73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
299s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
23/02/2024, 16:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1592	b2e.exe
820	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
820	cpuminer-sse2.exe
820	cpuminer-sse2.exe
820	cpuminer-sse2.exe
820	cpuminer-sse2.exe
820	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4764-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 1592	4764	batexe.exe	74
PID 4764 wrote to memory of 1592	4764	batexe.exe	74
PID 4764 wrote to memory of 1592	4764	batexe.exe	74
PID 1592 wrote to memory of 3832	1592	b2e.exe	75
PID 1592 wrote to memory of 3832	1592	b2e.exe	75
PID 1592 wrote to memory of 3832	1592	b2e.exe	75
PID 3832 wrote to memory of 820	3832	cmd.exe	78
PID 3832 wrote to memory of 820	3832	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Local\Temp\4BE.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\4BE.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4BE.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8B5.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4BE.tmp\b2e.exe

Filesize
3.8MB

MD5
7a69624f7316e5fac68a079a6cf60a81

SHA1
447571efee607e9f5f76959049bd7c3ae6cf8c08

SHA256
b487f8fd1607ad1c71cd1e896f00c0b306f894bc2e0f8bff05496c9b670ed0ba

SHA512
0430154ea7c1c9d7aa479ae0bad090e15b009de546085b382b2fa6b4eb8ecc157a7405e56bffa1b860e2dccb7f11e9f7173d018e8b6483982baa3a135c741d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\4BE.tmp\b2e.exe

Filesize
2.7MB

MD5
8bf8f5c9d34334938bf32fc15bc9404d

SHA1
fc6b04c193ad23f74ea2a395d67fabfd9ac4aeae

SHA256
176555a7e230054dfb5acb067e8b9306657c5c574f903e67fec1ffe8ecd0a372

SHA512
47658beffb531e00acbd6e1949d549fc8a936f8af46020fb94f6664bac9d153137fdbd2a9b8fb0a5747a06810949cada5de0a014bfcb1928819904c906293dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B5.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
832KB

MD5
43dd8ab1a0fd7f177db516faa81a9635

SHA1
66a8b6940797f3396a4f1a6deafca1fda5bffcdd

SHA256
d4b58fa7e09511b58f312b57e2067823a7f31ff5cd6369cbf5ef3667c27b60ea

SHA512
064753e38fb6e2d64a8ce067a52c24b55eb11cf714a534f3557a0e2bd2f5fba16030d8496c7787f4b272ae6a696f4b017d99771488832d12711a7158c927f772

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
640KB

MD5
0f6af9e19fa927d88313e98d54420920

SHA1
0aff9c72864126107d6c630aafb9ed6512042afd

SHA256
71661d7077b93e2a5e53d7093e532bec1b66d34e3929bcb314eab7f431b84734

SHA512
bba078e2f4eb5ca45956657356f7419767a81679f34d9991bf28a1d44e412340d1002517f74a15583ffe20b32f1f25b60c47f4581100552dc1e651b3f88547be

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
704KB

MD5
903e2cfee96d720dd5200a922b637d07

SHA1
f6d639d7b6bb586abcb5f97b1b212252ed6c85b2

SHA256
443ef0fe0e5e9cff04e267b1bbbbc98b547e5bd38a853eb79d06a43a8e7d17f2

SHA512
c9c357be28d1d97bd5255d88bc64255f452867407c3aa4c99b286913286780da1204691a0344514f070b8bad391980a88b165eb1e8e9ee97f77ef02eb85071c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
512KB

MD5
6162b21c54b88c5c990e82aee951ebb4

SHA1
477384ab8ebe5f5a5d5a91603736d9ef53c12fd4

SHA256
462eb68967c7205145d0b92e4f3b69297f616187b07a189178f35f288063aff4

SHA512
6264ee49c4b8a6eaa69241e10ff9ab39445f85a57b756b8bc0530b45d77827d05e669dc06b689d4693db34e4161ef11b2cfe6f1954b0b90bcd434e81a938a40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
576KB

MD5
13746f79a51eb8ce3107de99ffc6b56a

SHA1
64a00c99a805f8775f08cda4e4d06e1150195347

SHA256
2c04d5960f13e859d49c78a8858bdcb0c53914306eba52746105a76d98f5d205

SHA512
d0e69c6cf0078c858e8258a4038098e644d611b544b6588b2b1c9d2d2937ade0472edc96257545f5935514bfa18970f5762eb393def612c5a7027727397ca8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
512KB

MD5
5fd46a66845c804b88dcd97ffcd66652

SHA1
9556ce5607bdd245c8e4d6a24b8217def653f57b

SHA256
b7fd85a2268a4d62fa15fde3d9e51d6fa3bc865cb4d8e5fdca309be7b027f193

SHA512
0896697d588401a6d29c30e77574ece4f0ba699b082b1bad93964748313a5903eb4994ec81c61bfcbd75f2be3f5200dadda3fd1454381cc5874a9c8952ebeedc

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
512KB

MD5
a5993c0dd7587f1716037dcfe1f63091

SHA1
9a4d23ce36f5fc5791692b47d977c0bf92842879

SHA256
568cec1e1bdccf401232a78c8ecf2081fdaea221f0a7c777a69ec61307cca3e3

SHA512
c5457590162dc1a0fd6b179ba94f19e6265e2ca226ea1ec553358f568690bbc158335ee92c297ce699b2928d44702733269f82640d86bb499c1981a5903afc12

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
448KB

MD5
8185100383d0fe360c9198e5a883b08d

SHA1
ab398c469573f8e84d3cfcef01287a0604d6ab5f

SHA256
05ef7288b0d559bf67c3d69c201da9bdcaed0b49ecc538640f7b96c5b82eb538

SHA512
24930ef0caa1f2db2ed60f7dfdb832a172cf7747b0a336b051f73c0087a5f2fabff721487cb49cf5a3bc2be5426554b0a3a0e51541b6a4ca735646af24f1404a

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
256KB

MD5
1d86b9560854472453237bcbaa2e253f

SHA1
5a03a7902d250377a3e9f746badcb696e2c98228

SHA256
1493703a430c68bdcedcb4078486daca39a02820199e7b72017c7b1af66e1c8d

SHA512
afbc3d7f8e06e41db25d666999f4d162af7054a66b17a651ac8a7f092f83580a067bfa2f558be65ace5966dffaa8735fe7a579e88bf42b34eaa3e72cdec96699

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
249KB

MD5
5cee2006a99a26efc5ead10c4d9a12c0

SHA1
d0ec8c08239308b0b074e3a5c2a44f0852b6ed6a

SHA256
1a1728b60c1615ee81dcefdee75ebf195426d5117539496700e1564b7459045d

SHA512
7fe1506af966a04a921dd723d2f024e8f183727127e3aa5fb5d5665ceeb96cb673e3494008121640fcd32719bc887b9a1883f91f00670cfc2a74184c3d388658

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
448KB

MD5
9d1a04f05f75671a5a3ffeb995176c52

SHA1
a45018bb6a5dd52b310c1eb77262354365925a76

SHA256
c777e9d786f5d1d13f78a925453804bf53ee430a38f893f115c2d1ac0f2f07ff

SHA512
d19ea63c26c1d41edd5947d0c5ae70e2461c876563c2baeb1fd4a3986254f7919f8d4c32a9d6b9f4c51c4d5a23ffa90a2011d293a106a0a8813295b2bee06e1f

Download Submit
memory/820-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/820-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/820-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/820-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/820-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/820-42-0x00000000733C0000-0x0000000073458000-memory.dmp

Filesize
608KB

Download
memory/820-44-0x0000000000ED0000-0x0000000002785000-memory.dmp

Filesize
24.7MB

Download
memory/820-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/820-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/820-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/820-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/820-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/820-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1592-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1592-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4764-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download