73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
304s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
23-02-2024 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4952	b2e.exe
3848	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3848	cpuminer-sse2.exe
3848	cpuminer-sse2.exe
3848	cpuminer-sse2.exe
3848	cpuminer-sse2.exe
3848	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2304-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 4952	2304	batexe.exe	74
PID 2304 wrote to memory of 4952	2304	batexe.exe	74
PID 2304 wrote to memory of 4952	2304	batexe.exe	74
PID 4952 wrote to memory of 2776	4952	b2e.exe	75
PID 4952 wrote to memory of 2776	4952	b2e.exe	75
PID 4952 wrote to memory of 2776	4952	b2e.exe	75
PID 2776 wrote to memory of 3848	2776	cmd.exe	78
PID 2776 wrote to memory of 3848	2776	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\8CBF.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8CBF.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8CBF.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8EF2.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8CBF.tmp\b2e.exe

Filesize
2.0MB

MD5
e4d4b0a32114323c5f05422c8bc799cb

SHA1
91b3ec5e26224d29c102a004d6e3f7adf54f3060

SHA256
9131372eed4269408e61b27edbc12c03a7f9003c0033df0929e69b883411960a

SHA512
41e74a3df13ea626e883ce538d8fa89ead2cd531e8e2bca086619061d296d0a74e51fd3a3ebd3c4d6b96b106568723122782d3a0e0a585d23cc27fafc197041d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8CBF.tmp\b2e.exe

Filesize
2.1MB

MD5
099e18cf84312ee05add20eaed01b2c0

SHA1
3aedb8f0362d50274ec7bf1e79bbd3923b47cc13

SHA256
8856beb3ce39073034ad1cd1b72251224cbe3b2861af9086947470096666312c

SHA512
70c26948eecb460a2c035d8bec9f100588244a0c621fe26c13826bef00464051b54e200abfd73cb07bbe76c6c807317dc90b4974a739be718e37aa2621c134ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EF2.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.3MB

MD5
4c04147c386ba8792ac6a03069572a8a

SHA1
dda67789fc1d0f2469ca95f01a5c81034853ca6a

SHA256
c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd

SHA512
a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.1MB

MD5
87b2a772adb357df57b6fd21133e0e25

SHA1
4bf22c8deaf062b86b161768eba24b96ebb24729

SHA256
6c80ab843fc846d29fad8e5b03397ca0aa9b247f93c3c8bf827e8e04d466ad5a

SHA512
3bf2c13a02bc904c09d95d8bc30af217db49d30fe7a3250c86c3ac2e452463c5b7ae609b386db4bfee3d0d00a5c428d77b4fd9048b764c38f9439cc64b3fbaeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
263KB

MD5
8ee5a3850e750bd563f076e53604e9bd

SHA1
4544666eb6751645b9d0af573907619aa10e3f81

SHA256
dbee6a3a2d865314b770772201bae3570827796f18deb7f8040a893207f16b71

SHA512
e65944eaf00d324558e4617b333e9f48244e7b0e1713d0feb4168a7f5d165261454eed7767087f0907ad5bcfa11db9598cef9ec9fd5359c28312a3a9b54a0ff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
272KB

MD5
1c0f5c28591b1182530b93a723fbc3cd

SHA1
8b892e44b3f54ee576b281f1e32bd0e6b0df97dd

SHA256
84068228aaec766e9a3c408c5c1c89353d561f35253bcd57c02887b56942ff6a

SHA512
2e3eaa76c8b2e49ded4a5b6dd4773abf68eb41c41aefa4a1f257b7c91f923092b486217239fc8cba196c7951b713e98d071c72022eaa02aa3754b74051065f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
116KB

MD5
94ce55cbf2e0631766805e69da5ea80c

SHA1
75fd7000970956d6cd1f10b0f851fd6f1fe9c12e

SHA256
7ba3ed284b0cf7b5a7cd6f9f5ff9e8e512fd4af2ec93fb042f42f12d7ad02639

SHA512
c227a31ddba899c0f2e91d12d88f0135717d09d659854aa4a8c6193b729ea87a3f608f6ab5d05d72ce55d7730b09c170b661a0f706e393cc773a20ad75094f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
256KB

MD5
eca0c37eee65c31b869788d5d0bf00cd

SHA1
33a5c0cd2f0a7296a5c0169699ed8e065b57e5e8

SHA256
1d2b7bd4ddd99d627d5111252baadf028dc9910cf414892867502e5951de962e

SHA512
5f302da7772fca0a6d03ffd8732850f526acf5fcc33e189d2d906a33101454d970d5cca2f829a006d15c4a857341d72c7876cb2e7af84ada4f158695aba5a4dc

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
203KB

MD5
401e0cde57e84a48da06509096d5fb2b

SHA1
99de4c12974a0ee4a26ff3ff642d66e4f89d799a

SHA256
be24fc2e04b62b377ecaa81bc46a5a65f26a52207f372b2d567a66e07b3f7f7f

SHA512
f035fcab6d5e43ed1a852a37771c193eccd160c5c8745a0cef8c51b6485ced1d3e7dbc39c265e30b7e00c27920ec1c08df54d47fcf4a876f7430108ddc2c9160

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
129KB

MD5
d80221c4bcc6b1c8a7b3295dea779cf9

SHA1
2cc78eb39ada93f10d4d9462402b855d0712f979

SHA256
2b69c8672510c549d7ed19ce61792332a00e9a0684d16a4e9b6b2d1d85ff3e76

SHA512
5b168c14fee9ea6ef20423c707fbb47ba9be6dcfb376957d3917cb6cac82e49d3f5db117ad580be7131e0ee5952d611b239257fcad93bdb800dbd7aad084b265

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
64KB

MD5
e98583e2f3157ea2561f40a91a79b195

SHA1
770932f48dbea7a78a3b21e3df65e329a27313ff

SHA256
f6b3de2ac1e9c449daf82a3bd6fa52d2ed60e73e8cdd25d5d2194586a8d10de2

SHA512
cfa97067447a389dc5439dc42ca467f97947fa7010314cad0b99655688361721720bb33e34a1c7b22c93d807327b756109f63d15a40df5aaec620b0d0e1acc7f

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
15KB

MD5
9ebf037434fcd840dcf0685241728b9d

SHA1
5b43f067277564fc330eadcccb7f4feda9ff5b2f

SHA256
2a2a9b76ca8f3573d0beed65b8cd8f6bb98bfa24a62c4c3e2be6c7da65009f12

SHA512
18f96dab56c002dfe2abef5f283b82133da06c2c0c9d3db2c70e3a5ea3f22c46839b418ca2b19af5ac58925f5bd12ca3b7b40e0e6f58bb6f2c54ea06ec638e30

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
88KB

MD5
acd048a493cc71fae18be64c2c1372aa

SHA1
62aae95510ed81ed8c675d900f1738aded3c5bc9

SHA256
0ffbd4b56ca2351f3805fcea5422b278820265f752d306ebcbaab4e517bce39a

SHA512
85b92cbbd9a17cd0bdba7b4b1654b659c4bad96125309780b68d4b63673aa1410d4adf9554c2d1f511f9311070868262a74af456594c9d218c43ca851c001e4d

Download Submit
memory/2304-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3848-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3848-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3848-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3848-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3848-43-0x000000006E140000-0x000000006E1D8000-memory.dmp

Filesize
608KB

Download
memory/3848-44-0x0000000001130000-0x00000000029E5000-memory.dmp

Filesize
24.7MB

Download
memory/3848-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3848-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3848-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3848-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3848-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3848-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3848-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3848-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3848-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4952-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4952-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download