73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21/02/2024, 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2884	b2e.exe
2868	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2868	cpuminer-sse2.exe
2868	cpuminer-sse2.exe
2868	cpuminer-sse2.exe
2868	cpuminer-sse2.exe
2868	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4888-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 2884	4888	batexe.exe	73
PID 4888 wrote to memory of 2884	4888	batexe.exe	73
PID 4888 wrote to memory of 2884	4888	batexe.exe	73
PID 2884 wrote to memory of 4524	2884	b2e.exe	74
PID 2884 wrote to memory of 4524	2884	b2e.exe	74
PID 2884 wrote to memory of 4524	2884	b2e.exe	74
PID 4524 wrote to memory of 2868	4524	cmd.exe	77
PID 4524 wrote to memory of 2868	4524	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Local\Temp\AE12.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\AE12.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\AE12.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B258.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AE12.tmp\b2e.exe

Filesize
1.8MB

MD5
f51fe7ed64e17eb639e2b77a503596fc

SHA1
9de36c8a5bd8a21c006aabe8c222294852a802f1

SHA256
706fdab761081f7c0cbe20066009c226b25636178215be354891409ae09eecc7

SHA512
ffd4c6f3d081da80edc1bdcc52052d9965c854f7f4fe83e655da803a0fc5f9c261219ec8e12b45ba432cec0d740d314e2be5700a592e581b9f057bccfe516fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE12.tmp\b2e.exe

Filesize
1.8MB

MD5
fed226671f9daab029aaea0c1bf6c527

SHA1
bacded51e7bf4d82a756351748d561b93e5d56ba

SHA256
e7bed9d6ba6c3e79ef43fb8bf34f6748645e87d47c743fc8ead2ad2003a41304

SHA512
d25d032e623e053e35bf23ba71a5432f3ac3b31eeaf9810352d0561d05e8335837ed0afee8cc0008fb1915646912ca08f134ef9e4aac9170aa63d6a254b57fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\B258.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.2MB

MD5
fedb45c33b855f69f17d7d3236a59ceb

SHA1
74b11012c1b38f5630764ba3bd1a4c5bab1ea89f

SHA256
0154b97f14f5568277b6b648d656e0c0390171dd5d91866cc28b7d74bfe81efa

SHA512
e7d986ef6a431b509fe1173a25a3df52ef97f52156be4abce18204fd578233e0d09e7a6e7a2ccb46dd1cf4c73a7cfb1d95f1c126a32dd60a1fdbcb785067b820

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
768KB

MD5
7511ee8c66d17030a4f24226caa425c7

SHA1
aa5bb6b2306f01ac82133f54ec36ca2491fb1911

SHA256
e9ad1acfa96a3be152713809498617dacb74878ed3ac3ed4e5b1455cf1fa5ac5

SHA512
4838197b397552aa7c22ca54d27ec420df0629689e111c40068480f5e37879bfbc89c84245ae8b0a6b4a16ee7d75197403153151eccbbe468b252f508e8466ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
576KB

MD5
bfba8ef054be5bee0da072ed080beac4

SHA1
090e6e60a6f0f1e351978e91b99e8dce8e63413f

SHA256
81f3865864af4f5ae909e3cb60ec0e0fd028e37909315b0e3de8663a34391be4

SHA512
85a8d0b74341c10b3563209566415727a1d1503433908c26c3e861592c397a66afe3cc25bcb31119ec64e15fa078db361bc308474de1ec3f1a8c367d37c622b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
640KB

MD5
1bff0defeeb9f4bc5cf01e916a8d1379

SHA1
bdb668928be0a339e01e3aeeac813fd26b44b950

SHA256
d7f49e1dd346940049b753b856759608013f611624432c7ea57b0872239d35c0

SHA512
edb3e22bb4d6f3376d73ccd538a61292c5a086fc8ef9b8038b663c93d9ec991bdca297e3c6febb9d18fd16f5304e4fa532d603c68739598f4b65af320ffb3878

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
576KB

MD5
13746f79a51eb8ce3107de99ffc6b56a

SHA1
64a00c99a805f8775f08cda4e4d06e1150195347

SHA256
2c04d5960f13e859d49c78a8858bdcb0c53914306eba52746105a76d98f5d205

SHA512
d0e69c6cf0078c858e8258a4038098e644d611b544b6588b2b1c9d2d2937ade0472edc96257545f5935514bfa18970f5762eb393def612c5a7027727397ca8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
448KB

MD5
9d1a04f05f75671a5a3ffeb995176c52

SHA1
a45018bb6a5dd52b310c1eb77262354365925a76

SHA256
c777e9d786f5d1d13f78a925453804bf53ee430a38f893f115c2d1ac0f2f07ff

SHA512
d19ea63c26c1d41edd5947d0c5ae70e2461c876563c2baeb1fd4a3986254f7919f8d4c32a9d6b9f4c51c4d5a23ffa90a2011d293a106a0a8813295b2bee06e1f

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
512KB

MD5
a5993c0dd7587f1716037dcfe1f63091

SHA1
9a4d23ce36f5fc5791692b47d977c0bf92842879

SHA256
568cec1e1bdccf401232a78c8ecf2081fdaea221f0a7c777a69ec61307cca3e3

SHA512
c5457590162dc1a0fd6b179ba94f19e6265e2ca226ea1ec553358f568690bbc158335ee92c297ce699b2928d44702733269f82640d86bb499c1981a5903afc12

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
512KB

MD5
6162b21c54b88c5c990e82aee951ebb4

SHA1
477384ab8ebe5f5a5d5a91603736d9ef53c12fd4

SHA256
462eb68967c7205145d0b92e4f3b69297f616187b07a189178f35f288063aff4

SHA512
6264ee49c4b8a6eaa69241e10ff9ab39445f85a57b756b8bc0530b45d77827d05e669dc06b689d4693db34e4161ef11b2cfe6f1954b0b90bcd434e81a938a40d

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
12.8MB

MD5
0705f8f428132532187fa72948f5a803

SHA1
0a72c0278b0604b16ba9446b50ea149346a6d736

SHA256
5ff8d87005a5202c5d8ec5ce1841a7a8b75add5dcab3a1a069bc2bfbb8e59e80

SHA512
eb79a2c1ea2d4aa96f87ca3b7cab6c819711b2eb8f52770ff0ceb39b499639832c5bd813aab0047fad660fd6004d6ce779a6c2000a7bc4af913f314353715a27

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
12.2MB

MD5
860b792c843daf70002c849146d3775f

SHA1
b938ce9644cc076a0967199b490f6bfab4061cd9

SHA256
422b99eec32e98210b89383df1120c9d2c095d7e1ab8651d60289b1c474adcfb

SHA512
a07d5cd18b87f5180c9ea4c9d9955456af62f7bf333247799cbf5bf62859f9b0e1b8f4e61bd582e4bedac811f97c12a59d0aaf0859e34cdae28a1368e157cbc2

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
384KB

MD5
eec15153c344f43f1919cb379b9ee2f9

SHA1
3e4a09390ac885ea2797209603bcfa1ec6ff0cc6

SHA256
4e4d7ecae87e8e656c61af89ef17146baf33fbf09ffbde6ae971d04e8e8f9222

SHA512
7cdf3552341d14979838f8fedf9ac63482152f193ab8f7e0af281ec50b2a43312d78c0e22e79989818c5041538fa69769350e1e6cf0789a165be1eb11ee29908

Download Submit
memory/2868-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2868-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2868-43-0x0000000072E40000-0x0000000072ED8000-memory.dmp

Filesize
608KB

Download
memory/2868-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2868-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2884-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2884-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4888-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download