73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24/02/2024, 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4012	b2e.exe
3344	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3344	cpuminer-sse2.exe
3344	cpuminer-sse2.exe
3344	cpuminer-sse2.exe
3344	cpuminer-sse2.exe
3344	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4384-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 4012	4384	batexe.exe	76
PID 4384 wrote to memory of 4012	4384	batexe.exe	76
PID 4384 wrote to memory of 4012	4384	batexe.exe	76
PID 4012 wrote to memory of 2992	4012	b2e.exe	77
PID 4012 wrote to memory of 2992	4012	b2e.exe	77
PID 4012 wrote to memory of 2992	4012	b2e.exe	77
PID 2992 wrote to memory of 3344	2992	cmd.exe	80
PID 2992 wrote to memory of 3344	2992	cmd.exe	80

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Users\Admin\AppData\Local\Temp\8126.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8126.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8126.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\83B7.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8126.tmp\b2e.exe

Filesize
4.2MB

MD5
8f8f8b038ecfc87e3d2c763065f08bc9

SHA1
dd66e7e088d5897238292a9b8b94ae63fbcabc6e

SHA256
de1ae325525b8aebf55a5bb4ef7736298f645c9d7997e224c3f7aac9720d5452

SHA512
473e78e471746d3f35d784e31f7bb79652a9e7f43a77f58593c547a83db17af1f7dcdd0a7e8edd764839fd7332b9213dc15e7522f57689daab129da1075a823f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8126.tmp\b2e.exe

Filesize
4.2MB

MD5
b4063ac10fa8e2d06016dc752f546596

SHA1
99d55b2d3b06c1c6c7eebd9b40b5516074b56b68

SHA256
391296ea8e7749b2c2a06efb9bc1f7d48f7da037b1b2f7db11ad50fbd2f0924f

SHA512
330be7f652aae3e7f82d22ac97370abb01d9d4a2dcbd3958a44d162d39271214406e2ee01edf17c3d5258af82b9df97e55f91e8413cecbde8df2b3b227b72ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\83B7.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
761KB

MD5
27373e20c48f2d3d4630ab6eeae4b81e

SHA1
bfca6d22ffbc3732861b34a93002467b37451e6d

SHA256
27abf7123a5bfbcd58af77400a0e318284c1fab4b5cfc8410d74a0581a387cc4

SHA512
f7f067fa9c79a32c82ad140b26c8ec958af18baf058209f2991a038c80e5cc4b6ad90aef23b4f3c5c406b5ea0f7d2001a83f7e1cfeec5e705a09ae5a9a3b42f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
466KB

MD5
c5cd601a788b45281a90eada0ba5f962

SHA1
395a4d8acb5cde5e3fcbcec55e006518cc5a3635

SHA256
680520181a8d1aa5a38164e65e338cd1f8cdc3f30304ec96fd25bbc7c8fc591d

SHA512
94257f087d1786d2ca8ba3b54f3df618cad57365990363c747952cade84c6c796335112f72233c8e7ff83e833e4b5399a0e27be554d0ba401274e2dc9e1f4ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
261KB

MD5
58fe26687707348d99736f3a1e8788ea

SHA1
f609b532328f01a8973cf4b4894e3a8b47116ced

SHA256
916e72f62313439a2c6da233849f009eaa10cc5f33b5f9b42b87f372ef264e54

SHA512
ac861dba0b5eedf0e0eaede3c98a1fef4fdffe5887cd02fb9c0e1b1d445706310d5e9bd17064a273049ceeb23fe2fa1a3405fac6f9e5b0ea9e02350a802c7b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
412KB

MD5
03c1ec3aa4b4b4269a13d0e73459c9f3

SHA1
c9fe07bfdfeeebf80ad27be9cc4257697e1d017e

SHA256
cbb56e17e406434b4b1ae96bb49776c401d609508bdfbf35562e14ad2341219f

SHA512
514d3273f11c28713247f9fe90238db4f00bc38e34bbb354dbe98064c7368cc7e97b95ab9b4485ae8be063095dd705d2669834c5ba87a83a7cf439e6eb60ea03

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
371KB

MD5
7b396e5d688f03e720224ede40eb0274

SHA1
45ab42da47a6523d7dc6ca01150e1e6581ee88f5

SHA256
7ce6f2006d5c3f79c7bd44fb0a3e4580ecd6e82eeafc51854dd596426596992d

SHA512
37be3577b86c43bae7a7b9bef339432779649062ad1a425b328418535480cd063b11a43095b788a34cc7da205329fa508cf15e0bc797a3b83a194acb76bf207a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
376KB

MD5
44268e7eb017d0e4bd79329f58bc3532

SHA1
c5effb86cc2a7e9b865482aa77210461776b4bc0

SHA256
20cae1eb2721189bb7e4143b76b78b93ed7eef28d9d4dae9646177b78a4f9c26

SHA512
64f5ddeaa1e12d698c3b92095f62499c626eee2992831748015c62bc342a3397dd13ed72182cba3b50eaa08ff13d3f81d17f43c6d7938c1d9fe3d3b8fe432ecd

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
252KB

MD5
77792cf943edea1212c9af23ee8539d5

SHA1
8d1f6885a4cca5a1ca936bd9e4ecba1191017a0c

SHA256
1f224ef17107aecbeeba45bed07e6519244febaddef590fdc853d4bffcb28de1

SHA512
9f5559983fb5426fc240da06e466cd3501ee842e78807ea0a5c93fb8e592054b45ad693ac970004b78789d86a6fac04d6a62d705aae3c789c1ece635e65364a7

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
468KB

MD5
392f8e9dc480023a960626d90007764c

SHA1
20b39efa2533c6184c51fd50caafdfd0a33e9dd8

SHA256
d27cba9eac32a848ff8c985fa95c3f30063d5fcad8669b4d5f71d67005ca5112

SHA512
8ffd2c92e76802402fc8811f093ce8c077bbd3e4ea4dfacde72baec580f2bfc8bc93428e1544cbc2b4e40e354f1c280d0e3a205abce2a9a0da9295858f782a52

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
129KB

MD5
212dea8b6c98bab109a3707f87a18b80

SHA1
f5d869d50d481f7e7e7e557146a3d5c2e4746942

SHA256
71c1fe07d2f6e3f5e2ebd0e1b77cd17b634c0b95eb4d1b3905a50ec86ec5aff8

SHA512
b167919091bd00a14e0379ca7d4d640911d89f86d82e3849c67adab8628a95f3bedfa534430b2360b4af4df645838ee353cd518f11413d751d82474cb1eb15eb

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
3.9MB

MD5
536e6e4961f932727cbcfeb0b3fee8d6

SHA1
cb94299c6cfed5f057371abf81f41a51550eeba3

SHA256
b04f4ba1b9647e21eb3d76fe3adf925a3cbee9633292d44d24b50f961d3e578f

SHA512
19a9113ddc6711eb24ceca92a3f84d2cf0365b5f42ef592fbb8209523350fe281855db707be2be270ac37a949048f99a5a78c46e986623bc3b8a66304a3c4c17

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
336KB

MD5
ab1f1e083d4c29f101a3962244ddc9bd

SHA1
ad742a3ad1910e69b641b097eb54f2ca1364d28b

SHA256
928442d9bfb3e8c2655742dc058c057a8e2ee55621c77e91a61e0d54ea2ab262

SHA512
7b375251bec94221452e31c9df2b8313ed04ba4a40cc811bc3f7fbd7cce3ff388082af2334fa99d5e3c5baac111f752d0d4884643b4be88393a6ea202f45e846

Download Submit
memory/3344-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3344-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3344-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3344-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3344-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3344-43-0x00000000674B0000-0x0000000067548000-memory.dmp

Filesize
608KB

Download
memory/3344-44-0x00000000010E0000-0x0000000002995000-memory.dmp

Filesize
24.7MB

Download
memory/3344-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3344-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3344-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3344-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3344-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4012-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4012-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4384-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download