73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
302s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21/02/2024, 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3060	b2e.exe
1568	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe
1568	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3912-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 3060	3912	batexe.exe	72
PID 3912 wrote to memory of 3060	3912	batexe.exe	72
PID 3912 wrote to memory of 3060	3912	batexe.exe	72
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 3060 wrote to memory of 2336	3060	b2e.exe	73
PID 2336 wrote to memory of 1568	2336	cmd.exe	76
PID 2336 wrote to memory of 1568	2336	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Users\Admin\AppData\Local\Temp\D88.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\D88.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\D88.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1306.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1306.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D88.tmp\b2e.exe

Filesize
1.7MB

MD5
4eb41c99441f5ceac6b5c8ad06071f97

SHA1
e576c647c0e02075973beeab4e4d16ff94bfbaee

SHA256
2094d1a8d31a9b07b3664609f5248db0ce66d9904a569321a045a0d50d6ef5a3

SHA512
b60cc3d4cd3922b61c0da829a7d1286273b64f76e0b56c294ab1242b1097031a32f71e33e6fc319264e410d113906bdd5885c63486a7551827051ff41726999c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D88.tmp\b2e.exe

Filesize
3.1MB

MD5
3669b4ed86e66a1075baa13cb478904a

SHA1
f80d864d7a515303bb88c310d63ad3c4b5c0f59d

SHA256
5fef94852e676d7e8a30485bb94124a5970ea4587cf75d5084d8e68a9000de9e

SHA512
814963a0871539d4a1cfc03309b89fb2e251f50128588386fbffebc7d1c9a3c87f5633a1ffa154b0e0875ee6ea400588a67e4e34ee3e171690af6c479f3631f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
783KB

MD5
f46316c0f8fba5fb45e238f9428d3bcd

SHA1
597d2139c03c6f9ab1b2d6d6eb336ef5b1d2dbdb

SHA256
b06212a2264e720a43b0883bbcd6a55f58b8229dc7966d00039b0641edb477ca

SHA512
00a3cf7bd22de23459f15ce6b523d6af6200f560211417c0922335b861c2ee5549738be3d73b3da9aa3b5924081f93fae8c1fde65fe73bebe80540bb6b2f9ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
645KB

MD5
8e8fc7d610896af2982e45d31702f9ac

SHA1
d14906165ed4d11bda4016ce8884fae7a833870c

SHA256
241cc08a2dace198f30bfb72e0eff4519314785270eeeb5c782ae6b4a3514fae

SHA512
7d14d471849e4fff12f8f6be4ce643065c281b07e805e804e6d9e43e60d2f479de1989e6a046350fb53c1a8ab52f9230ea472b559da3d29cf07f9e942eb95a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
375KB

MD5
fb1b36d54acc1e1d27e8d8e7b1594f5d

SHA1
31ef414445f5a5d804da8d3629ef100a08839dd6

SHA256
5af9b320e09e7a02838466d6aba3f53555a247a38c2b73dfcee1ae395fe38701

SHA512
0868470d5f022e14f2e7a62e082388eab5f1a0e3de55870711c2c4f7c9a1e6b2de3491da2237e4250fbac63531777550ea532a3101d7d8b6119eda4f6a022d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
423KB

MD5
e8fe4ea81e7e49c50a6c73513c2faae7

SHA1
30525812bedc1ba3f69f0b0c51e1a433ece78124

SHA256
849536b4184adde9be7fdc1bb2c2dba4d0f7873e4cd1ff12e603cb97826e34aa

SHA512
f67e6497b2fef413f9331d877d1620a8f636295656019d461732c4d159b73f6906fb81f5a3cfa40ed92b35ab5e485af3bdc2e210d33a2bc244d2a974cff05312

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
647KB

MD5
3352d243a79689164e5944682575c8dc

SHA1
b7562401ab69392d58fd36386c2132bac554bf5b

SHA256
03a218d5d4b5f12aac9a59b19e08b7ee72ee468324f686f6fc2f8542dcb6e385

SHA512
e3bca648a0097a21d8a2cf16072c015c7528fe48140348c1b89be59fe57b4636d365f34f9fb95119c12b30f72c06e218b95729a5ea6c2514c6297d3777935dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
481KB

MD5
d440a06dd731ed67644bf90802099ded

SHA1
ce28bc8afad43fc5ca8a5585425f2cbd3b12237c

SHA256
d88b4e3fe5de01fcb6d80f788e50f34c96386c24aa857840cdd9455432c122c0

SHA512
29f89376ff19d6b1a0c5dfe67e28332d3125c303d202c8a6988a1140705613baa17cc7a2020eea758cab504d5acbb0685bb0bdbe63296166367f608735d007f3

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
517KB

MD5
b03ab11334a6a8b10e93711fc5fdd4c8

SHA1
62021fc9afc115d2f86234bb4a4774bb2524c677

SHA256
4c649398fd09ffb71ca5dfd51245d302cb43e76839cafab45269c9c8d4a46e55

SHA512
f76009e314c58d08fa3aac51947829f5b43ea02dc967dab11b47e6e543f2ff2cbb8a08b2cf232993458d87002e4efb98544edb7066d37d4ba127b1e10235115a

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
488KB

MD5
7b8442d599e379c24977f02b4d72b84b

SHA1
a923e848fabd12ac38e001e4546ebf89048d7105

SHA256
0ec6c26f9ed5e39e1a5033ea2599efcc3cf69edb0ab11aa30b2cbe41360c2861

SHA512
fe1a68d4ff46fe758f064540f74b46847b9ae15d06ab7afc72da5ccfac2378c5913586736da8367710f0c8bb463b38b8ef33c88f1ebaba9ff50e0341feaa2083

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
569KB

MD5
d05fb83a6f9604f1afea0c6d7f505144

SHA1
23ef5d9add3b6a08408e1a941ce6b7153d730b6c

SHA256
ecd1969a67e064e932f2585abe9576412be3669e96418775fc0747e5d927c66b

SHA512
9ede23f717eed427d09f9191f2ee84aad31a09d81f58b8c39915c6f2d61218e039f6d3e5df331675293a3f3ad4f1e30a465d564f2ed0a2ae880ec5b396851cb7

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
732KB

MD5
c2ad6cd2631999cf229acee6e7cefad9

SHA1
fd2b91223c2a296ce2388bce8cc215779cfb71ae

SHA256
4e958a2d71d03a072e8de134cc297fd4c7b00ffe42eab44fe62e4ae845b09dc4

SHA512
d5c2040ff0a8e8aa9878555efd87d169dd56824b808d745aac9ab49c90b7bf656c575958e464c017f8e164f97752d87ece2c6c84795bca12346a967f7dc22d07

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
447KB

MD5
23f08708fb855c154645b8a20804eda3

SHA1
af60be4dbc98a9e484a168173f09b34f6414799f

SHA256
a007a44c74ad33a9460510bee510dde9c788c59be09d20dddcad15c411183c3f

SHA512
80ae0e5cfe5e1e95593adfd22b1fbfeb92e7c6c69b33ee6bae9ee4fd908f1981164385525ee8fc43565ca0df6e94867336361006341c1eb18392857924252cbd

Download Submit
memory/1568-43-0x0000000074E60000-0x0000000074EF8000-memory.dmp

Filesize
608KB

Download
memory/1568-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1568-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1568-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-44-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/1568-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1568-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3060-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3060-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3912-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download