73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
23-02-2024 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4520	b2e.exe
4712	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4712	cpuminer-sse2.exe
4712	cpuminer-sse2.exe
4712	cpuminer-sse2.exe
4712	cpuminer-sse2.exe
4712	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2308-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 4520	2308	batexe.exe	75
PID 2308 wrote to memory of 4520	2308	batexe.exe	75
PID 2308 wrote to memory of 4520	2308	batexe.exe	75
PID 4520 wrote to memory of 1924	4520	b2e.exe	76
PID 4520 wrote to memory of 1924	4520	b2e.exe	76
PID 4520 wrote to memory of 1924	4520	b2e.exe	76
PID 1924 wrote to memory of 4712	1924	cmd.exe	79
PID 1924 wrote to memory of 4712	1924	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\7EE4.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7EE4.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7EE4.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\807A.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7EE4.tmp\b2e.exe

Filesize
1.8MB

MD5
9d2f803d3db733d04cdead5dd5321005

SHA1
095b462cf217b4bbc789002d1f1bc8cbd2ac3257

SHA256
9383e927a7f9ca6e1d2584bbc54616d019590fff077340791154537f382d1956

SHA512
8980e80fd37f1e55f09292190dac2ce21ada18bd7f20a8c5f78bc7b5161efc01a1376385bac78a2b0e63ebe5bfcd2e8b427ee2b71d6984232b8c98959181e763

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EE4.tmp\b2e.exe

Filesize
2.3MB

MD5
3d22749e10586c167d4dcec6ffdfecd0

SHA1
8e7f5b5c1099d8895d69cd6ba9c455920f2f33bb

SHA256
0ff963c3db01d8cbb4b6d5105e6e4a17bfa36d538f4e888c69949c0d540af7ec

SHA512
343a3c04262a10d4e4caf16ef294b132df6084625447fe1502452b50c034b26fb616a931e15a3ecdf2dd531c994f375046875dbee7cb6f13b7384936bf7b985c

Download Submit
C:\Users\Admin\AppData\Local\Temp\807A.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
494KB

MD5
60b6bb16479b6caa1e74fa06eb3464d5

SHA1
6182e9755d419aada3cb6ff5eb121f5c17dbcdc9

SHA256
6083f64ffe66dff4485aa3e7a1c3bebb309d3db2b958cd7998c81d07c48113fc

SHA512
692e5770ce8e68cb2abeb98632143ed6980c2a2c99d027915d40e39ea8a6b1323555af52009ef303155e08b99b823b54517bd7222772af527ef3eca1eeed1f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
549KB

MD5
1609a3dd550cdc0886cdbefc9975546f

SHA1
9182fa14b88eb059bbeefbb8327b2b33fb741d10

SHA256
157dce8571e7709558acd29666215d931c1f33d088bd796166a5f937248b199f

SHA512
8152eadd8c9328950f118f9744b5de3378ff7c4de3507a72a9bad254a2d249fdd19e1e54b7885e0282060f09b707e1ee1159fa33920e682df1dcc7d2b613712c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
379KB

MD5
52ac338601683f89665af7ac36f50f8d

SHA1
1001bb00239f5ace9fb283612d4787066a8986cd

SHA256
b9d860609d59e5f668fa3cbf1724b9929c8c7f2f3c050121889f98a2cf276523

SHA512
6b820e6de3aa22769cfe8c40fe3109c900bb301b0eea4922122613174fac75ae50611d08fd0741f23c5379cd1b35d447dcfa60b38385bcbb9ab7c4596a7e5681

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
583KB

MD5
6aa909417d52675f8408402d1862f1fa

SHA1
40d5d94dde35ca5669fcb2849d923537269f4836

SHA256
79f91befb0fa7324ffa8189fc2424bb89f33a4e262e9ac7f2732200363003de2

SHA512
88e5140b61e93b5d30288b7ed5c8838f054f151487fa5d8566c3eab416072f17c14456daabd27416837476915106ec38798ad68ae2bd7154271b6ec2dfa05bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
448KB

MD5
ca123cec7f705c0af114e462349dc686

SHA1
75f90b4d95f6774b2f66e4ba790755ef118ab222

SHA256
7f141cdc0be9c965e21310bcfb0484b20d31ffd8a6a970f8b5a53c0e8974798a

SHA512
650125faa9ae6733f1118caf3101ca6850473f78f9bfc3a87e908eac1c69935e3bc269ffb5de4dd6e867429c1af35c7f3b9e62eb698fa7c9695d68e7115f3f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
319KB

MD5
fc0bcda9d3d296b0800ccf77a952089b

SHA1
0a6071a1d7ab2f73fc5cab5bda7ff482a26bbaa1

SHA256
a1567b5562a30a2920ee082022f9691f45f353b88375bf199cf711979c6c93a9

SHA512
3af92df5c8012e658f68b6067e4db33808ca7514cc298ab4158b3e65a930f33225b34b4a623336da591ad257444fe229d255aad9ec5bafef2780f4ca1375a80c

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
798KB

MD5
a6c538d8a731f0bbe423dda69f376766

SHA1
11d8f3759480c57d75745f1d51ebaf5dcfcc9e97

SHA256
9a94d20892f67d7903044ca41e2c3b9a13f5908584cf05bb19ba1f2d37fe4393

SHA512
de040a0347bf7f91f3a92809e23be3ff6dc8c246c71145238559b8fbc1848aeef61846400e11ae44316c36b540e4d90477586915f92efc76962ed40cd700626e

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
368KB

MD5
b10a0a19a0f3027539418ba0df782487

SHA1
c588b23380f47bb27d2fcfceb25184c2a45f806d

SHA256
e5152bc34cf62a3110d9bd857357757c87811106d43fe065ec4c2c9d9e81c045

SHA512
d0f6e91c1a26a00d599b8d29989e8095bf44905b1a799a5117f64a4902acde3161b184ada190b5e95c2bb3e8c2fdc1d28334ac237e40320d0f3c37b9d285f142

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
551KB

MD5
35dd496b2e7c96defddb60b4994668b1

SHA1
5fefccf890a478c3f1843f9fe7961570ce7a8a18

SHA256
2bc3b3599e54d51b6dc399df4d1d5be9ae0d831a53a27e60851fe1a9df7f8657

SHA512
24060ce8c2d1705ecc91c840d0d8b50c1a3a414ccbd2bc9fd57fc59a898118df7b8cf27282294ef8ec883fec900c4531caef5f1a85a5ac2c3bde38d4cccf325f

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
270KB

MD5
3a3d35fb87983ff8f5be01f3d8d1957a

SHA1
4c6f79c81e75fa1136d0db042d89cb0bbb3d4844

SHA256
778c7e154e0d628ab7b2abb3b5f4ce18ed41b7d2f9c0fca008d003eb7a5d4153

SHA512
338f7fbd214db8d21e9c9f3927ffd836d0d8b68d15fe0c86a5b5ccd089aec8890c22f7e35d6579a3c7874afdeb0e0b03b4d51f68c57507e5c50612a6de5d68d4

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
322KB

MD5
332a89378fdef017df7f2fb2decc4a96

SHA1
23c6b24f04dbcedb3c4e089b3e480fa70c853b63

SHA256
f59b1899c9ee81ea4de35521c7237f060b52c3ea73ec00d7527982653261b765

SHA512
258b9627920a5be1b1cc5041e4d53231e3bd413606bbceb68e4688ac4426a13d83483c3f8bfc7230204e9df37b7d8b90da8a6ecb5935eea7f5dc78dd2d9d6180

Download Submit
memory/2308-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4520-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4520-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4712-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4712-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4712-43-0x000000006D920000-0x000000006D9B8000-memory.dmp

Filesize
608KB

Download
memory/4712-44-0x0000000001020000-0x00000000028D5000-memory.dmp

Filesize
24.7MB

Download
memory/4712-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4712-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4712-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4712-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4712-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4712-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4712-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4712-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4712-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download