73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21/02/2024, 17:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2984	b2e.exe
2884	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2884	cpuminer-sse2.exe
2884	cpuminer-sse2.exe
2884	cpuminer-sse2.exe
2884	cpuminer-sse2.exe
2884	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4816-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 2984	4816	batexe.exe	75
PID 4816 wrote to memory of 2984	4816	batexe.exe	75
PID 4816 wrote to memory of 2984	4816	batexe.exe	75
PID 2984 wrote to memory of 4152	2984	b2e.exe	76
PID 2984 wrote to memory of 4152	2984	b2e.exe	76
PID 2984 wrote to memory of 4152	2984	b2e.exe	76
PID 4152 wrote to memory of 2884	4152	cmd.exe	79
PID 4152 wrote to memory of 2884	4152	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Local\Temp\1B15.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1B15.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1B15.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2074.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4152
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1B15.tmp\b2e.exe

Filesize
140KB

MD5
1790b0e61acd664fe081c22625bac900

SHA1
07eaeb9065987715ed58e0050d5065029a419356

SHA256
b77582f628241cf27684d442c9b18e556139b49bb3b9025760b4e74f9e822e84

SHA512
ff203045d2035d08af815481f78549548570cc93b8555b3357b822201dfd2812aff9d9118ee4bd04cf4b14ab47f7940ddca55929a11635961017d562d8f2c9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B15.tmp\b2e.exe

Filesize
91KB

MD5
5fc3f00660f6c6a317b9f51681c54e6a

SHA1
9ce6a5b2413cfc22e4abdb4e3546c19d74aa4607

SHA256
ae02ba1cb4a3a3097b095b3eaab3fb68e3d86ffe3fae830706b1f66460ea304b

SHA512
449ea9e7fc9321f869c7b27594ef03be561fd57134e0df414fb1c9db0c0bc2205ce3d1d18a41620272ecd5fb0d390ab14112d813c797d948453107bffa65c334

Download Submit
C:\Users\Admin\AppData\Local\Temp\2074.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
592KB

MD5
ea83236d657070255b64e6f21ff34d8d

SHA1
03e29cd05a8df4561d4297232bed021d8cc62c84

SHA256
23db7ca557b15e491da2ba597a67e3717710522cadfd9a68b58beacfb3e7d2c7

SHA512
b72f8fd14f8357a5d5680f48a61b0c588012b90a45ecc2f573a340b26db13fb1537a124dd2a4771d63d5e41942521e105eb194ccd96ef3977591daad388de57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
734KB

MD5
eb1c994845cd3d46e3c8b886b8efe030

SHA1
a4204c88200b51a3297cb944cdf6872ba644684a

SHA256
c4fdd3b695d7dc35a842f8305a036d6ba6070abc8630d0c183979de5fefcdaa1

SHA512
b4a3ccab6d80e0bb6488fa84c076047943ee6aae63504b9311daf886bee1120e1c8fdddd95725f32b3fe272b9042177af82a5c4faca9bc9b701f43eda4f2b06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
377KB

MD5
6b290dbb5d6b89ade7ab24afb7397626

SHA1
e8371d0d1003619ef2075439758377d3d4172425

SHA256
1aac04d7ae2253375e8fc063f5b44be965df2c19614098eb1b8c0bc62c512445

SHA512
b5c61e2288369391a5a64dd7a6cf42b116abef0883ca3d40ad8a4f7027b9883ff7c9740b9b53dafbb8b7628e613d00450f63dc2ab1c5a2dd2705004a3017f575

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
669KB

MD5
739ae6ce04ee859c0da77ccd085cf6f9

SHA1
598edd492af5c86674c8c2efc803ec9c65c293b4

SHA256
e43edaddd51220da176130053d97cda53331dd600a781800ee721e2eb403305d

SHA512
499e88e0ba7c4fc54d28b3a2b8700b22ed1e3a32a5b7399ce18e1b87680f091e7381556c1557b50b51e0cc0fcefbd073f493c5187aef51018d1b8f7cbbd32718

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
287KB

MD5
3ba8d2f5f61fd14d03c982a565716680

SHA1
eda6f0abaaa1b54b5939e237d63f0ec00a6080f0

SHA256
58537e4c7ed38904e71936d220e256de506e4d9b8defde9b518de4ccaa91687b

SHA512
8634e75146c969f579cf4970d2d907feeab39007e1fa438f3d0d1c4cacb7b87d28d9312320bb2a80821da77455bcef730a54eef33a6405e29d58e03738aabcfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
482KB

MD5
f593a259f1ad147dabe08748f29d2f7b

SHA1
588eb9ceb3c1dc5cade0d8dfcb6fa04ca6dd0d48

SHA256
9175263c2ae16e60ff76b157d28ff97260b7762b2a9989550622cd4f0a3e351a

SHA512
297a53f28fcac15119e0094b72fab7eaedafe90c933bee75b0dcb308e62913090cb5506f87b06c4c0f69466d8f3127eebbe663ab7c401987a3ea065fc7053960

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
599KB

MD5
8102f755929d722c602ae3d49f253813

SHA1
488e20dcf6bd61c4db2ffc29f2a3d6694f90656e

SHA256
431697be4f5dd4fa043660fe84d2ff5db08c0faa819782a31b63437d2de67347

SHA512
ec3dde6547edad382529899940259cfec949bca66b85cd9d24aea6fe3dd905d08879d8c5d87f052aa1c7528f86a55d6c24c4c91a2d8e072fb4fd042a83fe88a6

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
634KB

MD5
700f6aca0cb1a9271ddd836205f67102

SHA1
2599ae5991d221f4fd00719e43e9681babb8f9e6

SHA256
95b4cb20071b6c06e3871ba809d477f05877c7111e990d7b9b4a064a43d1979e

SHA512
ed731e728e629c8fce7bb2f42e4ea92ea98e4fd4a8cac3cdb4bdade4bffe33ad0cfa05245f2ad4ca766cd22814e5eed83ce087762db91bc5feec6289a216b330

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
544KB

MD5
78d11fee1fd9a1b1d2c1f12988f40aab

SHA1
a45c2e45b76e0796d327063d834c4babeeff3d16

SHA256
417327137953c16171e9b1f7888743caf3ce0306a2b9cd69ce6f822675e17d46

SHA512
9d3a7f63f47478efc04681f8e7e1a55413b33c19b03e7e8ac05e50f322a793794534e4e16aa73f99cbeb17359a4b8d8bf4886e7b12ea8f69b981d2024b07167a

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
684KB

MD5
8a3c7f0f2388144247bcd098e23758b6

SHA1
d359c7709e82aad5d245ff7454bea5141f83b4f1

SHA256
253931dbef766d1da3f944f82631117f408514e62ac63f187d3f5af6b8aaff3b

SHA512
a5d90454b0f39af18c140fdf90366c4f97c6cc10207e72f277c5ac92afea929df49ce806244a0daa6ddbc21434dd124328fb9c11b0063726b14338d833416109

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
420KB

MD5
8afe70a6a3ef913a3bfb0327b99929ff

SHA1
4882f2bce37e60f04c0a4fb35902ef76a2c4aec0

SHA256
8b7042b378b8f6fb899072512d80532f66e424a5d2ff7d9120d43864f0975148

SHA512
9c2c3f2aa3a37b382fa9316fbbf3d44cc566a561afcc686587f27413abc83f6b1fa4e47a28bcb313254793cec4cd099908a1660972fd3a79ffd6d7543fc9e42a

Download Submit
memory/2884-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2884-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2884-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2884-43-0x0000000061DB0000-0x0000000061E48000-memory.dmp

Filesize
608KB

Download
memory/2884-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2884-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2884-44-0x0000000001050000-0x0000000002905000-memory.dmp

Filesize
24.7MB

Download
memory/2884-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2884-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2884-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2884-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2884-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2884-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2884-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2984-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2984-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4816-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download