73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
302s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
23/02/2024, 20:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1536	b2e.exe
1616	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1616	cpuminer-sse2.exe
1616	cpuminer-sse2.exe
1616	cpuminer-sse2.exe
1616	cpuminer-sse2.exe
1616	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3060-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 1536	3060	batexe.exe	74
PID 3060 wrote to memory of 1536	3060	batexe.exe	74
PID 3060 wrote to memory of 1536	3060	batexe.exe	74
PID 1536 wrote to memory of 1100	1536	b2e.exe	75
PID 1536 wrote to memory of 1100	1536	b2e.exe	75
PID 1536 wrote to memory of 1100	1536	b2e.exe	75
PID 1100 wrote to memory of 1616	1100	cmd.exe	78
PID 1100 wrote to memory of 1616	1100	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\9654.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9654.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9654.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\97DB.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9654.tmp\b2e.exe

Filesize
712KB

MD5
12f87515619078643446ed156998b51e

SHA1
18399148f4ad1655e857ea0060729ba25c0b7f94

SHA256
972cbf17fb3b83b45434523742ed3dd2744786a08f1e2bd0d706e000cc79a074

SHA512
975e9f1db0e1b229f89d799eb570de281dd1e7545fc7dc714de6bfb72e69b83cdf411c2bf32a797a7b896e136ccad160f4a3f4aa091e0df71f1c38afa0b0427d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9654.tmp\b2e.exe

Filesize
420KB

MD5
9bd530d8b84f3483bdc8a7bd56943d3b

SHA1
49684673dcb7ccbdfd1f6cb4155e7d4dab969095

SHA256
6a54619ecb85d2b77c91e9cf16c543e1b7bfcc04b71b4b88c190c12bf711f951

SHA512
46dfa1ffeef6557ea09aac756686518e03d8cbe2c37fe297986262bda0856c160a5fa83324f3642f606312a63eacffdc61dc27631d39ff42cd55c056acf4449e

Download Submit
C:\Users\Admin\AppData\Local\Temp\97DB.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
124KB

MD5
b93733e9e64db887a232577a9656c954

SHA1
46997179c923f488141be59bcbac1198b060109b

SHA256
75147c6afd45147a694d375833f58b1f3209c1467d940cc766c16deeaf8b47fd

SHA512
2944249a636f27a613ff67fdf6f7dc1b35052e73f884d16e44bf2b64a7655b3bf72eb7d74d20c632265950902550f63522b5851087b09dd08f61e46e372a778f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
155KB

MD5
87ca0fc1ed1683a99fd1524ddf7fc20a

SHA1
d7aeb663c5a3b29077b47e000813d35bf273df90

SHA256
0bf21963c37abad482a4ca5c0c21ef8022f3478643d405d14703d825d2352bae

SHA512
55dd930a8a66195114f3f9e13e104948b558e63241200d3f7a5f8e5db5c52780e5ad357a72567c7867976015c0119a715a8ab8df44124c1919accec2a18628d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
113KB

MD5
b5c346d81d576e7deb4c4f512eb89fdf

SHA1
7ff098a4fda413cc6955ce14c0168d63cbf2ac92

SHA256
69d736c60dabb37dd7e24c6e2466202f159a215e2084f815fd14a12ea3969a21

SHA512
67ace0c83d8ac5fb43ef9d7689bfd329444b465607f28b346b395d12c4d8587bbe34ecd9bb4a3b532bb06e27309f370dbc80cb628db43d100e096d9b948e4161

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
108KB

MD5
b1521cf3d1921cbf5077f9be70d36b30

SHA1
fc6e2eeb096a24e3c55e9979040ca33b2d82180d

SHA256
38609807a99ae597171aebce1fdfa82abd93ebc3788515c17d4ad28989abca76

SHA512
48a378f84a616b1432bea7ce5b520a39426daa43a637a2fdfb7b62fe9d227cd35074b28ca1b0a4ae1355f053ac306683a6bd3cb173cd727a2894a4edb0a4a402

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
173KB

MD5
d6e3f4c547788c10301dd19afb599e0f

SHA1
c72744a1c138d56de8a8a946a15429f841ad9dd3

SHA256
76e4ffa1099d99535a2eaec343a598b6b0f54a01cf66402e25d0490c41e1ec23

SHA512
43849a1244cb0c4f58e96993ad81801c500317aea929515b607dcc14b8d35cc6dda68138fe9412050c775f91352113fc2d2a0ae68f4e30ba4934917cabe219d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
89KB

MD5
55a869ae66e1e487a5b6b8305e9c8009

SHA1
c8efa4b031a3f664199cb8c74eb429c55128dfca

SHA256
dc357f9f84b6d963d5f17ae8329632692b5d3c973ad8aa9c3a6deb1aa49144a3

SHA512
3a6f0f8a2b25e51744f9a90653530f38c430a804048c468c4a3c76c0a6e332cb427772f486ed9238bc69e953fd975b4439e20e80a10470713a73e1fcf35ae1ac

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
113KB

MD5
258aa2075271f1897db83753dceeb370

SHA1
7218801fb204b4f4992b8377a83948890038cb82

SHA256
4c317866986cc871eae09d7983a68ba19723830b8cea5f3533030a5193d0e34c

SHA512
26afd0c70572c94b5d0dc36c1fab247e2c29325f01dae9c62d780f1c32f0356e629bc677bee0bda12df9035c698b73f6fbbec5f5ec2054fcab5371454f48ebde

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
100KB

MD5
af57db604eec2dc17e1a5da66ef7da45

SHA1
c213e6533cbb08b624cfbd2f1a0317036837e401

SHA256
a174cbcb7a36ac206f45e47eca6bc39ab7f49c84f283f985b0beb31d5ec23cbe

SHA512
4ab442005b4831a1dcef00e46b135d5af9eb4cd8344fa80b23ced45db14c940f824bec570939aa65d5b5584fc8669a8e6d7bef4f37a1d6ef5639c3914a40639d

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
51KB

MD5
931c64898bbc7ab18793c3c6da6cc0b2

SHA1
0b99cb21519d11d74080925bd3ef54c836e6311e

SHA256
a70bf67f54a5a97aeeacc4b8e094422d26e0b256e27d991a2baeec947b44cb05

SHA512
89557a8ed46b87e54984abc8ea7d1c3e31204ced3d4e1ac07e3274ace08ba8c9565f7954b3a35c71a2d08c37307756604d8ae8d07e5581b9a09b7f57b078d9c3

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
65KB

MD5
400d829361d38fcd842c7791c6e916c2

SHA1
f30a6d3c0217f0e863af3f86eed79e0f5fa67bda

SHA256
7404689ef1fb895e0a0292b39f1bd33b502241896a0fa12137794ead0d683625

SHA512
d055c5a2fe9724ac45f46a507036f665bcd095f0ae9a5b7c8a9a61aab4662943e2f604aa5726fa8024a6c67c16e9bb5eb9d1d51c534f85e6c047ad8a97686b13

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
124KB

MD5
b58517cba7cb6a17a439ad14a5ecd623

SHA1
7d5ece9b2ccd4be651afff3fec054cfcbe5bf537

SHA256
63653e6ae4094684e921105defb7befb3e3352e9d80af7722a53cd5d800f5940

SHA512
1028a1f01e62e7ced5ee6054602d7d318074cae6090815de0d9893432849ad3c3d13ba782d751eb1f0b4750b05bac502d9f5123175e0adeeb58b4050233b0e0b

Download Submit
memory/1536-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1536-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1616-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1616-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1616-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1616-43-0x0000000056F30000-0x0000000056FC8000-memory.dmp

Filesize
608KB

Download
memory/1616-44-0x0000000001020000-0x00000000028D5000-memory.dmp

Filesize
24.7MB

Download
memory/1616-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1616-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1616-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1616-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1616-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1616-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1616-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1616-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1616-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1616-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1616-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3060-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download