73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
22/02/2024, 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4020	b2e.exe
4100	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4100	cpuminer-sse2.exe
4100	cpuminer-sse2.exe
4100	cpuminer-sse2.exe
4100	cpuminer-sse2.exe
4100	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/872-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 4020	872	batexe.exe	76
PID 872 wrote to memory of 4020	872	batexe.exe	76
PID 872 wrote to memory of 4020	872	batexe.exe	76
PID 4020 wrote to memory of 4488	4020	b2e.exe	77
PID 4020 wrote to memory of 4488	4020	b2e.exe	77
PID 4020 wrote to memory of 4488	4020	b2e.exe	77
PID 4488 wrote to memory of 4100	4488	cmd.exe	80
PID 4488 wrote to memory of 4100	4488	cmd.exe	80

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:872
- C:\Users\Admin\AppData\Local\Temp\83F5.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\83F5.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\83F5.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8618.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\83F5.tmp\b2e.exe

Filesize
6.0MB

MD5
c4262db1c2b5c8e65176ece2dd52fbb1

SHA1
56dab0f4980b7d1955eea59161f72c06b958038b

SHA256
1ef20abf7374dc24e791e1590fa688c31a4b43e31ba7979bda83e3ababf14ec8

SHA512
ebfc907cf388dc4ac846d1ee144dbc2d4eec94ac6d38ee5a9834dfe6d8f28b880c357ccf7f64ccea7a4b3c94b229082d1f057645c91b1f0c9079dd161d42f264

Download Submit
C:\Users\Admin\AppData\Local\Temp\83F5.tmp\b2e.exe

Filesize
7.9MB

MD5
1fa450f030fb62b52d0e37ea767cc2d9

SHA1
c34655bd729704b9375a19f5c22ee8c057f89a9e

SHA256
3a61230ca7e6040265f5d66593607ed29ee52180cd3ae18de115c6de93adae79

SHA512
921dc9db237b7aa0c7d8562fd3b63cc72e075dcc0bf2559a9d4ee68c1e43d38cc210cfd015d050f2c29b50d958aae0e248b61c7987da5c919b7a95dc9711a1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8618.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.3MB

MD5
4c04147c386ba8792ac6a03069572a8a

SHA1
dda67789fc1d0f2469ca95f01a5c81034853ca6a

SHA256
c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd

SHA512
a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
972KB

MD5
75208ff4769a94083ba5fd6f13d9d969

SHA1
ba9f3af5516d892cc5ea55c5c71ad9dd8355e2e8

SHA256
43256c326dd837f22ae1647dbcdb5d895518d16a72399cade2ff79ba4b2dd87d

SHA512
f1df87bcbaa77e078201a8533b365a0c123759253a8a309a73fb99696329ade2b670ceb3078519136cffead4d9954106da36c51ede9fa1fc9706f711aebe31a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
736KB

MD5
a49310f0b93edd7bb895122188f0f2bd

SHA1
62047da63a99c1581141f9873333fc3713f0ef2f

SHA256
ef433f813d0c455e84f624b92b4923f44e3337b46bb498e9b7a3132696d05846

SHA512
8c6ea1cfa89274333dac3ce9c3debb36c71f85f71bd77ac6d3981cc4ed65044b6ce2eacfa0620f10e3ef144e478fbaecd4eada72618aaee576983d86b27b594e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
bd70a3cab70c277ccdcccd474cf2d745

SHA1
a45abbd5114322f1ccad94222d60c5c887219396

SHA256
76cd32be3e16eae9c1cafede92b0a56eae76347a9b3c610b5c3d94b945c504a0

SHA512
b4d4a5b9ec2052d16d21772a8c78eb85fdd77840dcca3e565b1d3bcf43c47e3cacc6dd4fe8b4c1f8a5f901163789fd92392eed13e85cbc499c6788b4a8f094c2

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
550KB

MD5
6d830c5c4e9e2e4306d1e7c7ea4f1cea

SHA1
bbc44fd8e61cd347b70dc2b861f614f5506a2dac

SHA256
3b75513577f2ff5a205e9f38f25b4bb110a2b68c65ff98eb75ed92472496903c

SHA512
8689dbc3ef582d2ef2bce6c5f398fe458481e02537e0fbffc97f19016c9cf62ffe3b9e005344c3fc2768cd4ba6737c08320f7dca79b42ffc71e3cd1fd870a178

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
514KB

MD5
8af6cdeb778e8d217004ea5d48b0b349

SHA1
4b7539f19d7046569672efb2c75e41a5a7af447c

SHA256
eb836694f0302ebf229bc6f2af9313d322c7cdb22f62252eb60b5bdafb7d8a53

SHA512
bb4f6afe2278bad62801dca2926ce64a26ab13c2bf8ff999505755d80ffdbe3382e2fa1abef041a5c5ef4c970a72a0fd8c7c46fbb6af2de4ae87e4293607cea8

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
773KB

MD5
108d4406fd8b4284bc7a5dc17aa92a4d

SHA1
af650450156ee1c7e662aa81d66161e6fd58d866

SHA256
233c548c578b472ab7753aec41c3f98c0fd8959a6d37f058224a90c3c025f16f

SHA512
03d0c554bbdae4d7062229bd9f401ff1d12c7dc8565e1275ce4afa1ab15abebdc21aa542ea5aa72a316afd7c52704d108e7bf6a121ea83835c66d934c1ed1bed

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
509KB

MD5
253f8b0320e396dfb3fb839c39717987

SHA1
3fbb6f3d482ac90c7ed2995b2aa22bf5ccb2a2b1

SHA256
e2221e28aeff6853ba74643bd29c226210f89ced4f40e623270d485e72948fb8

SHA512
9f6dde9a892d72c7535c57a3aa216376abca0e344c94e8c222f74a10107cb73bb728fc37e77469acd1a68a55cdf0e2ef7b6659da403196643334880eb6eca101

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/872-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4020-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4020-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4100-44-0x0000000001100000-0x00000000029B5000-memory.dmp

Filesize
24.7MB

Download
memory/4100-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4100-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4100-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4100-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4100-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4100-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4100-42-0x000000005F420000-0x000000005F4B8000-memory.dmp

Filesize
608KB

Download
memory/4100-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4100-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4100-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4100-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4100-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4100-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download