73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
306s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
23/02/2024, 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3880	b2e.exe
4256	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4256	cpuminer-sse2.exe
4256	cpuminer-sse2.exe
4256	cpuminer-sse2.exe
4256	cpuminer-sse2.exe
4256	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/780-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 3880	780	batexe.exe	74
PID 780 wrote to memory of 3880	780	batexe.exe	74
PID 780 wrote to memory of 3880	780	batexe.exe	74
PID 3880 wrote to memory of 208	3880	b2e.exe	75
PID 3880 wrote to memory of 208	3880	b2e.exe	75
PID 3880 wrote to memory of 208	3880	b2e.exe	75
PID 208 wrote to memory of 4256	208	cmd.exe	78
PID 208 wrote to memory of 4256	208	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\19AD.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\19AD.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\19AD.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1EAE.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\19AD.tmp\b2e.exe

Filesize
2.4MB

MD5
29d240444adb9813b5adb991ca67e90c

SHA1
0cdd7c578547560b099e3f1bfb3e83892333f954

SHA256
1fd04673016b8baf0d9ca4cadb7cffd70d24f17bf2649c44c34b523790e41998

SHA512
2add4e12a2be3e15af5f13028b4f7ec1eb75711075beb95d7e658a79cea6df813e17c96c19bda8ff77c8d411da3c85a0bba19e6d77de8b25dde719e4764f13ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\19AD.tmp\b2e.exe

Filesize
2.6MB

MD5
5d1616a632af579e92783c61efe0a1ec

SHA1
7babad16a8d4e8eae18d0dc29857d1c31b11986a

SHA256
4e451959b1ee1e867ec8dfdd0a55584b74f3dcf2bc145c6339538f931aff786a

SHA512
e3364d8a654a2b73bd8decc50cb42e6df88005f2e596a144f551b1a83d295f6ebcf0c4ffe4bf94f3818500052ccd1b3e3ffcd8d45ae362e061796f40898294d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1EAE.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
877KB

MD5
7ebd1c5c25ad0fda520964c7b91364ba

SHA1
9496d0f3a0107a3b51a7eab52303eab1211e3993

SHA256
88b12c2bef7437dcb67d774e57c8fdc002c04b72ef88b0284eeaf49e1f6ac645

SHA512
90264c42ed424c94f51a39d06ce6e3325230df3d93c3cd894295e0e9458f0d68a8c0fa2589d91e045ca478b8735e7d2c743ed905cef9e883a1d4c624d70fa74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
646KB

MD5
cd96ce8f782fe18826df76698eea4b16

SHA1
4652a49aa935137403a860ad4c91e18dc14eee2d

SHA256
ac6b1c5b620ec89665be29b1397184ed15b042df28600d1d4b77803f4f7b3b73

SHA512
b57e71599f369dc6e5a5269a7574e1e3159bec5b6724727010e35dcdcf60b083876cb5d8c794857c0b8c4d15c5432c7923bd2bdbdf873d513a7ff4ccd7d58d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
725KB

MD5
a010ab10eebfdd8e3bc088e29f3f7b7c

SHA1
226c8901a69f322e8290a3d5a310820bd2dcb774

SHA256
a188a7fc8fe7d70af3adf180671307a0c735c327d88888ce05b7153710784923

SHA512
541aa9af9bba5419bc4cde8fdf6010508765207023694210690c3eb96038a3579a84c85dd927e5527c6ba89322495c1fe9147f8aa69b5ee4db1d31efdcd4853b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
777KB

MD5
e14371a6021cd4f39a7197865103c49f

SHA1
49b8f7eda789659aa57eb1d74f9a6978dd75ed22

SHA256
40ec7f9cd3d0047c9c5dfb1564d23ab546ffb3dc356a80f9129edd3da48f66b2

SHA512
08fb221442d9243c27430741f6f49699f32b26288c20137f0c8a22959dc41419058bc1ffcf455c28a9fb5901bf069c29bfbc77e99e35fa424c586debfbca370e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
550KB

MD5
8971e1eec629e941c978df5d8ee94c27

SHA1
1f560f9d178546ba89c9de2b2f8cbf09afbacef9

SHA256
5eefc76cf79d7715a23c507e3a281af5f26668fce4b5344841012d2f63cc21a4

SHA512
721a255b026f1dbf4f1764e8541eee9000f12f31484483ed51c5872f505fed42f641ba4d072bdfd28fb34f458ce35b3a12369dc79d02068d5d41fa0a7d9c8ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
818KB

MD5
94837d790df411af7755799e29118012

SHA1
e4607908ad52d864e2cb801b20819b9991aa5717

SHA256
f2f673a8011d903fbce1ede7a3123252559c5a93cef04d94e5761702097a6da9

SHA512
bfe1975496701e777a017d1fea351a79ed67e14349e9fe52ebd652b4d010af4e432abc93d261a122503e3f87f74289af68464db96e166ea85b3becdb8c8775ac

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
768KB

MD5
fe316f2b417e142dffa0e03efb65e1a4

SHA1
907805b2c3bc0a0791086cb5fc8e3a950bc78e6d

SHA256
aca06866767d9e0bbe1e9bef7efce1152d34243e1acefc5f7ac4f6a245456671

SHA512
8ebfa0700b00c4064d1ded11fc1b4001f01238ee0c4cf88a873e0ccf38c30a574d600649bfdef85f2e3aec5c279a43680f7a66604bc6f27bbda0219e3786774d

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
672KB

MD5
611725cd7f762e0afaa0733181fb9e1d

SHA1
33ed3c0f48385328ec91cf73cade2330eccfcc9f

SHA256
abc2e45e882ea0cf16467b5f151877d35f944c742ec792f592623c70c045a6a8

SHA512
8dcb0f6b1f50de912c823a535dc96b2aa5e2600fc66d659a7d7d789d60c86cba358ab4cf7a73ef2a058e0c204653387bab9033a0990e68e5b3329d9636d322f2

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
718KB

MD5
463764895dcb177fbf99cadb9f9ddaf5

SHA1
4dfb36bc17484faefb19ad2f1d7e96c811379322

SHA256
d216916a402fe9fff79c9aba25dafe006c2df9bc51155ef9816e1be0c35d60b6

SHA512
d7dc9dab3248e3695c80a52e566f940ce428a588230736ba58e57ff0ca55fe13f1c777e7f371fb0dc220042a343227afcb9a6fb38958d2eed89cf71546edd093

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
593KB

MD5
6011478e624a79ad07e2010ee22f0744

SHA1
a9aeb90117f9e183564bf8b0b57de67d79a84b86

SHA256
38348bfd0a5d18044de41eb5e05bb2576463adfca467916977dbe4c7e33c9ff6

SHA512
15d06dd5393db625f64f92c78242762f3ef5c7be07075f7e529bd0ba18b30efeeb767aa67d459e42b1d94af5a0bf111c18864b88d2f6bb626646badb8e16d56d

Download Submit
memory/780-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3880-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3880-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4256-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4256-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4256-43-0x000000006E300000-0x000000006E398000-memory.dmp

Filesize
608KB

Download
memory/4256-44-0x0000000001150000-0x0000000002A05000-memory.dmp

Filesize
24.7MB

Download
memory/4256-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4256-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4256-58-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4256-63-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4256-68-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4256-73-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4256-83-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4256-88-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4256-98-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download