73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21-02-2024 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3060	b2e.exe
1568	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3912-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 3060	3912	batexe.exe	72
PID 3912 wrote to memory of 3060	3912	batexe.exe	72
PID 3912 wrote to memory of 3060	3912	batexe.exe	72
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 2336 wrote to memory of 1568	2336	cmd.exe	76
PID 2336 wrote to memory of 1568	2336	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Users\Admin\AppData\Local\Temp\D78.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\D78.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\D78.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\12D7.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12D7.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D78.tmp\b2e.exe

Filesize
1.9MB

MD5
ff18590713cb07d81bf0ac11403644d5

SHA1
e64ef16737cc4f4eab8a9c671d41defcc73017e8

SHA256
6103f2b2b8714acc8fa54abc030303ce40dba9b025faa8cce465a381b518611f

SHA512
6693c7100d868afa9f9615627efa9815b7bf677367e585aff6c49db23bf5e630b2c58ca7abed6737cacac1b2b3dad9d5a8f309d0fc54512e8ade60bb11da69e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D78.tmp\b2e.exe

Filesize
1.9MB

MD5
5e9f4f915a07d939e46bb3adf1876765

SHA1
e8b9c7fba23c6d9211edb528c69238e12322f3d2

SHA256
23bbf612ed8847c57792841f2dde941bc99af5409ca40175017de8d18eb7dd86

SHA512
d8ef3afd9f2a94d68066dff10552a85c78d5a68eb60bf58963d23100a5def66b384df4fa0f25aa70b3a990f6b2cab84b44b3d90448439a461d49aae3299af0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
666KB

MD5
046e5cc65c6cc54d92e369cd4575e96d

SHA1
fc7358fe0f69e6962c9e89e6a6e905e97fa6e13f

SHA256
bb18ad6f4969168a8ea3ac614438b2c40e1fa1d1c1dee9ef7c1babd9ee72a294

SHA512
5c7f4045fadbaa99a9f90e0cb5c082291565353017a3aca0254603def874eb29352ff0c9bfbc5abe0617594afc8a7bf0690df19eaff0aa42ad2bf92ec7eb7e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
257KB

MD5
f172935ad95255727a26c1fdc0691c64

SHA1
a5ddbed250e18266a8996df18138f762d3161dd1

SHA256
f43a96680f7427d9abaaa0e04c7feac6e0222aa94cf4a889714182df89a6cdca

SHA512
1be3eec7a182ebf22d069d8d0608c4ac537efaa47b96fa333a60f6f01549460d96fd58db3d14f053a2cdc0b8c8576a0c3b33b108352fd81eb46087f2e32a566f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
668KB

MD5
aea912d42a6638d663efe64daa973dd7

SHA1
f11107129cc6dfeba24550bf6583fb5bf115f0de

SHA256
a97d752f74f9b78fbd6b9b4ba7ee5c0288f74a98d873add1fff2bccad9861afa

SHA512
466f9a2416286a092026a0fb3b5b9e8e8a302ed37ef7b07c45d6a52c06eafa4a188c95a641c8bde2c00349b32bf40f9ab28934d7aa77b6c7facbda1df21cf2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
526KB

MD5
b3f0d124bafb5f808571c0305ad0ac97

SHA1
c4675ff59f48d35b6ed911a5c43ceb62f87ec1f1

SHA256
d9a728c52df09d22e8cb1b8658409774195c5d5ba844beab1e4382a3ffa8e3ac

SHA512
214d3f81e8b180530549e743f152ed884f2479f874474eac1a73ef28cbbeecc06a5e3c4c505c0f3ebd5a6394cdb705f367e1e55cd9794a79d565bc4a4cec390d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
423KB

MD5
e1f615b6f576f12ed0c27cdab7b5a708

SHA1
836acb1a249cadf3ded0fc621b69d5dd7abdcb26

SHA256
8728e57c96b28f55ba61522103862ec050117d7699e37fe5100b4d837720075c

SHA512
527314e5c45e04c8b11fd60d847a48e97a51054b64bcaf605e6f9e26be3bec5ae1b549878f773e875789f916ddef51f743c2ae65b6d641c298fdd49ef13d9fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
550KB

MD5
9d83bab2c682892abe2adedf2fdfbd0d

SHA1
6fb06dd100d23bae3c2b7dc9c95c873ab03f64eb

SHA256
7d14d9039be7d8985a98ae183e3c2f205da79a17026f335c1ef066815c82bc74

SHA512
0eeee2b0edc7b6541eb3c68537acdaa14b4bd1880e6c441dc71c9ae259bf79710234a9589f74f28a42d04abe836b77dbce149fb0dff2c1ae5c73039ecd5b1d6a

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
566KB

MD5
7c3514862733a583ccf5d7217dad9ce8

SHA1
ec50e4449131a6d61ab981cf6eaff09bfff94203

SHA256
9ca9e0ddefe2647ffb895d5f12f041dafe5e77fa66f5582668315f0be92ac52d

SHA512
b1e492c485e0515aca84886c1a2f919cc0ca04320fb0f0c7f77c3b116d6e65657d1bd4234557eb3114cdabbb562ff9135c94fa3ad9778e8d7e59d0096062ff71

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
382KB

MD5
e07b171263f6c65f25314987c2ec4508

SHA1
7009de97ce0d9c42c493f5375abeb0fbbb2c3bcc

SHA256
0e0ea3f1161ec6fb96387bbae9bd737e7d17298c40e30c8ad2ff9f1376bef3f6

SHA512
10ffc27a9656667a071270ebc11450ec21490353bf5b34aae925800d74419b78ec773d12801908201b34fc591b63659227387a2c9e7c2f334129fc88e8769e97

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
513KB

MD5
749f39cdaffb09acadd08dbee4557ea7

SHA1
98b0f65a222635b51b5b5eec9d0f7d340a252dfc

SHA256
c6f2b9bd3eef6191f4fbdced1cee18f022ad095f21a2e8e0c15dc5d29e8a95eb

SHA512
f06e25435c03c55a35cedfc44ca0f29ca03b9c7be8d425d80e0277b068ddf6237c21945c9e6a43dc40865b94174cbc3e4dfeaddda8f04859eea903146f5084c1

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
580KB

MD5
a8330be785505c1ac030fd6fbc6e5e99

SHA1
f717a632abb0e49dcdd47328007f23aacd9b3961

SHA256
51810ef57ebdb9507c09609cd3ab9a72d56eb3ed49df414c2d27e0c516d2d73b

SHA512
7d82940caf84dcaff0a11b4d23d78a813489a3ac865d76f5d9298a4f3bb769d40facbbbc9b77db688207ca3eb11bfb7e54fdc656c3db2e86fc88190f7d00a571

Download Submit
memory/1568-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-43-0x0000000074E60000-0x0000000074EF8000-memory.dmp

Filesize
608KB

Download
memory/1568-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1568-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1568-44-0x00000000010B0000-0x0000000002965000-memory.dmp

Filesize
24.7MB

Download
memory/1568-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3060-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3060-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3912-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download