73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
297s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
23-02-2024 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3944	b2e.exe
1188	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1188	cpuminer-sse2.exe
1188	cpuminer-sse2.exe
1188	cpuminer-sse2.exe
1188	cpuminer-sse2.exe
1188	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4776-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 3944	4776	batexe.exe	76
PID 4776 wrote to memory of 3944	4776	batexe.exe	76
PID 4776 wrote to memory of 3944	4776	batexe.exe	76
PID 3944 wrote to memory of 4916	3944	b2e.exe	77
PID 3944 wrote to memory of 4916	3944	b2e.exe	77
PID 3944 wrote to memory of 4916	3944	b2e.exe	77
PID 4916 wrote to memory of 1188	4916	cmd.exe	80
PID 4916 wrote to memory of 1188	4916	cmd.exe	80

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Users\Admin\AppData\Local\Temp\800D.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\800D.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\800D.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8211.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\800D.tmp\b2e.exe

Filesize
2.1MB

MD5
4d174871a1cc2edba56daec7d3298c7a

SHA1
616f009df7290a6e911c6df702676628d9f725a7

SHA256
1da7a433f84e9db28fa95232e44f25ddb097e3a1fa5b94aa2c1721d442f1774b

SHA512
625b47edc7514a5a344710de36d621af8f74d2101f2fd288598e159cbc9a48799a8b2e25a2a23580c9b8a81be5cc50b79af97e59b9f79094a960160a2563671c

Download Submit
C:\Users\Admin\AppData\Local\Temp\800D.tmp\b2e.exe

Filesize
2.5MB

MD5
e93e657815835abdb682c647e160ac0f

SHA1
8048ab77f22b7562511e5d351dd93128165fda5e

SHA256
bc3d5c465bab7432f744c111a2ce73e5a3183caeef1e570659162657ffd026ad

SHA512
a4ba44a3412eb03ec37dea1acee29069b6229285af039722955691b928946357a7eb221529e55f98656a554a29bbb2145d8741c0b8cfde20044fd060b826200f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8211.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
680KB

MD5
1b1f5da0e91af0039e69529ffe6f180e

SHA1
3b8bad4f8c39051a8a71e493da8e5c7f24237b77

SHA256
d1afdb72c4d2de935bc86dc104d64b914cdc3413375b2d3f5560dde59a119d41

SHA512
066d7ac6b78ac66d71a66c814d37d1b2cfd66e6337e7eaf1c47ba18f7f341f5432ae73c4406cfa298a6e4b5f40deebe836186d463e618f49773f64fe01b35e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
615KB

MD5
8e550fbda8eb0d11e875a99bd22f4030

SHA1
68f3d0b1918e7636b95b1ec925d6bb190ae2cbff

SHA256
cd3c3374360ae4aac4f9fb1c52525e1db38e79448d6d33502c79b0dacf58fc9b

SHA512
0a61b11198498e36b9f8ea1bac41f889f47ced06955a55c6b8f8dd6cc8e5fb1361acf27c492cdeebc6c2da0ecb8017b7b8235af62f86d12294f80da8ff236cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
776KB

MD5
b04eb6cdfe99930c5ecf81314e41a990

SHA1
d1ec7dbaeac30ee7f395e87dc381392e6617e58c

SHA256
dc0a8c018c689e1dd260c443b0adae5d5e4ded975f09db52e419cef7b6f5c67d

SHA512
2271869500a90b6767dc5632f82441f1f63bf6dd67bd1d8054b0e48f03e1e0720a94b41ac2f0ead8fce1c3509b97ebf6a2dab95538805af19e80fbd498036cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
710KB

MD5
504054a7dfd8dfbbc539923741533644

SHA1
a8d3b4b86d1fc8af03bdc9954cdf7b12cebece1f

SHA256
98b59a768c2726e8908fe508493042eb8027134dd944796126f04cd261cd7767

SHA512
1f8c727ea6482d85585c48a3421e478052f70a148e99c1893e6f9387a14cd027883443754a81d9d6fa6e0e69ad8dcebaef2bcb2128beb32dcee1232116206042

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
854KB

MD5
3201e5562dfe7a62f7ec6e66991354b4

SHA1
188b40581e255b749738a2e90465511117b58bf1

SHA256
89d25787c43de76ec48c7310e809c42d3619abe32253c67382d05e3e08dd8778

SHA512
9de8f72b261839c2a90ede9f4dff5d65ebf7895dec52c55b4c7db1c13114ac7c31e9bd71f7628323cf138f93d94d3bf3ec7b03785bcdca3ee40e1f658114f7e6

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
768KB

MD5
2a46219bc1b1078bccece84b28ddc1bb

SHA1
d467a88114c3142cc425f10204e8ab5b9335525d

SHA256
469f882be6e6bb1f2e49b1923ffc9921701ad9b9dedaaf8bc22987d714a32f2a

SHA512
b282f6119728666a4d2b536e9a0675519df19adf1531c9a34bf221b1cf325b76ab6083b96e3660406621dc4fc290482e4f8fcf58459b0ad49b0845b1a8291c5e

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1024KB

MD5
c6151ba2a5a47dc2053b8becbd8a0b68

SHA1
1f6d6821cc72fdc279db6c9ac0a4fbeec236f2f3

SHA256
1e2b0b487fca221e8095a470e0aeadf8151b008c54ec5f4c7a5b30582d88b90e

SHA512
c4ad99b39c67ce00f245da976fbddf54d6171b8fc33a60fc2fdaeedbf7b8615085de99069dc087c6b1890ad7a7486f559a2412dac7ab0cd301fe24867ebc1d25

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
573KB

MD5
c285f4d2cf909954c19eec4cffaf4760

SHA1
50b5b511c5d25502653ee19df1621f7c85e2584f

SHA256
9bcce06e7e0c6964efb55eb38d5ba30643e57ef2c8f1972bc100000d4785bfe7

SHA512
98f7b8584c9b5d4365026607becfa8c169173828881b675a1b2a2dba7f5102f82723efc9823bc366f89d20a219618436e29f8705a9c213a979b0d9db01ff0fe3

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
775KB

MD5
ffa0c8b9f8ca912781841375508c3127

SHA1
37571766ad0299d147f7ef0228a8b6399abcc47a

SHA256
a94a09b8d416e22df6228224fa80c62148e63b7d985a80fe8d1450ff3697f5f6

SHA512
a651e89692de74669c59a07d73634c8da0e10eb440a56aff1b603f7429d71e287e2e6b1c256428a5a102e7ce25d564c049fea9481d1323e14756be5a8103da59

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1188-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1188-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1188-42-0x0000000056750000-0x00000000567E8000-memory.dmp

Filesize
608KB

Download
memory/1188-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1188-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1188-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1188-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/1188-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1188-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1188-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1188-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1188-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1188-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1188-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1188-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3944-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3944-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4776-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download