73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
307s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
22/02/2024, 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
60	b2e.exe
4748	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4748	cpuminer-sse2.exe
4748	cpuminer-sse2.exe
4748	cpuminer-sse2.exe
4748	cpuminer-sse2.exe
4748	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1416-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 60	1416	batexe.exe	75
PID 1416 wrote to memory of 60	1416	batexe.exe	75
PID 1416 wrote to memory of 60	1416	batexe.exe	75
PID 60 wrote to memory of 2180	60	b2e.exe	76
PID 60 wrote to memory of 2180	60	b2e.exe	76
PID 60 wrote to memory of 2180	60	b2e.exe	76
PID 2180 wrote to memory of 4748	2180	cmd.exe	79
PID 2180 wrote to memory of 4748	2180	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Temp\76D.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\76D.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\76D.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C30.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\76D.tmp\b2e.exe

Filesize
434KB

MD5
4e6c9edc449c8529d42b712c95b922b8

SHA1
30aa80b2128be2048f7e1f34feb08f01de9d0d42

SHA256
f519d903c9b518ec8ce6086dab293466309c290bc5b77a6b443d8b1e50e7a431

SHA512
c1a9e71f5f011aa52f1506f86340b0a18d4d154ab30b829965433fab29c5015f3d60637ebe5e9c28f54c5a4a4293c9b7eabbc6573b8975d7014764bbc3128768

Download Submit
C:\Users\Admin\AppData\Local\Temp\76D.tmp\b2e.exe

Filesize
462KB

MD5
23552ed776e68fb72e66e4037107507e

SHA1
40e125e0bdb2e9ba6fa4ea488f5e978c7c0db2d1

SHA256
6242a1f42941cc4421dff9033dd253c0529c3a8e2c37bf3dff49f8b6cda661e8

SHA512
226f183cdf5d148cf8c9ee835fab3cec6b6318eaad984fcfb6864cd5b2b83a89059e7a29d7f7aaebb474cb56fbf98883cf96be862c9c94a05451fb389d66a973

Download Submit
C:\Users\Admin\AppData\Local\Temp\C30.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
672KB

MD5
32bb4768b3a631c27c53d05009ee8046

SHA1
5aafd86c0fb76690c1a78f9440b8a42e303832e4

SHA256
a91818cb977518b2c6472d8e88d4fe707d3fdfd01f6ad5c803eb5c7198257673

SHA512
4045eb97493ceade1660fff087ed6e57811781967e40a07174564bd22d4df6d9f8d0d386f285b8ac50d212aecdb250568af069af4f3cb50067ee5e9276d83f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
978KB

MD5
eb1135dbfeacf133ad461a2d64cf5de9

SHA1
d71e18f99f376a523295e07c353e66ecd85385f4

SHA256
c228cda5220a62cd5bf7df42ce269e5cce75bc35bfe4a93efaad34643f696772

SHA512
dfba59cab8f08ce7bb56b5437f393d9798aa18a915cbdb53364ebbe663628bc9952c211f78fa3f6e0535be6d4aacbc11b1e309c2e03c706f218ac89ce6706100

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
fd581abe650a1d8efaeab7fc9239e36a

SHA1
d3c84709185051363d5e7c2f1c3d3483a812adc7

SHA256
fa8838f7e9760ace7ccb92f20528f0b98330135500f19794099ea2080628a498

SHA512
474a399e0d29f7b67d8f60a8c1bab4da1e755151c2e989402bdba4b53fad05569e41fd399bcc748a0aa532d5525de1be84996f19d3e5586cff1c75950baf54f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
94a15ef1aa3b43292aa48ea3bf11273e

SHA1
476abe42e49acabc0017ef1e04dfc4ee11ff5099

SHA256
108bd1eb8ec878001cb46841d2e2ba54d7a60248e8bd099ae958e63915494afa

SHA512
a3e0b9c7a138351063195de86fc4ade683f892785aee5075abc6374065eabe8dd5c8ff6e606d4eba094e26c5ff7e88676df54a5cf4179cae821afab90d3124b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
703KB

MD5
7220f069b730c5b7150829e801babceb

SHA1
68a4a4dee8ee6b939978e704dc310efe569bc2ab

SHA256
d4967efe9ff7728deca722ebd73f48fce5242494c3abb1a74aab16f5b9cddd05

SHA512
e08badb6ad167390d727f6d8bb03f421b8c99417b74e5eac8c6416d6a89ec2b0575c6de49b3e8d3178f75f48f1e2262e4a3a17aaa99c2c4f2bdc7679f5a04d30

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
955KB

MD5
a02fb33c5613d7b7cf0399db81568a5d

SHA1
9c176ca58e018be3fd8be401dc6539ea4bc410d8

SHA256
756b6ce80581825dd3962d8db236e04c2890b1ee1159733c723f9293f94ac4ab

SHA512
b2247f7c175157e1f48cd03fe8e7ee470b7b32ad31a68201aed7da00150adfa65afa8b6c6da573be678df808344d15fd11b1ea2e6759bbd661599241e49737cf

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
840KB

MD5
0552d2f786e9e7f94342bea72b1288ce

SHA1
839cacf7ca939a4945366a16c5d9821876571623

SHA256
1a3462e7b6dcd1f71d73667b49826feb034d76b243438825147db9fa90dfd1ea

SHA512
6f285d46b90af8ca35d2da96211ee4d7a5dbb6648f309968a201ad670b395848bd8e54dda441ba52e51a8b8710b15ec048e2a6ba1f2dcebd8ce8f0bdd2432f13

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
738KB

MD5
d947de9ba941aabe39e9b2e328a02ec7

SHA1
cbdc60b281c6d866f583830fa698e28ff7eaf835

SHA256
ee6ff63fd981143956c20d5d7f865daf02e746b21d479d1075b845b15085f33a

SHA512
58ef4dad8787c0d8cf7b86399387eaa6de7a02409e289d25dff29751e2370e940d239c829650a70eacd0aa5132ab82866f195ab9761a7fb55e3f8abfb9fe1bdb

Download Submit
memory/60-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/60-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1416-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4748-44-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/4748-43-0x0000000052D70000-0x0000000052E08000-memory.dmp

Filesize
608KB

Download
memory/4748-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4748-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4748-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4748-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4748-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4748-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4748-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4748-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4748-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4748-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download