73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
308s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21/02/2024, 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4952	b2e.exe
2296	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2296	cpuminer-sse2.exe
2296	cpuminer-sse2.exe
2296	cpuminer-sse2.exe
2296	cpuminer-sse2.exe
2296	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4192-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 4952	4192	batexe.exe	74
PID 4192 wrote to memory of 4952	4192	batexe.exe	74
PID 4192 wrote to memory of 4952	4192	batexe.exe	74
PID 4952 wrote to memory of 4968	4952	b2e.exe	75
PID 4952 wrote to memory of 4968	4952	b2e.exe	75
PID 4952 wrote to memory of 4968	4952	b2e.exe	75
PID 4968 wrote to memory of 2296	4968	cmd.exe	78
PID 4968 wrote to memory of 2296	4968	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\22C5.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\22C5.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\22C5.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\28A1.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\22C5.tmp\b2e.exe

Filesize
1.1MB

MD5
fae79f121a9a661c9dde03f368b08dd6

SHA1
8afe4cf571b1cc1ef11dca887b5401930ce1f7ec

SHA256
332984afd04b7d40803b6cc96aad9b5b414a2646737ae13deb76a416707825e6

SHA512
b8b72d00dd90227433180d525a1a4fd0ca9a9c64a1c31514913469aff29d6f87a66204afeda846a898c263f328c5b57322e019fc295f2352a228d10446729d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\22C5.tmp\b2e.exe

Filesize
1.2MB

MD5
ba89d7ce3b6ddb727f340d5a001c035a

SHA1
8f119afb0458322f61c7c19c8c77f67d44200923

SHA256
34c0a47006c01188da43ec9e587adc136edc0f3b85e2489306a8b63df77ea01f

SHA512
4fa6ab7dad35a77cab36ef68ee8807ca473285ba146ef998d8c83e6157674f4d9ae1b56bcd2c0e6a2117f96a788ad4e0333aef537b1afb9e7380c4fb08b0f299

Download Submit
C:\Users\Admin\AppData\Local\Temp\28A1.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
269KB

MD5
26696a535d4314d2f2ff9fcf4762dc3d

SHA1
bc920a236159f636619efc91f5360e536ae54619

SHA256
e64586c984bdc913c9e1c1a5ae1483ff78b640e6845947e93235989c1b5afac9

SHA512
314285f9d994f56f59287ed736a33a1bb6432fddc817511d86ab6e4b7c95e122289937d378b082def7bd3df14963acb6c8415f66cced7cc72af930ce84158e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
527KB

MD5
df7e7e639f5f63325bceada545c55b41

SHA1
8da1eadebce79a6d1cd6e242a247642a0e9d04bd

SHA256
7e68ecdda3fef3d5484b9118e0e2e704ed39f00ac3b1d2828756a45120c6297b

SHA512
795432a177904875db6c3ec17a0099c3c3ac893708290e5de33b361922fe06479bc9e7f94f7950cdebd9013550684921902aab1cb27e996e822000fc522deb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
341KB

MD5
4e61af02605b844f062f11a380b1a6be

SHA1
4a0cb1a8dbb58d925370df3c4e9e2e595c84b61c

SHA256
48870f5a9070d4c91bf6c3acb836166a91fbc8d707a91ab7be30189887a70fac

SHA512
b950facdfad38e3053133cb0c24a46ee5c9680bd8b6f51d952f693d46cf6874deccfaaa921596d86208d06d6615de338e041cc291ccfab3d439f8a14cb97b3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
510KB

MD5
c317fe12c6dbb43951a7241f4648d1c0

SHA1
bef08bd5367c8f6a67c6afdbc482ea5030b3832f

SHA256
e5a55a79bdc4850957a6c2262f000c23612235c083ffadf029a0a16a8e98c295

SHA512
ef028063e9ff615905014f61a26525a262ce9198115ab64fa2907ec63ab43c5b25929fc74f7d785e0abbdf59dd17a93984b925d4cf0897b95d684f6c23e0620b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
456KB

MD5
dee42e9958c3a0270b4afbacf9d332e0

SHA1
02c6b5a28de882e9fbd56524d5d47c2a2b4513a0

SHA256
c6cbaa9bb81cdb908005f6b318038cfb36d70230fa86dea58e711787f766b419

SHA512
92155bcbef7c4c291d91f3de19994a36a026db26927ab34d558d274fdc2d4e8eeca27f0047be12759b7147f0bc1c2c4f4a5816464a6b708c8566c0a263cb3ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
408KB

MD5
4a0aa131dea1b10a44c6e04098eb4be5

SHA1
3747c48fa73d486d878b085605607a8ffc350a50

SHA256
204931cfc12b3f0fdaee62bf7db5244215c95d62b81245dfeba1c11b0b0aa095

SHA512
434db1537a92885caa1a268af1bdd5c4224f4259e9305e6680aad13ae62d11714c60a2e852ed1535d1c7afc18449aae33bca262eee7a07de3fbbebecdc3d7772

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
456KB

MD5
8ea04e357f0bcb17429d3bf3c7f61d5b

SHA1
6cd31ab011ba89b3d719e0a51466aa32411b3bfd

SHA256
afc71b1cb260ea24db6fd6a5c3acb452f50b90aafc6f64e2a858428100352ab6

SHA512
7ee7a9d4f619c098dc3c08faeede8af3f7a1cc9375dd1d87dbc5f9ab9a388414d5194c15ad73e8481213e89b46dea66ccc4950568ec4d129bcbb30714f2dd793

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
464KB

MD5
433cff28812962eac8501e6c0fd089f9

SHA1
bef6402f0a00916b191e1a3836804c5f001fdafc

SHA256
e8aa92ecbede9423a2303e500a938a332bb5890255f15182d6f16b4e9b3bc8bb

SHA512
a936b3be9a3eef3e51cfd58911b0276b6d83d478d1304473f8bc52b5e50e252b0c93ff7b7ff32f89be06c92419a4ac2a12e2ac64330e34751b26f949a0fe6895

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
272KB

MD5
1f211f4813216f7484b4e5b222ccb61f

SHA1
70aa331b5b0605eec7790ceaa4a8ea28dc790178

SHA256
cc172fddefdde545324ca4e4c22bb44ec715d759de7fd81971d248f7649e7838

SHA512
c20011c3c976626d4bdd7e907952f7517a683fd2b19bc1888aec9283762b7dc3017ae74bb306929bf1a4062e037d0bf6b7b92c76bdf4f47453f5c48b9dc090fc

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
375KB

MD5
c3a080f3375bd051b2249e87dacca8e0

SHA1
81135ef6b89ec47e00d8dca8d6dc94c91f47e754

SHA256
26e0ae1ccc17af000340d08748b25621e0b185264ea3f2539965996c29acaacb

SHA512
5a868db3231e62c3cadebac24e2a23bff0f894012272ad38bc2d46b42cb6adc3d6bdec54b3495d673d9087028c983520209f0e87f0c8b3d67b13b54bb853a23b

Download Submit
memory/2296-43-0x0000000050AE0000-0x0000000050B78000-memory.dmp

Filesize
608KB

Download
memory/2296-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2296-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2296-44-0x00000000010B0000-0x0000000002965000-memory.dmp

Filesize
24.7MB

Download
memory/2296-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2296-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4192-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4952-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4952-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download