73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
307s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
23/02/2024, 23:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2496	b2e.exe
4708	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4708	cpuminer-sse2.exe
4708	cpuminer-sse2.exe
4708	cpuminer-sse2.exe
4708	cpuminer-sse2.exe
4708	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1484-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2496	1484	batexe.exe	73
PID 1484 wrote to memory of 2496	1484	batexe.exe	73
PID 1484 wrote to memory of 2496	1484	batexe.exe	73
PID 2496 wrote to memory of 4036	2496	b2e.exe	74
PID 2496 wrote to memory of 4036	2496	b2e.exe	74
PID 2496 wrote to memory of 4036	2496	b2e.exe	74
PID 4036 wrote to memory of 4708	4036	cmd.exe	77
PID 4036 wrote to memory of 4708	4036	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Local\Temp\53B.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\53B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\53B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\53B.tmp\b2e.exe

Filesize
3.3MB

MD5
c30512c0a562e7bfa93291d3cc381609

SHA1
a99a58416f03630c477b7c885e8b51bd5257b92f

SHA256
047420b4f4abdabec2292bcad06ec2f64f7658c6e5e7a205f4446e771b757ebc

SHA512
425e484f71b9a114a1c61f4a154b6c4e7649b04e367ffa7c4407d350e9f0e67df25e5f4257b3c34e51122c4ce266b827f0bfea85f7492847d45b9da9ff039532

Download Submit
C:\Users\Admin\AppData\Local\Temp\53B.tmp\b2e.exe

Filesize
2.5MB

MD5
209846946c4ad024d566886d3ef583d5

SHA1
45b397828b34e1400cca2dabff37a50f86b61c00

SHA256
57bb3c5885e79e8a1f634ae74dc8563c1f8e5b905a45e1b46fc227acece56163

SHA512
f6893e4381ded92cc58af7795bbc9a128e71048ad29c819562bbb09db57e183c09e11f8110cd3811927766b21b530854189ed379801adea84c2cc75b2f129e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
767KB

MD5
f589e92db51ba602b0fd83fbd6133372

SHA1
afd54646799426d4372285a7e8c4a00242608ce1

SHA256
7d29fd690028c815b7188d69bba565fa678d356e837e0a96a39645f00560cc6c

SHA512
5fd40079add8c43178d3090552f8ea06b08429dcdc9b8185019b1de3c97e5b9acbe297c7827cd851e329ffb569acd4dffa5080141a93cbe7e52cfb74cc4f8797

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
741KB

MD5
28e5f5504ad458d10a224c89c818460b

SHA1
dfaea8756f4a683430fc1d4fc98d87c68e4c622a

SHA256
bc7a0ff17eb703e399ec8728c8ca387c3a0b4203c49b0d44de27d945d98e3ce9

SHA512
cd3679623048946a655f46c6f79e2fe7e609458e9149c373728cafc7fdd1478af915eaeddd953a1b6b840455b90c741fd428e7ff6aad4a4a5b0d4cca3d60ced2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
266635c9c5adc12d421aae9aded619bb

SHA1
6c2133d88c8cab24af3d4c97ad44107f1654acd9

SHA256
0664a55e813be1d6ae63ab1f11657cbe3730e42204a73f9c5947ba707ffef523

SHA512
7f9bc96360a1bafece252359c2c3abf6a4a6b5810e50e6f2e66ea2d03c5b3d2a466b623d1a63b005060eebf1fad35881ee848dacc7fcdf63d82cd4efd5bcee83

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
6ccd8cfe099460517facacec3d7493a8

SHA1
31c80a1d93b9cd4ae3fa5d2f19bba835a690bb76

SHA256
e59901df6db41f6ee2d7c7ce7de3401f5e9cb0d7cf70f51d4fdd84e6ece096d8

SHA512
5ab63e79f612a776fddddce1109b67a0e14de37364caf35bb9ec95ce7bfb23058893afa49b692b0798bee7946af71b3a338957432c3aeee287faa0b2fb190ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
924KB

MD5
34fc7ae89e1ebc161fe44aa2be14e917

SHA1
a15e01c65b864f2644f3fb2938e67224f8452bad

SHA256
1aa552cc3c889c6884d5b6de272fbb58e4b1f2f1b0238f599d8716958e27fef9

SHA512
a09b88df7ec12fae29b839ba97f0e9523b264526d28c22d33aeb228b24bd5d83d113e4effe9c38e33adf6a0520e0c859d68913bb35dc2977ec2be4e8eacf5c42

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
988KB

MD5
79ea74e4b634528336d93790da8f0ddf

SHA1
a7b0adf9425f9894cf7993ebad0b2b4da651652b

SHA256
490a0e92ab1d19217a9426a6d884366f03a4db66a07d744321bd55868f63ca7c

SHA512
b57d3b0b0b2cfc222c97ede7e8ec178e7dac269cdca839fa01ad01e2e297eb2d404c755ce28c9fcdf8263efe08de97deb26d64ddc7cf52ab8c5d0e49a45e151a

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
952KB

MD5
f9061aa086628fc2a9b2fca0fb44fcce

SHA1
349a216b6603ff3d0c12253730fabcf13c36eb31

SHA256
c11f832c28002e2d07b020d811bc88dc84d0358b01b1f2f07caecde844672675

SHA512
ac8c78cd27947839becf0fb55bd23744a855bc104e622299f396117e2d375fdff5028ae1bb01053767267618828a0aee44ddb01def62ce7c5e72f0d726e4f9bc

Download Submit
memory/1484-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2496-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2496-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4708-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4708-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-43-0x00000000660A0000-0x0000000066138000-memory.dmp

Filesize
608KB

Download
memory/4708-44-0x0000000001030000-0x00000000028E5000-memory.dmp

Filesize
24.7MB

Download
memory/4708-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4708-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download