73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21-02-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4172	b2e.exe
3372	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3372	cpuminer-sse2.exe
3372	cpuminer-sse2.exe
3372	cpuminer-sse2.exe
3372	cpuminer-sse2.exe
3372	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/716-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 4172	716	batexe.exe	74
PID 716 wrote to memory of 4172	716	batexe.exe	74
PID 716 wrote to memory of 4172	716	batexe.exe	74
PID 4172 wrote to memory of 3736	4172	b2e.exe	75
PID 4172 wrote to memory of 3736	4172	b2e.exe	75
PID 4172 wrote to memory of 3736	4172	b2e.exe	75
PID 3736 wrote to memory of 3372	3736	cmd.exe	78
PID 3736 wrote to memory of 3372	3736	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:716
- C:\Users\Admin\AppData\Local\Temp\1A1B.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1A1B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1A1B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1EED.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1A1B.tmp\b2e.exe

Filesize
2.4MB

MD5
000f75482a8f3c361e1ef9b58a16ee5f

SHA1
4e67fd460b9fa59dc5c1147833ad2f40f94d0279

SHA256
5143fc3449d84ea5cf510321dc92e2e28e68385863a6b07da646a406b53a875e

SHA512
fe72c633e123cea33c480746a4534fe6228f2c1f6184edbc75c144a201fb556ba0d68415c2abaa9c844a39bb900300f24476e38a4e13825829da54d629eaf152

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A1B.tmp\b2e.exe

Filesize
2.5MB

MD5
77046d60bd6a1fb3fa64dd048f447fb9

SHA1
6faa7077f3139a5b851df701e6f92de35dc4e1b1

SHA256
f6bcf1949024cbd9d15316cd001e51e1c5b21a60cde11486eea1edc5bb046780

SHA512
78594c3f2f5282a4a5414d5e057d428c205390495a51866c3fe801cd1ce4f7dcbd17ae48a7ecb8c7685a730259f4597f6024608ca4541754a14c05e4ccbc892d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1EED.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
550KB

MD5
4f03a1eb8f866d14394d4ea29e8c74d2

SHA1
f1d600470c18357c6a47f7f12a804372d4e0c1b7

SHA256
4228712e6714a856ba8bd78367b867579e74278f86bb81097a8b0f50bcacf84b

SHA512
2094a5623f63cfbcc7343f7d020d01503c8517a2b3681a606f5f4080c6420e231b77c74e99ce4c3fc5a6ba4dc34b1c3e7a4a340d13d1b9d033102ef44dbd4cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
11KB

MD5
d06f72a2c4f5c902f92629f769f3943e

SHA1
ade88f0b230616664a5e623b7dd2af090ecc678c

SHA256
2debcdf80aa6be6bb2910413a353c5bae501a129302049a9c3f6618cd6a116c1

SHA512
98a1a06c45a7e7708d61eb88c3587ed81760b5553c8bb1cf9fa82462236675e6e512d70a5e33a12d74622212625ba220a18aba48ec3ab08a005131130e589dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
770KB

MD5
b3f33689a96bcc9d43318a2532d3e36d

SHA1
ac99a39f0608bd03049f09e603906ae5aafc460a

SHA256
ad706c346b88aaf3346143c25f6313f3a3d0c140e1d1e3db06ebc9afb6dceebc

SHA512
fb0b6bf57d7f2f8a096baf004549ef4e6cd5cd3f2fe010999edadb375c68ee1003d4a9943c4e76c5fd0c14609996c0df741faa3b02cbb8a0241b5151db7cb79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
672KB

MD5
9843f33d7493f29de09f0c6ab9b7169d

SHA1
ddacc647ea1c95a4a82cd1d251f9089ef291d74a

SHA256
0facbf2042d9a9a0a59ef94138c2934c5ed2dad08509ea03528c051e4abbcd80

SHA512
09a3c3141bd1871d75a9a83a1e5b401a20fa1580da025d5cc68a9c6dc11fc71aa02a97947001a77cd9eb76c0ab38816a978ce51383541d6641385d754c761421

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
871KB

MD5
9de0c131c65c2196d2952794b7b3ceeb

SHA1
fc8c1b161deb511d0f08cd4c8b9766b67c290e0c

SHA256
8bd91722fb405e939097f91b3d98c311e77d378da7f5973331bcb408df8c1dce

SHA512
cc0e1c13a1bc9eceecc71eacce48b8bf8ddb2a06342d67a0a657a47e94d92cbdfe4fa4ac60ecb3bed097c6d1c28fdec61ed4789e4a6e4700e4e088a535404458

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
5KB

MD5
e7ddbb9bee33320643cd61cf6ee081d5

SHA1
9eace568b8462911cd6c7c7afd3ef7d960f0742d

SHA256
585e9c84da28f1dd4f5c61fa20cb0db16891b11735047b9f30bb1a7209cfded9

SHA512
3eaad3965b359c31f15a45cd241f8736df99ac0474466981bf8c4f5a0c0a25d53dc23efb289aee0a0f82866abfbbdbd99e26d0651fea8c33eb27f5d67bc5cf87

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
533KB

MD5
ffc876e38b923625670e4a1f2a34c669

SHA1
2652e94bb88b02567bc99f5be36dd0ec57b5ff66

SHA256
b064452f5d2c1a4d20fa7e7a2dd99b7f3ba8242f75d948010abfdec14e0a7ea7

SHA512
ad6175fe3f3cc6e186e5ad844afe2826544debd28d64502e8f2530f03ef5f1cbba12025b65cbd192873c90664de15ce2f19d43a353842dac149fd9a2f019e2b8

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
596KB

MD5
ad061e24556e11b593c703d4ac2c297a

SHA1
253fedc3d7ad21c8da77175710f821fa158fd226

SHA256
55af5e548c1df0b02ae8db11985d431ac454814233f13fba7a8efd1bc191b594

SHA512
ef6f6a03ba51f8b0be3e085f9d94d9b59f51e23f7bd7ed1d30c16c95628ae1511fd93e1014a5585d3ce28c79322afc89b4fe7f14f2b81d7be013a1903ed60d5d

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
937KB

MD5
32d6997aced3560ba1c613edfa5d7167

SHA1
0797c2934da089b263e06887c323008607ebf39f

SHA256
dc26e57a6a793bb0e683363d3a5b8e7b4b43cab911f68790b52731a45e187699

SHA512
59c5ece6a2afe89aa95213f4c826578f5810e9fb56bc7a9fc7c1e87237c8cf98dd6278591101945db6e07f7e423a33192dfc59e6b4c0cadbc9ded8ed169301ff

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/716-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3372-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3372-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3372-43-0x000000006E300000-0x000000006E398000-memory.dmp

Filesize
608KB

Download
memory/3372-44-0x0000000001140000-0x00000000029F5000-memory.dmp

Filesize
24.7MB

Download
memory/3372-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4172-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4172-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download