73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
22/02/2024, 14:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2356	b2e.exe
1148	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1148	cpuminer-sse2.exe
1148	cpuminer-sse2.exe
1148	cpuminer-sse2.exe
1148	cpuminer-sse2.exe
1148	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4816-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 2356	4816	batexe.exe	75
PID 4816 wrote to memory of 2356	4816	batexe.exe	75
PID 4816 wrote to memory of 2356	4816	batexe.exe	75
PID 2356 wrote to memory of 4132	2356	b2e.exe	76
PID 2356 wrote to memory of 4132	2356	b2e.exe	76
PID 2356 wrote to memory of 4132	2356	b2e.exe	76
PID 4132 wrote to memory of 1148	4132	cmd.exe	79
PID 4132 wrote to memory of 1148	4132	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Local\Temp\171D.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\171D.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\171D.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1BE0.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\171D.tmp\b2e.exe

Filesize
832KB

MD5
e1bd95ac3f9c6ce43914de2a53967fee

SHA1
3e03982c075df051d5a8dd837f42873f30483faf

SHA256
45c3475b58fbaa942be0297167c5c3fbbfe7295aa3fcbb4fb61df1348f55c550

SHA512
2166424e86301bbe04fbcce5d0b91562248845c5b1a7e889fee9a95d1c872dd6ea5cc85792b54e6d085095339be2f2b7f30cfd9b40a071b51c96a5009cc96f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\171D.tmp\b2e.exe

Filesize
777KB

MD5
4af8f9650461a936c970443fa442e0c0

SHA1
ea61e1efcbf4465ec5473b1e0f5d7e3bb7a2eb9d

SHA256
575939f1666283cd380719d3b163ce38360900c6bc7f18f5b3346e8e7d785601

SHA512
d1c36c94bada3b6c58098d6b523147d5c0941dd189c574eeffe1ac0a27ae88e314a48b2a74c39988e0ec2a773452175c07dc48f9146d2f1a4178849336463236

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BE0.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
215KB

MD5
5b23f1b0aeaa8ee4d05facf80f7b5817

SHA1
ec9829da9527eab2f8e7264441e7969be5978219

SHA256
cc66a14bd0e71afbdb3325e7cb64341f6a2fce777a6d1e33964b734a4785c03b

SHA512
f01ba0531432b80a4fa74adccc287e07b0b1fd294fca6c8fd8e37e41123fb6b2c8f5510f7c43cb8eb5a25f9684705c4f049aa0bc58b117085f099332a2bcb53c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
568KB

MD5
fe60a6047ee5207ad872cc7bd83e20a9

SHA1
d93d801c804285f29981836a98d53fcdc1b5ee00

SHA256
54be1163a213b05761b25d49b5444ce3d6455a39f920deee483c067c7528dbb0

SHA512
82da4c5ca308c1651c3f5993a548c43b8330691d95dce6aa376db212edd4f16919fcc9b3b38ae5f7c94b9fa5568067222be250d08ef72cde256f711cf5aad0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
560KB

MD5
1d39d435666205082093a0fa4e4e126d

SHA1
ba9ce7e83d20ebc6927eecb0b64dec6b6757d1d9

SHA256
487d3e9fc8574a45e58480946fb95cb1b061e52b957f38d41bb11fbfc1320f4e

SHA512
9f4481c9952bb3542ccfd47fd2c064e575ad661a5fb4f908d20af2c2ec538874f266de4a1ade40002acdb2bb54481687bd3f796a783976b048fc0e5a83342d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
208KB

MD5
06a3881dfc639a47102436ad28e33037

SHA1
bcd4dd4f40cce121e83729411c0821cb13111a7b

SHA256
a8ec1f30bd37dc5d8cfc1f668b8d8a8f7647b78f070bdd5142496aa86fe2dace

SHA512
346ef32c2b799a34ea597bf3827e384dfa6a3ce99cf8db36e70a5388d0c9a72def6282fcdd5c58bcba8bb6dca5069268c1b13db7eda2eb7fb6f000f17f24616d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
424KB

MD5
29babae8020574508c1ae7dd17e98f66

SHA1
c462aa2751695dc8c88c56535373f24030285877

SHA256
344d3ff3ac6a1bd456d7bad3ca000200b435e07e8a6a8cb6c41bfccd5101615e

SHA512
f56097c45d6bbceb8cb80ac68403ecb7cbc63e9272dedb214a10da47423fd9416e938666c776be9acef39ff01f2c11371eee81c591ec8532ed2ee68a45549195

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
205KB

MD5
d8abfb4d8e41a37ccb83b95470d1d02f

SHA1
8d8d8d5ccb1ef8b88b32f37f354daf1c04b28952

SHA256
cf63cb2e2e10fa68dae8c2bf95021887e9a1933a909c29371afeccf3da92e6b2

SHA512
b88320100ce21766c015afed7ffbd80f2706e86cb74ad09bbcc86a0e5d5f22d32d42fd048fd4b7fd06b962681d42246dc08e41dcaf9bf28f97dd29f20f1c9842

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
316KB

MD5
e14380079a1b3bbc6349a30082e086df

SHA1
cc20646d9e04ca8a1e61c143990b51ef371dd59c

SHA256
0d0f598e23f390068e7385dcbbea32694afbde4f64ff3498018b401ad7468290

SHA512
f8f068e812391a60bfc8a7497d70f1fdb7e27d1a9fbe952185ed99a2ab49325b7b195ed354ed4ba846f1fc1d65b0b7eaa747ab4adf23b472d03a89a88831272d

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
397KB

MD5
b5ca7c09a4741f15a7015b9cba1bd101

SHA1
244c2992c9287006c33e46b9e50d944327968bd5

SHA256
39f8e436b8be66ec3863b4e96becb641e8cd21f67a55137b02fa047883aed16e

SHA512
12371cf984730afbec9533955329619566ef7fabc831e245a9fb074e25170f3dfd579e7d6b1db571aebf76f031744d58fd14563bb2a86a8d878afb33ca424cef

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
320KB

MD5
e748e3357af6e4674ff8962691273b0d

SHA1
0acfc30d68a1ef7c6790a79270864448f70f0aa8

SHA256
84ff770c784909548dbca7bd2a24c8e82338b142f2d4893023e25c52f70e8d14

SHA512
0bd15154698983c85b46810d8fef9092f4d0725882421d6db61f168873af967808c467b924dcb8ee72aaad6e10202edab14916580fc442e14b9d8c85f9d07dcc

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
250KB

MD5
8972caa5ca9564cef489e8ef96e763d0

SHA1
7a556a846f049588c5fcab25aa65049a08161557

SHA256
a5b36abe1f12d09c2ed57cd2e0791d8a4f27d0e5eb22ff76a796482b655d1bd6

SHA512
f30a8b547f91a22a4699fd2c9d57a1f17495d19efb7a8bfee8b1eaa92ef523a3922f986ee9a71ddc0659b86505200ec06c3fe7986d5d917f78cc54db69146441

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
246KB

MD5
7c484277b94f654d6a7058180ddaf59c

SHA1
aa695e72c48e81f8f93fc20656cfd0f4db25912e

SHA256
c9344c55ff5ff20a063b57e8c84e726b641fde6de189335c642a1cd15b5c2fe8

SHA512
2e999cb43fb7f13c58f89097d57b41946e3e22a4b4f6e18e4ef478d556f5f7775e216d12a0876758ae1080ddedceb4775486663018ec3a6ac80f474d7af025f6

Download Submit
memory/1148-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1148-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1148-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1148-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1148-43-0x0000000061DB0000-0x0000000061E48000-memory.dmp

Filesize
608KB

Download
memory/1148-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1148-44-0x0000000001050000-0x0000000002905000-memory.dmp

Filesize
24.7MB

Download
memory/1148-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1148-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1148-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1148-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1148-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1148-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1148-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2356-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2356-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4816-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download