367851c0b93b423f6584fe9b108c

SHA1
c416451955bb843dcb3c18c3fa2141fe9320c9a0

SHA256
ff38c079c4eb645cdf67fd53999bf002a852a65f960c927038d00224b48a3b53

SHA512
a35bcb81f556d9bc7b06a1832571a3372a88d0263b517131ecc5b3c9f7fdb1311c9a4a7715a0bce7a3cb9d3d27e346931885bf5a50b5a3e436ffc6cf0649d1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
478KB

MD5
2de37bae1c20c363f2063627eeee37dd

SHA1
587f500f183ea5a33f5f2acd7d58382eb5c614ac

SHA256
597241aafa9f5de96389a233b36a24728703399bda95994aa3de9ce24ecdb576

SHA512
9e8a2b61bf999b4e5bcee22dd6cc9fa462b972a0541e523fd8cccb439ae878dbe0abac0bc16abf4953bc3aa4896cf4d7caefa6ef4a03e7ebd1a73fefbda5b174

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
381KB

MD5
1fde68888fac68f7c1eb7b1ada951c92

SHA1
090141afaed29a74957a995921cb1513d9777b93

SHA256
ee54f047d29ae20101d5a7f7543df52734e8b2b328f98dba305a1d603238abfa

SHA512
559d7410658c73963c6d1561198d6bd82a0964451986891e6ec1d6a3be787c55bbe3fdfc3acf889c65667ebf0acd5a8903602abc52622fd075dd3438dff5b81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
360KB

MD5
667fc2d0b1f8edf13979eee6e4fec3dd

SHA1
2acbf03aac231731d518798c706c22cdc0b22b56

SHA256
be5e259dfefe741279b911c87ec6a5fb6d280db23718c7c1dd089d934dc040f1

SHA512
53004299fced38da523552e288d25657d020c9454d1a4b6f21269333ecf2e2ded8f3f35ab054134927af5b3328353b340d965735cc032c156f918a862b895820

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
506KB

MD5
1da12dc1dead60a2aac42388fe08c73d

SHA1
94fe6128c41e326d82a8161fdcf24f71c75844c4

SHA256
15271de51b0371ac87bc9ee01f184be9bc89bdfbdebb6cb49a3195af0c673519

SHA512
763f489f172514f59d170ed84acdb553851f51105c5c9197ccb1a0713997415a1715a3f2fb25bd54c05f875a9176bb1479e6394538dbea255eda170d18df3020

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
473KB

MD5
75b44738a512cc1e83fd3fdd7e9bf0c8

SHA1
a52f4f33cd0b6b6ff192d4fbd899ff9b29c05470

SHA256
3fbe62fe3a96a3af2b482ecb47de56094030cbcc8df3d5a85ac180ff350d34c9

SHA512
c47b598605af4ba46ffaed76a137657dba7f181fa5a15c824f8ba9210300f9687df4fc499f3ed07257e0a835440511df86bc6847a848a3ce12dac74ead480a4e

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
441KB

MD5
1414f70fa3dd325cd38cbf06538f6546

SHA1
580f5738047f8faaee2cf2b782f8e99ba5d5e9a8

SHA256
5bf33261fb5294b986ac733a45e6be1e53170dfaaa2538b2fdb12a868a80f24b

SHA512
3875a3ffe16f4fafbb337a1b01702008524ef06a8ae5cee935ec4dcb48f1c40736b9db2dba4ad75f15c42d3e5e5c0828498e1d4e51e473659794a037295f9a72

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
423KB

MD5
5e35fc0709a93059ef008adaef69a21a

SHA1
5363530b5781c0a5bfdec2707dbfdd583df362f2

SHA256
530860e9089fc78007daa41516500552e6b6a91db1f2adeeca1d5e08cd406bbb

SHA512
aaebaa360679d26fc379c1a9b3d7fb55204b370cf70a66eadfab2952a9d11ed8585f54cc581943f9796d0c0c693191457496a4f313442b52be4b5f34b6bc4dff

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1208-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3060-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3060-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4968-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4968-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4968-43-0x0000000074E60000-0x0000000074EF8000-memory.dmp

Filesize
608KB

Download
memory/4968-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4968-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4968-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download