73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
302s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
23-02-2024 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4736	b2e.exe
3980	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3980	cpuminer-sse2.exe
3980	cpuminer-sse2.exe
3980	cpuminer-sse2.exe
3980	cpuminer-sse2.exe
3980	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/324-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 324 wrote to memory of 4736	324	batexe.exe	57
PID 324 wrote to memory of 4736	324	batexe.exe	57
PID 324 wrote to memory of 4736	324	batexe.exe	57
PID 4736 wrote to memory of 4484	4736	b2e.exe	67
PID 4736 wrote to memory of 4484	4736	b2e.exe	67
PID 4736 wrote to memory of 4484	4736	b2e.exe	67
PID 4484 wrote to memory of 3980	4484	cmd.exe	66
PID 4484 wrote to memory of 3980	4484	cmd.exe	66

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:324
- C:\Users\Admin\AppData\Local\Temp\72AF.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\72AF.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\72AF.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7445.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4484

C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\72AF.tmp\b2e.exe

Filesize
384KB

MD5
1d85f4980d66fafb6b72210df9f1606d

SHA1
86b1e86ce3bd5af91dc13ebb9e87d42f0ef312b1

SHA256
b9c06a303f6aaafa94c1fa96b39557c92626f2efc89b1f87f9734dd7f2bb4680

SHA512
31cbffff31f5b1d729d742453ea2ae1adfef8390b545388effa3f02fe134f051d6a732945ae06704f53406d3f21fbff299a607eb0b56578fda01f8efa147e082

Download Submit
C:\Users\Admin\AppData\Local\Temp\72AF.tmp\b2e.exe

Filesize
284KB

MD5
713b900b42f053639d244938c2f508bc

SHA1
0a77749d2d9e13ac1139c926443b6d1f5f2912a2

SHA256
28ae360858b2ebd53a6584c6000826d0218c80c335f1ef8d2ddf8aaac9425b3c

SHA512
6799b6e499fc18573c89ae5268ab6626b631a78de30bc277cf653eed43091f7c6426dc1a22dca597cd1fe08a3122aa63f0730fbd686134675c21298e0169d7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7445.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
224KB

MD5
e3ed797c3b4b65b6c52dfd1447bf03a5

SHA1
b9bd6b75b8cf145134766f127a983094a634c016

SHA256
9c1916a77b1f3d21801d9df9fc6e7dcfed8678389dfa31ef662d728c95f4a208

SHA512
b075e03baa6405a94ffcdf23197bc25daa68d3b4061852c13d044eeeddcf59e5e0a7db0b414217e6f2ff7e7266cbd4213fc3cda11e4c174340a6e5fa4e485a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
196KB

MD5
15ae6f8d48797bea68616c00df49fff1

SHA1
58fab1e07755bc6f3fdd444863bfa3e43f6a17b5

SHA256
60f5d91e4b041d20bfcc0c4b09257774fc91ec0aa1a22ce0f1748baaae372149

SHA512
40856cde5a95dad267ef46cd2181a13fe2a9c0d263e6919e9e4cf53ae9271b6fe3caeae7539b3b2f53d7e802d5cfa534c3886dca5612490e428421a8852ba5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
248KB

MD5
36e547190415aaa70f35f831f0b065e0

SHA1
7e5fbc3b5466071498a0cc407230d1cffd93fa16

SHA256
b9446883d8a224d97e3263a5d781b72886292ec8787782cd1204f276555c3ca9

SHA512
2409314bafede8a53de2fd047350f309ddcc6b5bf58011df0603d09326d66e58d8821b13e91336c9392610afc822cd092ec8a2484f6843fadb6edfe9137451c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
114KB

MD5
6380344609686f48819d2f1b5bc1eb0d

SHA1
94089e390bee8f0c7e255d685b9e34af3f99e813

SHA256
ad65d066a3c921511f243e0e50e232920e55cd1342180277cb7df9277db1527a

SHA512
238820a2addb3877af4cd0b9a9be7aaabac06b8be15f0d7d505b966ac5c5fd689e22df94f55c70dddae3085f173c1b60033009d2c72f2ec2a87f6c76427d1525

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
121KB

MD5
cf90355d2bcee2bac0928428b4b26e01

SHA1
f3f7d1fd9f998a240789ae5c5fa80cfb2731bdfe

SHA256
e51576d0ad7228b74a6040f06e23762409cfb25f9cb8e1b681fd302529d2a0ed

SHA512
e70d09849587b71277a9842f04b9febd20a751c39894121c63fdcf1301ec98c361fcc2a0024786c457c3694bf4bb7011227d4b4fc2640a4897c3c6ae5f4394ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
115KB

MD5
216cd9d4c041eb72d587d97d75b5b62d

SHA1
287ccd6217dff5776b20155a22b637caee8b862d

SHA256
8d016e15f676493a8e9a57accb074e65e765a55cb303a8d1e700ed42b9d217bc

SHA512
b8cde49f295a12df6535c0b11b0554dc51fff3d02d99d8be794c094b6955c96cf982f7b8b5aefc0b0ea0085c1f7dc64e68a3bddfabb5da49d3e6ce4a4d7f419e

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
193KB

MD5
d9d69bc54f86ec9718a76a681cb9fc85

SHA1
a8c6b815d951614f87f27ef375f4c66bb890cdb2

SHA256
d885aac9338377fabcc713ffef20230a047bd3b4244218158b52a2f235867780

SHA512
506cf10ad38d071e363dca4df37e7a4b627dc078d8f8bfa692c3aac8a6fa9ae127a4aa5af0f89b98e6567febac00e89dc52f85a07a55308a16e1b65f4ad91d40

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
149KB

MD5
41db70bbfc32991180e315a83eaf72d3

SHA1
04aabdfa266eed057166613f16a888e7b1fbcb6a

SHA256
cc577e773bfce3bd6a536ad9d20f9f385ef54d058f30d39f020e5d77c287fae8

SHA512
3d9993317cd2ecbc20d8f8570c977497607c1688df166fbc778259752cf8a2d48d3b550cf272f4ed0ed68f776e549cdda0ad9249958de23d4b4626f0b83fb86a

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
73KB

MD5
421d30c2509df5d01aeb01d2bf56e988

SHA1
33239ec280114e06cb694991f9b0c93e7d87d728

SHA256
2a15557a1d653e8e09b5365fc819acad4f6711b5ea0170f538db8647add715cd

SHA512
30064faca0137f4bb86cbd227e8f7a9352e6328089a03ea6e1a41cd92f73711f6349a0b8f10f60f10ede8432b22574c6f5e1d2ba463c79f4b4c6adc5d8e45569

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
216KB

MD5
fecf4f1c85f172205a525e970444da06

SHA1
6f22b4d29bb88ca135448b1aa1ce1c2e92eee4a1

SHA256
69e78f1618a1020e7610df819b79d0a79c055440fb87570babb092d67867df27

SHA512
66e4dca4df0e9bc5d1fbf75dab17bd466d31015dd637e0612363291d2056df1132aedb048778b4adc0aa6396e80cd723ac408fef137925f3e50d8e1a8671a677

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
130KB

MD5
75603a30b5f86a7bd3f6421c3a64d53f

SHA1
a99d725d45f3e6ef980cd9f50faccbfc1c9e036c

SHA256
6c2af27854730006ef18b150fb5de95defa6b741f1862e4475e53c3213afd343

SHA512
3bd437cef183037e996bed8e21528c97a32eacde3141c78d83e89f95b93c5dac8b44c98bd09bbb4f6ffe575f9ce8081b75bb61d5e1cdbaffc4ae76453ec9b389

Download Submit
memory/324-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3980-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3980-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3980-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3980-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3980-44-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/3980-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3980-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3980-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3980-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3980-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3980-43-0x00000000596F0000-0x0000000059788000-memory.dmp

Filesize
608KB

Download
memory/3980-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3980-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3980-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4736-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4736-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download