73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
23/02/2024, 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3880	b2e.exe
3364	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3364	cpuminer-sse2.exe
3364	cpuminer-sse2.exe
3364	cpuminer-sse2.exe
3364	cpuminer-sse2.exe
3364	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/780-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 3880	780	batexe.exe	74
PID 780 wrote to memory of 3880	780	batexe.exe	74
PID 780 wrote to memory of 3880	780	batexe.exe	74
PID 3880 wrote to memory of 208	3880	b2e.exe	75
PID 3880 wrote to memory of 208	3880	b2e.exe	75
PID 3880 wrote to memory of 208	3880	b2e.exe	75
PID 208 wrote to memory of 3364	208	cmd.exe	78
PID 208 wrote to memory of 3364	208	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\19EC.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\19EC.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\19EC.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1F1C.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\19EC.tmp\b2e.exe

Filesize
896KB

MD5
1f22d8bf5f6c3dda3e880ea1ba0417d4

SHA1
2a8dbf2319999a894714bdea650eb5be32c64c19

SHA256
afb7da96abe31529f462178372c48627a7e681e3c18cd2196aec8beee07f5b96

SHA512
217b89f6a74039807c135539482b1a769d715190f7756e2b0162a33da3d8ada909b80ca3fc1596e542f163f6a45726282997f4e52a36c352cc89b9e58c1e6e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\19EC.tmp\b2e.exe

Filesize
4.6MB

MD5
7d7868459691a2c328873b785a431e5c

SHA1
6c3ff9e0d21a95df0900c498d1bd6b29b6a780d9

SHA256
fc1461f288f8798085b382f92a49c1f41127d18a15ff96d5c772f58a34c032c5

SHA512
e6cd8ff58d9b05ea241678f213047b679b1df9787d5f3608015764a4bf3b46bfb6c76e6b6c7407cde0c1200d5c95720a602a857710b3fe615990f4cab5269b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F1C.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
303KB

MD5
a2ebb772dd608cbeab1cfc225c0fe404

SHA1
c52fb8475b9b2951047425ca5e3ae92e795f6d87

SHA256
2bfcce870252446432b9107846857d8d1987f01b413b0c4c9b980aa8de26862b

SHA512
7f4ab33626d1a75455f49d0b4a1ed3431fa1b011d66a39a3aa9a9ffc915e6accf6e4c0582d04b6ce71d3b2fdfe7da04f3482986fd9c7b4dfffc4d4fcc5058b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
100KB

MD5
bd921d5b0962caee46a47168692fa812

SHA1
dbe4de75b7c1ddde4adfbd8efec1ae2a8dedf2a2

SHA256
9670d3993ae3f64998a4f07e2f371925326606fbf1b502a9d204f75788264321

SHA512
d4537b728c721400088fbc269c3804a00be2acd28bc85101d29742fa47698a6aa8268809d79a1afa7c61bf0b8edf3194d02df5e56b99891883ee9b000eb90009

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
186KB

MD5
1b127ba901f9ff57f4564bb767fcd646

SHA1
78fedc16f1c920ba9eccae63959202d911d850a6

SHA256
07bfd8dcd328165e6e405d30f7469bbaee4c247a303b44fdde2a0db44a19846f

SHA512
bcc22e7cca0772b3acfb43eff2e8aa95d706e98d896950a4b53d9a6f3f310892735920bbf23a0d39bf7141903db4f313dbf1d6de5cd4dbab2cb2b6545c6559e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
164KB

MD5
0efdc8e9a41e815603007096ddd6f6d9

SHA1
585a2b4aab2e96449a8f333fb98e0a61d281a336

SHA256
4f0397a71bec70e3e20ded1a477184b58430c3fbdbef6708913201306d5ad38a

SHA512
810d7ecfe8afc48948b1b1a0c85af5c61e770746b2875f4956f8df6c491008052c1dd6816d298678a03c20e64fc623a66223e0345459bb364016f340aeb7f476

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
31KB

MD5
c5cb93b67c713728c42d86e11ae51494

SHA1
a5897ebe925d1aa5414ebda8084392dae49c298e

SHA256
6490f164f7364efdf2b0749efe2b153b5100b84755994da8cd0807353439dfbc

SHA512
cff79bcfa66a3868e2e5076e3eab7eac191aff6c23d0fc5f1ea71b2efe100df8214f5dedccb3a2841bf15b84b61d2cd40b24b891a6a063e356ed6ece7acba27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
64KB

MD5
a921e7514a98a78be27f7a0aeaa0b8cd

SHA1
f9aa00748fdfc1524ed8c6fb0a0da9f6c0b6fec7

SHA256
162d5cd7ffbd0d80213dae6caa0d4f6a9ec0bee9399121750c7f4a317cb63b0e

SHA512
cfef29d70a6115907dcd8e6e9a5b62203e42f926cb349a750645ebf8f3393783e9b63f357f520cd647af85d7bcc8235b874c2e3f5326717bba554e37ee96eabd

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
57KB

MD5
e1decfb90b3eaca98b405d96c3f20dca

SHA1
b64766693a58cde8a9a2e6abc6f826de9ed4f904

SHA256
bbf5f3ce3eb31dab5f108303948c582911dec01f5dee104c29b7039698bdfd1e

SHA512
07c049a8469bf3e0302c9d8dd79f9ecd2cab235f3c9ec2263429aa6e71d6ed280cf1063e726bb8b841750a87536cdf2b193c9651dd1bb2a98f76c7cce67f3607

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
116KB

MD5
db9f8201b09978cdd502a38117e57edd

SHA1
509b79675178d3ff7e049a9868354621af0d420b

SHA256
317551401ccb0a1b2c8652778558a93d63910029c0ed2f8dd1cee4ded6598794

SHA512
84e9ea836c3517c8fb25e113cfe9ceecb96e639285cfeee80b3040684587943d6dd24f7795c3e863efff99428640c359891a66701ee6955ec010d74286081800

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
128KB

MD5
9746d1ac79c8b499d8b2224394581fa7

SHA1
36b1985eabfd8131ad9f2b7f69c903a3fce67629

SHA256
77941fbe96e0c797e6cf5419ee32bd3fcee69629cba37750146656a660c37182

SHA512
61a6174e2aced5b85cd614ad2f9d3da24c6b91e1fc04e10ff818222c4323cd043a59708bd35af0de84b004bf492fbc157d72907cd1e7ddf7082fc2a3563ef183

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
109KB

MD5
950fa209490857a16c95d65ba7d77724

SHA1
15d2ed4ab0d42f10a73537e9ea53d5012dbefeed

SHA256
b897a108306c34f7f5151e0829885dcd6515106df10c930922b5d36e1669afdb

SHA512
f883716a52946473804b8a526423b1079d2812eb5596def3da01c45720d4cb9352d7fbe85ad3bb165efa6b595818c132b8729e691ee0f94ef141e57bb9e0ee57

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
47KB

MD5
f6dd7c4968649bf725226c708fcb1283

SHA1
1d619e5ece84493cf3732cbd6830bacc7e9574f8

SHA256
5d188b9fbd3bdb1ca6632c908b74855b4829656e0aa8d843b0cdd743d53c3ba6

SHA512
4f407b81ba9e04f57be277cd63ebd5ae367b196573e1f55a8689c41f634dbae59a0f4398541790a210a6040b35e9cd1c4bd51bb1ade96fde379a38b66d7aea37

Download Submit
memory/780-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3364-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3364-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3364-43-0x000000006E300000-0x000000006E398000-memory.dmp

Filesize
608KB

Download
memory/3364-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3364-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3364-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3880-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3880-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download