73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21/02/2024, 03:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4768	b2e.exe
2680	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2680	cpuminer-sse2.exe
2680	cpuminer-sse2.exe
2680	cpuminer-sse2.exe
2680	cpuminer-sse2.exe
2680	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3952-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 4768	3952	batexe.exe	73
PID 3952 wrote to memory of 4768	3952	batexe.exe	73
PID 3952 wrote to memory of 4768	3952	batexe.exe	73
PID 4768 wrote to memory of 380	4768	b2e.exe	74
PID 4768 wrote to memory of 380	4768	b2e.exe	74
PID 4768 wrote to memory of 380	4768	b2e.exe	74
PID 380 wrote to memory of 2680	380	cmd.exe	77
PID 380 wrote to memory of 2680	380	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Local\Temp\A354.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A354.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A354.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A827.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A354.tmp\b2e.exe

Filesize
192KB

MD5
6ac4b534a8945150025756c2f85dd2d4

SHA1
4f8633cd78b9248d5885e75ff1b26ef27a196ad1

SHA256
2e07e008a86c33e31905b1f49b18245261ad08ed3463c6750d63502e1e20e43d

SHA512
303f0cd104441235da58583af1597994df43d0a2d55d6245e89fc7d8f2509915525925277636214722e922f2939c93ba95627d54a18105d6cfa8e606b2f3c172

Download Submit
C:\Users\Admin\AppData\Local\Temp\A354.tmp\b2e.exe

Filesize
3.1MB

MD5
bca8c467df66fcb86bc5fd5254816917

SHA1
7e630f497e0f72ed5a6812698ff171ca638f174c

SHA256
cb6746e6dfe3139ec13e762f76e663fa06192d24b0054a384248566d2804c3ab

SHA512
ed1a714e39f36e26eb6b7ff92beb51b5cd6a0440f8ecaf19edc6960b9f015496924080513c4c123adccc075b9c5fa223f5cf2b365a17b8048ed3c50474a99eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\A827.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
809KB

MD5
57bf0b14026c9a778abf4274e334015c

SHA1
3fca79be8ccb939c7617493ebafba1aed9c09483

SHA256
edc7f4d38af1ced56a6858af0e4efc3fe5f5bf1d69a89d60c51969d557a8d86b

SHA512
266f2beacb21dad365ee518878c0c174dd30aa6b40fff2fb2c3f151bb480ef1df8821d494ad05cb1484d76f0bc0763e7d62aa11fda65131d49c741a1326c6bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
850KB

MD5
d41634b5b3c7234f44c9401790117725

SHA1
9eea5e4d826ad7c1032e82131db6ddb84b1dc0cf

SHA256
5674502ca0e36136f24965117bf6543898173965b62eb1a1325bf07e51a88e1d

SHA512
7124dbd213fc63dc2012ca25ed5cbd700eb2627fa5bbd84be61bed75e7a17657c88cc8e7f17b4aec8eaa1d2cbb1a98c855074b9870709558aa18b7790daf2e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
605KB

MD5
05db7f4d9bd0f6404f680614d81f33d7

SHA1
0ee3332d5aa0492dc3316b4b3e11dd58e2de52bd

SHA256
e22965c33b73ed024d00facd8d47677d5924b3692d7423cfd62ce867e4c5a8c0

SHA512
7a9f82940f9c3ea9935377adaa91b30e39eff143ff51e876687a17b9488ad3fa71bbe88b8f1550a7861a65f824fd1985dc5b8219efc8adc83c159946c00b6400

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
242KB

MD5
4ce43388037d3d9326df518b4f6757cc

SHA1
d4444dd8c00a24e2567b2ec0d16398f27e37588d

SHA256
8ccbb0663382c5526fe60d08dde053dd002c2ca01d93f8cd80828cffa7dea835

SHA512
61b79bbd366a33bfc2ed982cf71b10300f09d0525a81b4533db9712f18ed99f74c2f76c05ecae047dd1290cb4bd556e29594e9ed41de7110dd29986a77171e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
469KB

MD5
91f412f798cf9948d6496aedf01553d0

SHA1
c3afe2cf4037ad89013324eecb80f21ee9aefffa

SHA256
5dcb99acad280f3daa0165a91265ca2ade53262e4c855c6ce3ee3006433b6827

SHA512
c941fe1fa82f1f9ef1faa1d8865dd409b2405b3a00c7bbe8fbb9d4573aee14c5b6bee680b864480a0ceb54bc441ebb19f3929b6ef39de00c78e0dcb0d7764e53

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
556KB

MD5
8426a75842198c0ad23e2ba3c6f39bea

SHA1
bb7002a329963290c91b310df294787c262cb61e

SHA256
1e6caa9593a43fde82f12793c7adb0e036a56ab95dd7e479cd3678d0940e3110

SHA512
76cd7e120ca4c5759ea4aa5d5cdaa33b88779fe037c9cd45db47c05de64eb4cb8ee2349b84a965ddbdf94777992b7bcc527ff19241125c189e10829e90e564c1

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
376KB

MD5
4329596d6cec608970e5092ac821a696

SHA1
5b22141bec127eb4897e72e2942b43adb7e28a31

SHA256
a94a72297f6a2bccc75c9f26062538c563b7670399517323bb5bbb7c5003d219

SHA512
ec4b148bf2bbdf9093f44dcebcb20ca2a3f11756390cf35ff08072ff84a0c44b348e7a55079e81d8954c30cd7d8c2bff2d0803409d908321d10648187268860a

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
375KB

MD5
939ce070d2693f22153f8eaa8391d3fb

SHA1
65f9befbd519085c198ad9b4d61100368f4ae750

SHA256
5eceb4780adf45b739d3caf7c479dcf78a2d02338009718ba02d462800f74fc8

SHA512
1ee31f513ab14431190c76abf084b15012a10cc72d903ee35c91377c5ea127e632d546e719596eaf1f04e81bd93fd1261e47650cb5fcc6dc33e2e9f08dc850b5

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
366KB

MD5
68c80cba6d0aa40ad0955d9835d24470

SHA1
c8a39cf31fe714fda270047089edf9012d1b26f2

SHA256
3664d42a3071f4b36b695dd79a91536dec6a4ea59ab906e767335c6fcb3f49a7

SHA512
23b4391e95c56d160f6ef8edd74dd1604a4ff6e2f684c0d70292b6c9e71f8a551bb6ddf0edd571c29124580f9ba8187e972fa2da12b959cdf94281615a8b293d

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2680-43-0x000000005F240000-0x000000005F2D8000-memory.dmp

Filesize
608KB

Download
memory/2680-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2680-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2680-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2680-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2680-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2680-44-0x0000000001050000-0x0000000002905000-memory.dmp

Filesize
24.7MB

Download
memory/2680-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2680-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2680-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2680-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2680-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2680-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2680-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2680-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2680-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3952-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4768-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4768-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download