73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21/02/2024, 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3252	b2e.exe
2628	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2628	cpuminer-sse2.exe
2628	cpuminer-sse2.exe
2628	cpuminer-sse2.exe
2628	cpuminer-sse2.exe
2628	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4772-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 3252	4772	batexe.exe	73
PID 4772 wrote to memory of 3252	4772	batexe.exe	73
PID 4772 wrote to memory of 3252	4772	batexe.exe	73
PID 3252 wrote to memory of 2228	3252	b2e.exe	74
PID 3252 wrote to memory of 2228	3252	b2e.exe	74
PID 3252 wrote to memory of 2228	3252	b2e.exe	74
PID 2228 wrote to memory of 2628	2228	cmd.exe	77
PID 2228 wrote to memory of 2628	2228	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Users\Admin\AppData\Local\Temp\9839.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9839.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9839.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9CEC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9839.tmp\b2e.exe

Filesize
5.9MB

MD5
8e3fc7c0328f4c68ac0ac035dfacbe67

SHA1
7cdc965850bc2039442f087913b5f350337cb50d

SHA256
ebc39bfd7c88d6d5e678da2ef352139c3b18ead29a4e73dbf3b8bacbaaadd202

SHA512
794c120bd6ad60829077231ecc5690d1bf777dd08166cc9061055a205e2e7ca7425daeaf8e0778eb4e7690c34451877d0982db17dff85dc079a34ad675ce058b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9839.tmp\b2e.exe

Filesize
3.6MB

MD5
9e1287665b531d2a80a0f91b14f444a8

SHA1
7cab47b98bce796b6069444303defc58943b3469

SHA256
48cce5b57638339cb4d878b1636697ca972c206b40c11c59b376ed87d44d4779

SHA512
b04f0c93744143a85186f86b019d2dac1400efcef536dba6fea714fd9fcce3dc5fcb615c84495bff4e0bd560a69101848f24ee81cf8a4b6b5d15a6db50fad5e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9CEC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
514KB

MD5
9474444a3b08304b7b855bacbe9fae5f

SHA1
7615b130feddb5231a2dba38118b89d40b90a5b9

SHA256
ad88e65482c9ee776c98b53540fc4e361207d84b661b68561e8eccb43b580fce

SHA512
056a41f8a8bde416db877e3ed2d421c08e089aa9281b73d9b4cef9348fe2becb36d5ed0a8052a069e21f29f1d611e353b5f7bce274d5931788e032a6d1ba5eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
509KB

MD5
c127bb45fd46f65079c93e402a3d2eb2

SHA1
76121cf3b61a723dc17f4909755e219dc3b7d9f6

SHA256
8d95807ac1261ef5c2eeb84cfe70c0e5779beeaf883132df498fce53f30b279a

SHA512
83f91964066796d8c7415310d480fb72ccbb2b57f0398313576cf3f57a65b0a617d1191e52eb573cd58f0df10613f28c94bef60a838abe3502307bb8a3bad20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
395KB

MD5
713ddcdb1da3c940a8df84eb4cf63bea

SHA1
b6099a12c279703d1b5b646d938e704406ab3ad7

SHA256
2218012b2a62ef35303f6268892b010b9740741f7e88c20a6dbda8199705c7b5

SHA512
867ad0c8bfced3c1bd067c87f75c7c2531ad0a1122e97a7a79e5a4aa4fbd7a82f49a64d0de6d3e37c94410ea74bc2b176b8790d509cf758b2599f88300c232b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
335KB

MD5
12dec28577bf127c0fd5cd9fb41f6f13

SHA1
7ea5da57d95dea8c073823d5530a7fcf7a0a8f31

SHA256
33d5e8aeb326b21f3bb5a20c8d4ee304a19d07e817e7c79edfe9c9db27ea5505

SHA512
14ec05a00e9d9352c6205e96fe8d91eebb824178ed94b6122a2a524fdc0d1a39f640cc5892fe89e1cbc847845087756caecbd1537e3bbe881a897123dd7dbfdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
557KB

MD5
d77b37f5a04b5110fab98f3c43c3c124

SHA1
bbe98b0633689f800acddd2a87fd092d4150ff92

SHA256
b67de605a08fb171ca4f3563028e0b6346f96a37a52298fb284cd67fa930a4fe

SHA512
0d7d003f5089f13e8fb316e117f561b25176813f6149977967a135597c8ecbceb14f7602cd0da09def2bf8423f0ef668e457a5de1d300c932309cdb48ab7b25c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
231KB

MD5
a3d45ac42815b677866bae9435c37f2a

SHA1
996185dafb825becf34446f2b1e7155236889075

SHA256
9d37f7bd4fe9833bdaae07604d63f2989635fd7eff1e440821f9ad8b3fc6cc75

SHA512
f54a5133dc76b4ff1a7af2488bb5c40ccce8e0ed6dfa7e8de595b1003a9227a6a0e41634b2aea0c2b98b43f39eef8564203e87b7255afcfe63ec5e8e21100cc3

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
277KB

MD5
87fd99659084555a89d67e626b796c98

SHA1
1279ded23635839c1e07bf4e0617a9c44825aea7

SHA256
ef91d41b3e2cdfac64b3aa3bdd7b9caf6f00b907897eb42d77da3adcd08dbbda

SHA512
42e127e726f062aac6e420193aec18ff9dab87ced432f960f275b8e78b3b137564a54dba11e2e53950f3b98330f810f505100b4fed7709d8c153643649c9ea6a

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
199KB

MD5
57daa5e36008cd77d6768875ed223bcf

SHA1
b834561ef8a4d9094b1289db453fc5bf46bd0584

SHA256
a18542508a8e0884dbbe2cbf61474e18a7f281f85150afd01503c687f96eb786

SHA512
8c7f543eb052794f4af145f875e93f7834416720e4b969274c6827df9bd66f4499c961cdac4a74006604ce9d5d00fbdc5c51fabd6b47389d54b32a8a6d9009fb

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
154KB

MD5
db8f0e68e2af25c5c93a0ae15fea3f47

SHA1
6ad9140bd3e8d2b5a7753c8ce9c0cab9da8c559b

SHA256
fde85d2a4f48165036f8c1f3a1be7c5c26f97662ab891ddd273206060c677441

SHA512
c03dfe6d334ad2e034a48bd5c81fc3f7d94d4b144bc4ea07e5b0a71783e84312ca13142ada04fb02cc577a55b1c41f5615a9ad3b0faf22a1cc8d5014bf61ec63

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
189KB

MD5
95262a985aee66eee1e5fe0c185208cb

SHA1
8f66d63b54df68a47c28dcf93d1c83f85ae80ac2

SHA256
bda574846ad45c06e50809db7fdfed4ae6cd4baa55f5088d189d0e95e78b8c06

SHA512
f3294bac4c2455325ce211ea040b332470328d954a9e58193a39693dbf9522f449e3e381dab944c8b6e1644a247923e04efc7d58b8722dec52a20fdc2efeb1a5

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
194KB

MD5
5e54d6e269479cf6d43c5be43ca96214

SHA1
16eca6b42de0b227fb523f035e82180cd1c647cf

SHA256
c0a698dda72c8a62969dc88723bb3510e31f616d1409a2cd9f979cffcfbebda4

SHA512
594c9948d95624d64583bad609bafc7cfd6b30d39bb30455ba759f24d76f018a2913ee79328d8fb8ee0c66f5028a4ee840852b60bc89d9a0b00b450a069effa0

Download Submit
memory/2628-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2628-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2628-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2628-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2628-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2628-43-0x00000000724C0000-0x0000000072558000-memory.dmp

Filesize
608KB

Download
memory/2628-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2628-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2628-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2628-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2628-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2628-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2628-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2628-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3252-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3252-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4772-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download