73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
299s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
23/02/2024, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1256	b2e.exe
3744	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3744	cpuminer-sse2.exe
3744	cpuminer-sse2.exe
3744	cpuminer-sse2.exe
3744	cpuminer-sse2.exe
3744	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1428-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 1256	1428	batexe.exe	73
PID 1428 wrote to memory of 1256	1428	batexe.exe	73
PID 1428 wrote to memory of 1256	1428	batexe.exe	73
PID 1256 wrote to memory of 2784	1256	b2e.exe	74
PID 1256 wrote to memory of 2784	1256	b2e.exe	74
PID 1256 wrote to memory of 2784	1256	b2e.exe	74
PID 2784 wrote to memory of 3744	2784	cmd.exe	77
PID 2784 wrote to memory of 3744	2784	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Local\Temp\AEDD.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\AEDD.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\AEDD.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2D5.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AEDD.tmp\b2e.exe

Filesize
2.8MB

MD5
1cd1f1463362e82070bd38c1ad8de2d3

SHA1
02b59eedcca64d1bcdbebabb05228cd292c1fdde

SHA256
80c54200113264848b0a02dfef414bee7e1000ae8db116136fad1a6474d43e29

SHA512
f67290611bf4653411f513f696f93add280763b3da208f3ad6a5c2b171fde413daf0d6e4909a13d93a08eed4946e98332ba40d07e39ba686cf356da9d87c355f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEDD.tmp\b2e.exe

Filesize
2.5MB

MD5
35ffee4e793de9e8635fb4a825da13d7

SHA1
33e645756e7bd58ca2b085febdd3abbfc9e0627a

SHA256
46ff93e4e4951c8f7bcd739c955a7175131da5abb67c7e57cf339265aa6f63ab

SHA512
edb5cff501f7558320ba7644d226753cdcee3b2ca390ccd5a218ec3442766aed66d82f12d4d20ce264c89bc1f3f155afc60ee6c2e58f024ff556f65662f3366a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2D5.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
128KB

MD5
87bb74a6790018700645a8310bb9a32a

SHA1
b0e3e91efa12e0df5ed4538d3b549ab5d9f6c16b

SHA256
ee6a846f1dcf082d5216bf314e65e1428af13ce54dfaaeb371d1c54f330c5298

SHA512
702e12a0858a1dd987d6a761f0ddc88fee9bce38be3d71f8c9be3fecc8cc6e88763967140f83caf4f2e10109ab95b811bb70bc70ff0b5cce8f0f32713ad3683b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
128KB

MD5
9746d1ac79c8b499d8b2224394581fa7

SHA1
36b1985eabfd8131ad9f2b7f69c903a3fce67629

SHA256
77941fbe96e0c797e6cf5419ee32bd3fcee69629cba37750146656a660c37182

SHA512
61a6174e2aced5b85cd614ad2f9d3da24c6b91e1fc04e10ff818222c4323cd043a59708bd35af0de84b004bf492fbc157d72907cd1e7ddf7082fc2a3563ef183

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
64KB

MD5
7fcedb6e973c5df3b6652a2afafa6a13

SHA1
116728803559ab58a8127544df80b75a0dd1c6d2

SHA256
fd7191afdecd35b78a0c0ca0457cbbf42ffda1e52263cd785abca5f047b18825

SHA512
05c86bf84079a2cc13dc7a1a917a0839ccd2b18e0440c4bd419c99f65c4161ac69a9447f56bdf6051b2fbbc49b7556fc3717432d0e293dfae2921c0701fe64fd

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
5.4MB

MD5
dbefe05d4f1077997e9b3986d16468cd

SHA1
6a4539202a5cc50450139045a465ec383ecc784f

SHA256
024f4bb4cf5a27bbc9bb527c496a162763eefd0ad511f4344449ec4ad00e367e

SHA512
d1a8b9a6b30611501dd0ee95fec23619d214521ba6b24bc887bfaa71d9291f2048ccfcba440aed74a5e8e60e1076f07ae73a17010ee0f4e7a287cdd17fcf7e1a

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
5.1MB

MD5
a88372048aeb5e969e69f038273687b6

SHA1
7e836ade8c773d1589ac61962de7befbd2ada0af

SHA256
355ef2688cc32d5fc38f7d514c5290b1d5609b64f3e93bf7f1d0dc43987a2bd9

SHA512
5d2ba10b4afc505a5e091b468fabdf740d6e171abf688e2e933a2f70ceb6e7261f2cba0580f8f0e76bf4972e001fa90c03f4c3f31363c46e58a1e9ff2af8c9eb

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
64KB

MD5
6cccf65bd7d7ff5b53aeb882e15c462c

SHA1
a9822b63ad70c6085ed1deda0fbe4bc5fe555f3d

SHA256
1379cd6111c2c37cf16f2dd9b325118513e85c35543ba45e79deb504dd4c01d2

SHA512
c174b5f8615131c2b86c57aee166744ee1fe02ff7c916195f2fde06684f467545a3fa4f88083335e2045d12727d774279dc8672ec352de3095b729aa5d1dedcb

Download Submit
memory/1256-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1256-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1428-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3744-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3744-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-42-0x0000000050730000-0x00000000507C8000-memory.dmp

Filesize
608KB

Download
memory/3744-44-0x0000000001110000-0x00000000029C5000-memory.dmp

Filesize
24.7MB

Download
memory/3744-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3744-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download