73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
301s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
23/02/2024, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4412	b2e.exe
4656	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4656	cpuminer-sse2.exe
4656	cpuminer-sse2.exe
4656	cpuminer-sse2.exe
4656	cpuminer-sse2.exe
4656	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2888-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 4412	2888	batexe.exe	74
PID 2888 wrote to memory of 4412	2888	batexe.exe	74
PID 2888 wrote to memory of 4412	2888	batexe.exe	74
PID 4412 wrote to memory of 4048	4412	b2e.exe	75
PID 4412 wrote to memory of 4048	4412	b2e.exe	75
PID 4412 wrote to memory of 4048	4412	b2e.exe	75
PID 4048 wrote to memory of 4656	4048	cmd.exe	78
PID 4048 wrote to memory of 4656	4048	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\8453.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8453.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8453.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8685.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8453.tmp\b2e.exe

Filesize
3.6MB

MD5
ede0f0249ff001f2b0d6d83ba492a341

SHA1
5c17a5e024ab0b32a7f7b0ec8b00aac7ec138db5

SHA256
28f439e2983f36aa9669b9495196221129910630530b247011cec65274ee2142

SHA512
c8d12f6ad7cd76d6726bc2bdf8b5e21ad99dabc36d6f022b0548c084a855d6525dac241452194616a6968f8e8de6244a224eb07c94f63b8e66cc4024e1515ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8453.tmp\b2e.exe

Filesize
4.1MB

MD5
756eeed695aef692155e426616a2288b

SHA1
24d194ccb4d4aaded4928b8470db1ab3c81d6345

SHA256
dbbcdd71ac9417371576a1b9e8f568d01c94f05801a501d06276e272ffc856cb

SHA512
e2ebbcb0b0c106d008c9251cc676bafd78a8032b17d6944074061826973aa28adca9784df5e18a0ddc1c9fb696bbaf4871b13e3f6493e5458d5db183ffaba076

Download Submit
C:\Users\Admin\AppData\Local\Temp\8685.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
219KB

MD5
231599db0bbd7d5079eb5e81e770c831

SHA1
e43f7ba9d9742730ac3530ccf50caf4926fa0446

SHA256
bc4a13709d0fbec298ce317281594cb1187b43b562668af1ecd419dac2a31317

SHA512
f651fd0faaa92890efeb9df91a82c9dab53a303fb4a0750298a04cb2130469893e45011f7dcb41762159734922db2f7e48479b7cb2e9c2abdec7c7f016dec472

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
320KB

MD5
59d36bdd941feb6c770ec68a37e8c21b

SHA1
1191d1e478164cd720974ea1ad2bc248999a8d45

SHA256
d5227dca74d9be12116b359c9d61265b102c0986eb6196e269cc3e3b895c0293

SHA512
b1620dd0763f2f7c263ae69c71eba7cba29d89f1bb551356abb7073e4e7013347345c43f2bad3c4733300c5b98feecf2fd91db2a363c9e5dcdd87f170edbe406

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
128KB

MD5
0cfc533c46d2f160fc8d8483706228cf

SHA1
0d13ced09eeed5fc3879f418bda0410a742ab6a1

SHA256
510a6af4547083718b32dc00d4711cfff2aec0e7b936d4199feaaf32a7d5d3a6

SHA512
11e35867688e7814881981298b6f6948fceaf254d154f5429e5a82c43397b1894bd35fe7fb586b26e4272d8371c3b8e96c20c71ab05b9df3e851291444702a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
116KB

MD5
db9f8201b09978cdd502a38117e57edd

SHA1
509b79675178d3ff7e049a9868354621af0d420b

SHA256
317551401ccb0a1b2c8652778558a93d63910029c0ed2f8dd1cee4ded6598794

SHA512
84e9ea836c3517c8fb25e113cfe9ceecb96e639285cfeee80b3040684587943d6dd24f7795c3e863efff99428640c359891a66701ee6955ec010d74286081800

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
146KB

MD5
7cffb622c922aaac1459e6a82676e439

SHA1
7cd87d0a215d1d71aee8b9e96db2dede0793b563

SHA256
47afc1dd45c81a528818c3d580e881441f679a271c478186968a09b31bca42f2

SHA512
150f72378a07327222e47a0acb4629865ccad0f2de352ab373fac92b2b031b33e970698b9f5362a4201a9d9fca8b6127272bd7bf54f89f6b9c3017a281f62b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
64KB

MD5
6cccf65bd7d7ff5b53aeb882e15c462c

SHA1
a9822b63ad70c6085ed1deda0fbe4bc5fe555f3d

SHA256
1379cd6111c2c37cf16f2dd9b325118513e85c35543ba45e79deb504dd4c01d2

SHA512
c174b5f8615131c2b86c57aee166744ee1fe02ff7c916195f2fde06684f467545a3fa4f88083335e2045d12727d774279dc8672ec352de3095b729aa5d1dedcb

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
64KB

MD5
e7317a0a343dc63f3fa3bf9ca6e93ff0

SHA1
0d48881feb76cf81fc46614bebfa3c134cada128

SHA256
277a43f17ccc4f0fba87c710212de61a41383bcb94410fa093b50ebd50347a63

SHA512
84ef51472db00cd4e90df3062a3cbc29a994c5cf470e54300d4a2f103ba8fb8279ec87b0561625ea1bccd80a7ad664c63457831b4eb919a7608099430b98a3d9

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
15KB

MD5
88b0df511928c415e9697b6c5a73f5ab

SHA1
214146d14a77ffe339c8408e435b70e49e2b4cfc

SHA256
360e754525c09d38da50f253441aaabe645b6263a086ed463f28a23715e25e92

SHA512
1d3aea9da6b90015086890f9abfdbb6dd5a3ebbf095c487338aa9a79b07bab423485bbbe0e34d8222cded365d8544886dbb716ea7ae3fd691655009b827fe390

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
5.6MB

MD5
5fdd39153b482b1291ccce779732aaae

SHA1
c4f777b9dd04b4b81154907ec63b2a0c19333226

SHA256
e0014ff6a44afa97a8de333e9dde9090af1b1397b2f700aacec514c039394295

SHA512
60283961c5744050699cf06cb198c01e4aedbd218c0bbce31d04fa214627609c6956754effeb1762c737a8104b7cdfc6bcc123f7d2ffbb8a797db51e727fb1ad

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
7KB

MD5
35f065a5a77b061b70ba098dce3b5049

SHA1
8dc75047b3a6c71eec197a26872c73412d319d83

SHA256
c51df5a21b3fac79737531dd0e23cb7edac95cbadcf2f23ac78d461d207fce52

SHA512
6f93c3477ad99b361aaafc6c80b5978c37fcd5ad489e2cf5022d4b534770b7f36ed803ee6897debdcb66fe03f79ca004a2ca05a795b1edc094b8e2e39203660e

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
52KB

MD5
a5e8519702eb8470ce0dd604bd80d646

SHA1
05537aa194f7d58207b3cb7b7d3e4e6db8add747

SHA256
157a646d1d1a4e788fcc74d826ad19e8afb22fadaccfe3b427b531bc08e3692a

SHA512
28a185af8b500da98bf0fc0d11d2afc569baff9c0aca94f78e27b98174bf90f6690fba3495dfe061257d8c9e1f12b369ad76e05d718f8dc30a08f8e0393521a0

Download Submit
memory/2888-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4412-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4412-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4656-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4656-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4656-42-0x0000000056A30000-0x0000000056AC8000-memory.dmp

Filesize
608KB

Download
memory/4656-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4656-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4656-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4656-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4656-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4656-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4656-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4656-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4656-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4656-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4656-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4656-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download