73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
22-02-2024 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4956	b2e.exe
4840	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4840	cpuminer-sse2.exe
4840	cpuminer-sse2.exe
4840	cpuminer-sse2.exe
4840	cpuminer-sse2.exe
4840	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1248-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 4956	1248	batexe.exe	73
PID 1248 wrote to memory of 4956	1248	batexe.exe	73
PID 1248 wrote to memory of 4956	1248	batexe.exe	73
PID 4956 wrote to memory of 2088	4956	b2e.exe	74
PID 4956 wrote to memory of 2088	4956	b2e.exe	74
PID 4956 wrote to memory of 2088	4956	b2e.exe	74
PID 2088 wrote to memory of 4840	2088	cmd.exe	77
PID 2088 wrote to memory of 4840	2088	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\FEE2.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\FEE2.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\FEE2.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\356.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\356.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEE2.tmp\b2e.exe

Filesize
1.3MB

MD5
36a124ff293f9a38c6fbc938faf70db4

SHA1
37eebbff4115870a7ab3787480dc7c13fb785f5f

SHA256
bf7d9c9bd56f342ce3e84305cd7442b698e5b1030e2ba6373a0b5e907531e0c9

SHA512
d80411abbe7a68801522dfcf6e7f5ee715670973a20d8040495cbddcd77beed2cfeb20261e679b1152dc58626ba5f1777d9a753329a6d5c94113989fc16c804d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEE2.tmp\b2e.exe

Filesize
1.2MB

MD5
e1435b56b3673367b44e11987ca3912a

SHA1
3dc27c782486272b0503823656bc7a597486c1a1

SHA256
9f40f0891466b9b1cee3eb99fdfd84b476b4f2b40430bc909daf65be85c3229e

SHA512
ae8d095ecd0b30ff33def34123d7a0e378df2f1443ebbfeb34925b5cdeef5589e98b9d2ee79fb466486e2db24d8528c7f1cbd50b983800df414ec11d4732b452

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
412KB

MD5
f19dc2277e883ba982a88595c1112aaf

SHA1
f1b0c2d9398208e4f0c8551366da93b7705610fb

SHA256
ec0306bd4d200cca7e24e1d6755c70c2ed37d7e3a26f190cf1097ed34187bfe4

SHA512
b64014503e3c95732634abf22126151a4a6f8754beb3a75b757a618cffc8935442846628ece8a6b9ec02ea0f00a3038e2c8c6463983e834ce54629516022dcc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
524KB

MD5
06321f28327a56938befd62d850b3182

SHA1
6e10387db2d94ec24df713311e63c6d0a8ad7cb8

SHA256
02ed30b0feb30400c8cbfaf8b7cdc4e784203b45eb793baa83fde2fa29871748

SHA512
360ddee60dd0b1ae650cda62ae649d78b24143977a5f42dd712e6f7a246a40110a5f37eeecd20dff3a878bf7fb53fab2ff6b012af15e5d37de1242b8bf4ef2de

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
313KB

MD5
fd5fead3de5b71931c906ed45e327a71

SHA1
85afab2ba2db5a51c4caa662fb2bdcc393991d36

SHA256
fa1823f2d3415406faacc59e6054b71a643209c40070945db723bd5d31e2e75a

SHA512
b704f8ce811148c6f4a7326b8770a7080fc27f2a9fbcfd674cd5b5b34c3b6148f65a2c54559891a8e9a6fa681d91afee955caaf3da08e35806e227c6ff499173

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
410KB

MD5
e8d4d6f135d1e6f03edb0c350d2b65d6

SHA1
79bf2dc2bd98558144129203b90f155e88308dfa

SHA256
df91f6294628dc742c4114358b7781184cab8d295f06bf86dd41457630ac9e4c

SHA512
721c686138de560f5beb1ad404e7ceddbc50f29c60e3c5f3efbc98d49167bf40fab6fded9f955c73b5c516d0d970f9a70d9269c399da7eccd0a36ed90dbb6353

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
538KB

MD5
4a880c7c4ad3865c0e3906fd73e234ea

SHA1
16c5cac9b78f191b6fe4446895305d3abec6713c

SHA256
3fbd64db65c87373c58924134ffb957b6c9a07390aa0aec146279adcf07e4960

SHA512
10fabae3b70a8c9b27a8fa911eb5fd9bb4825dee819f817d353362c9771356c3585908cc11d02b1919854b6c108f785d71e23c10485ee8011dd2093892191a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
327KB

MD5
032a70e50a656524435918a7b3156556

SHA1
6746afb57b66b79ab37f405855f9148f66b965b6

SHA256
f6e7643aee7f9511f731094afc482dc9735e709647427dfdd60d45183d34fc11

SHA512
01076fe7e719d05d5b17bd4a2207b13af519a714ee5bbdef9de73cb33ee0d79142b4a30085308cc1c45e10b2f7a5e8b4f32fe65d54bb2a05eb6bf6b8f4f79b58

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
344KB

MD5
277e3cc8ec5b1eec1e6c55067706e8f2

SHA1
6f31b3c7cfa189d825eeda05128b49e8a1dde71e

SHA256
37d15ca4b4e82a429758225ff4168317d7fa4b2f4ade27f5a1f9bb796f36daf3

SHA512
eba589b6f438178a11d57e67466d750e8fc71dd00fcd01f8be247dfddc1fbfdf5a582255230910fcded4edcce56aec1e8be15a758b2f13b2d0a6f6abb1cf80ea

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
285KB

MD5
ae5f1bdb58cb840d1cd36d7d5185d09c

SHA1
d207e579bdf3631677129817f748d8778729dee3

SHA256
2615bdf5a8cca7141b12708763bcc610bdd3aa7f1dc8a339d68900835711390e

SHA512
baae653386e93317732b2da7cea65635f0a9fe68fde0ecc68f78f78c4203621adf863e0ca00f8074749440fccc7f5c3822ffcf80b41ff47030347f2c704c7611

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
380KB

MD5
31ce773b2cf6c245c5d1d2d715a37c60

SHA1
60be5f58bc878bd36cc4c02b1847b849d3127b60

SHA256
aa099720c54aa099f3918c0db68b2e65658459d9d47c02877de24b193d54997b

SHA512
006ee5b477775b21d5d56f418b489a09814f32497a4122080492d66d02a65e5991c319576dbf94ab7af969497336edba5fb4274f7f47c6d1e25c9c2ff6447d4e

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
351KB

MD5
ec539cde468339da8bef7987cd1aab23

SHA1
162ec651561412c1476fc192f2333e0804b69224

SHA256
9ce54ed76b49bb10656212d23b2cec4c96e7737a1463b15a2946e04c37fa1f36

SHA512
38221d1921954d81244e81759d7ed109e8527a209d04d80df503fb5bba2796f8b9e30bffd9bd195000389f827588bca53dcdd176ec4fba04fa00bc09ea970d04

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
332KB

MD5
619062eefbad45a389150f8bec12c8ce

SHA1
b2a51c1b770991dc6e2e7f75166cfccef3233229

SHA256
ce9064801f424927b71a9bacb40e88f9575094ae231846e0ecdd30a4c592b766

SHA512
ab786000116eddcd569da60d8ae7bda01479b43f271ccb4025219242d21b936d11991dbc9cc55f44201a4cfdfcdc8a58abeed4c387600ec0affcf01adc692b09

Download Submit
memory/1248-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4840-43-0x00000000660A0000-0x0000000066138000-memory.dmp

Filesize
608KB

Download
memory/4840-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4840-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4840-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4840-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4840-44-0x0000000001090000-0x0000000002945000-memory.dmp

Filesize
24.7MB

Download
memory/4840-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4840-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4840-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4840-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4840-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4840-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4840-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4956-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4956-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download