73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
23-02-2024 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
60	b2e.exe
1096	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1096	cpuminer-sse2.exe
1096	cpuminer-sse2.exe
1096	cpuminer-sse2.exe
1096	cpuminer-sse2.exe
1096	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1416-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 60	1416	batexe.exe	75
PID 1416 wrote to memory of 60	1416	batexe.exe	75
PID 1416 wrote to memory of 60	1416	batexe.exe	75
PID 60 wrote to memory of 2180	60	b2e.exe	76
PID 60 wrote to memory of 2180	60	b2e.exe	76
PID 60 wrote to memory of 2180	60	b2e.exe	76
PID 2180 wrote to memory of 1096	2180	cmd.exe	79
PID 2180 wrote to memory of 1096	2180	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Temp\54A.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\54A.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\54A.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A6B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\54A.tmp\b2e.exe

Filesize
793KB

MD5
f5ae4bc41fec9e1eb42ae86c6983425d

SHA1
2094eb2b91141bc39b12ca19083c878c278d5469

SHA256
9341d84f080184739fc27adabd9877c8a2e40c58358e3017a50902d098affa59

SHA512
77a753a45a44c5ef4d92151e76f07bc8d2daa9925867795f22628e144ea0cfb6990f54fe9186a44872186b07f3e2be0fb64930ec3c198e14df7a2029829aa3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\54A.tmp\b2e.exe

Filesize
960KB

MD5
d15ecf39e70d4d6e278b0da9ff36ba87

SHA1
2139694bf96cc3b6fbfadb8a9c8745b8901bff6a

SHA256
04b2e6191d36dccb7b93c7d207ff16c0702cdec9b64b98206f9ffc7dc7633d54

SHA512
326cdd9b35aa3dbd39d2fd4a22dd78f732d481f05ef6dca085cd086d8ca91502f3be961b44e5c4bbf2ebf947ffc4f1b4d4703593951fce22acaa418a77741434

Download Submit
C:\Users\Admin\AppData\Local\Temp\A6B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
569KB

MD5
013346bcea5357f226da777fa899f0f7

SHA1
437cd7e4aa95c536b649240f6b8c504089642e9d

SHA256
b8437394922ab2b1468e12ee0c44e56c28d06bc96ee6eec6dd7563222a12037e

SHA512
174710f9edf145751c756ec11b7290c575efbc16f614ae33162b7fa41d90ce49489a7672f5eb30410a4d7047c15255044ffb3a1095f747c40a3fa292af01e84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
690KB

MD5
254f812a891640ed0f83efd3a7af31bb

SHA1
95163568c6224bf74c7490e1ca85664daa1de888

SHA256
c101bd6ff38d7d26925dc6ffaaa2ef0c6c4b66e76c5ffcbc211085bc10f89064

SHA512
9547b78706df1f6d4803d59272c39429745df0eb49b0dfe4af4a9e44790446023e53c71fa79a8deb6e2283fa61ddc9d515605bdd5e68536214de0065c7dab42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
362KB

MD5
2d276faf72c095a1dda34721b7a16304

SHA1
c74346ef44e84f3aa7fa677b82245bfa66b42b3c

SHA256
23f0f6006d656e6037ba6774d309d34d86f61d8aeca564e4c304e8d670e8932d

SHA512
1bbeff05802dd64cb0feb9e2b92d0cd4601a88da1aac8d6f2e69728ff6e35700f6b79e4673af8e8ca4403278e363683db94d4e1ed8508f613c691093c0da560c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
559KB

MD5
9e668d8ecaddd0814b0789e38a89344e

SHA1
20883b9e6d0a1cde75dd02b6182e671625f40c3e

SHA256
6407596dfa62e171567ec29d9a6b8917faf29c457c942b787a6ae4a38c5d9b34

SHA512
b247f83bbcfa04699313af4829ddde2202ce9aea07a2eb868664778e9b6ffb08a646c01b9d46db60b27a0f3a947bba8e1f32690f573aa449a2246ac7b7436a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
448KB

MD5
997b36990d882af961d9436f0ce8961a

SHA1
4a6d31963d0e2fa527789e7b2520d9791da0cdd7

SHA256
e296fe0b9e4d128783fc6ed28fbe202dcc0fddc9fd2ca555e3c90deeb890c472

SHA512
9cb6c17c5fac6b78344af3d1fcf5276f16d6b59cc9d6f2c71e52d72e2c7956a3f9ece2f71896fd39822646be4111175f9c386097bc30abae8f7ddb74563bdc6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
460KB

MD5
f8dcf6fc8acf645fb726d92daf5d7657

SHA1
6959b753b4081ee09bbc3a69523e7e64fc5ffad0

SHA256
e3b793fd73870224467aa5261cdaa93fa252a4fff47bec0229e26f2fd8057f9e

SHA512
b398d738b6d7a30e137cc00a0a270183927c02b496dcb6a97f61e357dc84715bdc4f960d21069d558cb4648697a2bda30b80945277bc255f107aed0ef664003d

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
378KB

MD5
c13f091d12093f2194037c2e811d5d43

SHA1
1891bfaf0ceaef679cb53d59fbd87946e4088997

SHA256
050631fccde03ba505af1afef98a819048a5f30cd5b8f64f97504040918f4e62

SHA512
6322881d936b724aa89bfca0cd4af8bfd62d7b0a792c46e5129d76421e94aa9fd1fd3cf6bf1d798c20dc0e48cb86d3a2311ebaee1ae8bd64890ab65288cd2da9

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
553KB

MD5
65831d70f4d68526383e9e96492a40d4

SHA1
a01605488860943ed96c7cbc0680c32f41bc35c2

SHA256
a050d13e2482c8864c099f5f84781d582051df1cda58608e1ba3da4c2b1df38a

SHA512
b861948429b934d797bbbdafd633c07b877edd645d7cf188ba78b5672a0d2d81f23e0b4ed44e06ad1c62c89debe5daacd6f8bd23ca49e802c60abf1c9f6728d7

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
422KB

MD5
28daaee10d0167fd0fe32bcd4edc8897

SHA1
a35e3fe1a0f1f5691a8afb2b2e8ba1b52eb029b7

SHA256
6a2a6356dc151a057f25251fcb6dad4858a4a77fd1c013c29adee20bc4d99125

SHA512
5a7c276d826124cad055f180fa818f3befe26551fa9996b3f3ee77e926b49984ce003e7650168f91f303169ca9424556fe8c073652c97e53a2e043d59be56818

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
376KB

MD5
a93297b11e9fbe7dbdb429ad604336dc

SHA1
75c313eabf5971cb25a6ff0c2ec50d85b7ee2ff2

SHA256
2e18bf6361ecf0c83794fab4f918fb38e63fe1fdc7d8938a8896f5222af0893c

SHA512
fa0d16878b50850ae54b793fc5ae44c860e3be637f0dcf70343b667d6cb79f2c5b0466a5bcf67c1d04f991c7a79c4bc06d7f968aeb31086fe5f10469ed80c951

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
128KB

MD5
8d949f4e279a9a80f50d7c2e0c7bff36

SHA1
92e29300716211895b2d8cd4cf010452f0132152

SHA256
2e87614d15e62262c8b0a0c65e302b15e971b591469f3c679e7e516934cf621f

SHA512
36565dc0a3290ac8c5e0fd0a2756764ce8e49a7ef52a437caad549c7ea1ac3ac7dfe05cd4951ed6b17051768fd9733c94365d85832092c429b0b74ab62a338fb

Download Submit
memory/60-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/60-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1096-43-0x0000000052D70000-0x0000000052E08000-memory.dmp

Filesize
608KB

Download
memory/1096-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1096-44-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/1096-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1096-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1416-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download