73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21-02-2024 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3372	b2e.exe
5096	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5096	cpuminer-sse2.exe
5096	cpuminer-sse2.exe
5096	cpuminer-sse2.exe
5096	cpuminer-sse2.exe
5096	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2876-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 3372	2876	batexe.exe	74
PID 2876 wrote to memory of 3372	2876	batexe.exe	74
PID 2876 wrote to memory of 3372	2876	batexe.exe	74
PID 3372 wrote to memory of 1836	3372	b2e.exe	75
PID 3372 wrote to memory of 1836	3372	b2e.exe	75
PID 3372 wrote to memory of 1836	3372	b2e.exe	75
PID 1836 wrote to memory of 5096	1836	cmd.exe	78
PID 1836 wrote to memory of 5096	1836	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\9981.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9981.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9981.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9B36.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9981.tmp\b2e.exe

Filesize
10.1MB

MD5
0bb027e79fd3a3a15231fc456af0996d

SHA1
76bbfdeb6472a8dd30c672043c58a4c9c74062fd

SHA256
ab1029dc04f8c8125f4fe23a1a12ee4ea0812d4ceb2aebab13907ffc2791e693

SHA512
1409bea5af0220f3462be616afe8dd5849e945fedcbeb738d70e60820ac04f9df1215717d65bd84c3beeeb560447eefdd43743e1792e6709d726d645979146b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9981.tmp\b2e.exe

Filesize
12.7MB

MD5
9b9f582d50b55bfe99f9e47cc712cfff

SHA1
65ae5afc6f875c854c21a9a531f46b28c6ab4555

SHA256
2bdf69a46da83947ec182681c954a5201ecec4ff06371ba93d1ab616329ce0e4

SHA512
c56144bdf9f45a78f773e844e8415e2424f899e10516f9edb65b4eaf9c2e4bad24b66082c5d519442fb388fb6dd9da1ff08bf25e958367735c2529bf4ecb428e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B36.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
832KB

MD5
43dd8ab1a0fd7f177db516faa81a9635

SHA1
66a8b6940797f3396a4f1a6deafca1fda5bffcdd

SHA256
d4b58fa7e09511b58f312b57e2067823a7f31ff5cd6369cbf5ef3667c27b60ea

SHA512
064753e38fb6e2d64a8ce067a52c24b55eb11cf714a534f3557a0e2bd2f5fba16030d8496c7787f4b272ae6a696f4b017d99771488832d12711a7158c927f772

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.6MB

MD5
51a57c612d315cd4202df8e75c1013da

SHA1
e58bc6db0f4c9dd680e300cdc660210316ebcf19

SHA256
7652861f498ad81f347beb2197d0ecd193ddf5645d018e533e840c0765b22b8f

SHA512
cb9b55ca097de0bbec9360f7450cceee0d7c307feb81f59ef0b6caada1cf2862d494a52e3c8eb33a8d894be076298433dbe83ff936feea953c560accfcadb675

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
832KB

MD5
9b527cc7775e3fefc75ebd6cf497b81b

SHA1
7405b4528854589bc404f55c0e591d2e534d8d63

SHA256
eb4270d5203fe07ee63a7161093d69577ada5ad4ca659a6181d63953a69bca72

SHA512
6471f61ebc78e6ab30cce7cb444c582a8a24cbcbff1a8cc3d22d20d299d53c6377127e76bcc2a1e2c9108cd65d6fb89d42ddf89b04140c8e225f5115984a4b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
68359ef53ff86ff50c8e6256d0593d50

SHA1
4267ab22202b6a0fdd31506082dbd91f8f276e9b

SHA256
448b2a19e60e06bc0a90a228193021f8fb8bdb77098b70f267fa8fb403ace80f

SHA512
6c1f4be78191e76c4deddebb97c58326b8c03ad4af5d69fcd7a5db6e7253a9355d248fb08d53ae3ae4a5dc5ac08b23de807c5999c2eb903ffe5852e6217e4470

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
89e8278b8485a299cd9dd900f7ed572f

SHA1
d6f764d1d98c9970428e4c8666b0577a27e24499

SHA256
6d2277a07639b4960bfbf03d1b81623ff5ca7323dda87fe1e2aabdda6be4f7d3

SHA512
4f3fd13c2adae5cd61fd906f9ee81585692c794b68b4f886b2530a1e759e0854e4ef28f3e881f3c4552b60565003e0e5025be57f131d70b6c392e1041e5fff40

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
640KB

MD5
1bff0defeeb9f4bc5cf01e916a8d1379

SHA1
bdb668928be0a339e01e3aeeac813fd26b44b950

SHA256
d7f49e1dd346940049b753b856759608013f611624432c7ea57b0872239d35c0

SHA512
edb3e22bb4d6f3376d73ccd538a61292c5a086fc8ef9b8038b663c93d9ec991bdca297e3c6febb9d18fd16f5304e4fa532d603c68739598f4b65af320ffb3878

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
833KB

MD5
5d2fe1c2df7ff70d606e691587169e47

SHA1
89668531e37a9cfdb5bf8a354d89df9e283d3179

SHA256
79a91c80442526fe3f8b1ccfbda87bfa4da6ddc6944fdaa5dc699b7b629fcc93

SHA512
f6d626f5196bef03cf997df7b7737fc3e411ecb509d904d1bfe111df6d1ce7b18901ed0a6077b0bd58962afd46e89537f15e2173f143f45856c6c96041d46ae0

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
641KB

MD5
4d1902e0a5a030ca3c2243ef2db428ea

SHA1
b11091156e3bf657a4b809176e43c86927edd6a9

SHA256
8aca7253c1614cf4a174f18da7ff5d04f6c61f8fce069a6013ad288ea37aac42

SHA512
a341cb5acf319de5f2d0ca8a7f5727fd32cdf0547993eaf56c0ac0e78ff52b13fe11ddb2f47834ddae7143dc8a48a6fadb9ca6287755ee5080b849187a3bb9a6

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2876-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3372-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3372-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5096-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5096-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5096-43-0x000000006B2E0000-0x000000006B378000-memory.dmp

Filesize
608KB

Download
memory/5096-44-0x0000000001010000-0x00000000028C5000-memory.dmp

Filesize
24.7MB

Download
memory/5096-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5096-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5096-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5096-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5096-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5096-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5096-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5096-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5096-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5096-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download