73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
22/02/2024, 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3724	b2e.exe
5016	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5016	cpuminer-sse2.exe
5016	cpuminer-sse2.exe
5016	cpuminer-sse2.exe
5016	cpuminer-sse2.exe
5016	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4328-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 3724	4328	batexe.exe	73
PID 4328 wrote to memory of 3724	4328	batexe.exe	73
PID 4328 wrote to memory of 3724	4328	batexe.exe	73
PID 3724 wrote to memory of 2484	3724	b2e.exe	74
PID 3724 wrote to memory of 2484	3724	b2e.exe	74
PID 3724 wrote to memory of 2484	3724	b2e.exe	74
PID 2484 wrote to memory of 5016	2484	cmd.exe	77
PID 2484 wrote to memory of 5016	2484	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Users\Admin\AppData\Local\Temp\9867.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9867.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9867.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9CEC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9867.tmp\b2e.exe

Filesize
4.1MB

MD5
9aea990b43683c047295861e78b667e7

SHA1
97f269eb13486efe95cb50bd66d60da6d35a9ad4

SHA256
e9fd5f583dd76b578fee77c2b26604cca115ef82d98813ed2b0b54e5c29eef62

SHA512
0725c6d5469cd800eab6890018cbcf2cff6ebf86b9e2d128801bcd498601b468459e63b1192bb14a766ddaad5552100cb109db6a7ffa1bf5f13fa811922db909

Download Submit
C:\Users\Admin\AppData\Local\Temp\9867.tmp\b2e.exe

Filesize
3.8MB

MD5
a98e69888d2946e2fc4cbf610982e3cf

SHA1
27f5628773a5c2ab47334220c6e1388f9f010832

SHA256
f70580e88460f373502c015c338ae2aefc985f6210ff64eddda9527d596df8d0

SHA512
6ab02f5481aa495bbf98e2b97873837523303a55b4c58b5276dd7397bf55b3660ba26472e73fca5f0ee746ca807c9363e54e2e62415224d9198cd524ef11f0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9CEC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
405KB

MD5
932562c8a77554a9303a5d6ebae527c7

SHA1
35f136074abb07a70015a6baadd213ad078c54e4

SHA256
ea51b614e7b606cc38879cdc18fac35b6ace05e27f3c28b3726ec2e4aa3dfd38

SHA512
c9a56bfb7e7545a15179d5f8737d46550f83539b30faf6b0834e52c0b2dbff26ebcd0d53c3a41235fe000196144a5d3e7a771d777278d27a20cf4d7bb9d3639c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
512KB

MD5
a879c5fd4613dca566d5b1a782690dd5

SHA1
41c6063b0f0dee953e99713a5326856b55e08366

SHA256
3ee76359d6802a8fe11c5b144e18ffd3833bc7b49d66f190621d41e41ea0fc20

SHA512
e20f8f40822ca215c75767b8d4102583cfb3812c74dbc064a8619f214c164ab94da6bee0ae42c794a0af1847ff30c295b34d3015f87bfe597dba80339871ea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
409KB

MD5
aa083d8d7fbc1e2b43279702d503af36

SHA1
ef58af113aa399c371b54ae9188ae1c9aa8764c0

SHA256
d825517116fe3895069e8ff7806175dcdb454bf48207139a6751b8b423769061

SHA512
8ffdcd69f4bfc5a5df30347de162799d1dea7ae2513260368c415621068acdfefb4b35a0964fe69b95d81f64e89c8af594d7c45494ed754b0268ad9427144216

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
423KB

MD5
654c7c984ec85b585df498e5694bf5c7

SHA1
7f58b844c6597de54b9b25c1361f68daeed858a8

SHA256
0f8c6db882f7303670160956ba7910b02589f29fb975052a14c3fedffff55770

SHA512
2b5e7b3fd40cf94bf5e1c803c867e17b3ee3bc224c67ac4842690da3bd10bcc1d2a97c72a62fd9a53382d6b183081639396af58a563e5e374f9c1b262e979596

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
487KB

MD5
49d208bb51fb5705d861577350f4809e

SHA1
5e55810643b13ce5edff1ab7da404a47dbb4cb8a

SHA256
0b373193a578ead71c438e0073e4541826d9a80aa048e847ac581789f62a9dbb

SHA512
622c578f0958d17457cdcaa72efd232dd4878380901b1b24b72c1c4a6651a7fe0dfc5d2ada24379c9534255dd8c47a4970f8b70d70bbcb2b77d7ef129de8c2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
584KB

MD5
7005ddb8622e51afb1054ce62f231b2c

SHA1
a31081b375c3c88fbb94375d1701a225ad534215

SHA256
3adc3dcba9feb93655dafa5e267428d51813c7e01c041a1a41911e3409b5be2e

SHA512
fed1ec1dc4a23a3da37a557e82bad9204c07751736301d8d5685ba98287f3c01aba12e9fb45ab83fc6b296adf65ebc72874aa0a3b5b50e9336cd922fd7c17116

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
390KB

MD5
22097fd44df381a09c7417d9ceecce32

SHA1
4589aee4edf56798fdd61bfe150c824f8e3fe5ff

SHA256
4865f3a68571d4c3b9409b53fcec0d647821c8aee3f4457715bcd17ce9673a33

SHA512
b63a04d5bf62abd46cbe7729afbcad769b016b51ccbd121b65c2891bc2fa73ce8f68f49ec9b2595db2f93d5cc1e8a20d3b5fea1ecb9278215679c0b5f7c5c5f4

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
320KB

MD5
e63bf5df87e2ea807dc353cc5aa9aab1

SHA1
69fc94bbebe878711cb133c3a1affb80c0bdecff

SHA256
2c9d6315f90367b959d3c32badd99bbc03eb808e4a46db72ccf2e81788b41533

SHA512
70f2b2a8a4c8ab23d81266cd23b75c27ced29a1eab8c80d95c57b595b10254b7229cc03b637716edbfad2a83827f2c557847b98d1de80256beec05c9512ee4bd

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
407KB

MD5
7c73dc7d1d894b80ee5465c75b58314a

SHA1
9943b3cc0690d5440c9a70ec8858b6cf809afabb

SHA256
56a1f67e368d570df36af04141f51c7c647f4eccef0695d26c6c38c0acd8fd78

SHA512
8891d366ea82a906f166a8714fd41c185b95d6a0b84420f01ec50fe74e0800830d0e648426170384d2a071ac27254d3f161bbfbdda451a6ebc6f5040155d391f

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
416KB

MD5
953b57bd8a52eca7a75a12da4c2b8962

SHA1
bdcdf752f3c22b181f6ac3231337c9546c049ffb

SHA256
41232f5e629caab4f20a6eebe5897ae4c4f331fcd552f419e01b362cde912c05

SHA512
0640fd7666cbbdc1db8b2db2704dcf7162812e97b0d60f5ee854707617b02b44a798709bad7730511c3e92ab436545cf5ea2aeda1e5726b43052ab74f9c0d80e

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
260KB

MD5
ae353cd5fcfcbe4d0ce9ac99a7e5be38

SHA1
16dc1d0a3d4fc3b578108c527ab711c37911753d

SHA256
9f32b0dc22ee9ba6e99fac80a792a2429b00b45e33ea72638a58bd0ffb9d25e6

SHA512
6280b85ae43c0485f3d58fdb2e87cc7c532ace66fcbce2f92923b4244bdb430b89100ca10988c1030751c37f4a39cd362d15e85698d76d66cbe2971cca387da3

Download Submit
memory/3724-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3724-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4328-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5016-44-0x0000000000D40000-0x00000000025F5000-memory.dmp

Filesize
24.7MB

Download
memory/5016-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5016-42-0x00000000724C0000-0x0000000072558000-memory.dmp

Filesize
608KB

Download
memory/5016-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5016-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download