73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
307s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24/02/2024, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
60	b2e.exe
1096	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1096	cpuminer-sse2.exe
1096	cpuminer-sse2.exe
1096	cpuminer-sse2.exe
1096	cpuminer-sse2.exe
1096	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1492-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 60	1492	batexe.exe	75
PID 1492 wrote to memory of 60	1492	batexe.exe	75
PID 1492 wrote to memory of 60	1492	batexe.exe	75
PID 60 wrote to memory of 2180	60	b2e.exe	76
PID 60 wrote to memory of 2180	60	b2e.exe	76
PID 60 wrote to memory of 2180	60	b2e.exe	76
PID 2180 wrote to memory of 1096	2180	cmd.exe	79
PID 2180 wrote to memory of 1096	2180	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\8A6.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8A6.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8A6.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FDA.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8A6.tmp\b2e.exe

Filesize
1.6MB

MD5
4b3e3a3f84660472fb9714cd8feaba1b

SHA1
8561afb6ae0a1ab8a4d8364928811b66fcaf9da9

SHA256
006513b9e4310066d4cb66a1ea11b6619c10e428f5a1ccc39eab92e1d487f442

SHA512
a4ccf4de38da8d27dd065ef09b81a4bca708188c6102211faaa186ddd8f68b87381611da54cb6098758733c799e2a3450cb5cae66b58c29a4264d93f93a1edc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A6.tmp\b2e.exe

Filesize
832KB

MD5
e1bd95ac3f9c6ce43914de2a53967fee

SHA1
3e03982c075df051d5a8dd837f42873f30483faf

SHA256
45c3475b58fbaa942be0297167c5c3fbbfe7295aa3fcbb4fb61df1348f55c550

SHA512
2166424e86301bbe04fbcce5d0b91562248845c5b1a7e889fee9a95d1c872dd6ea5cc85792b54e6d085095339be2f2b7f30cfd9b40a071b51c96a5009cc96f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDA.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
705KB

MD5
8c0d51e25dae8486f40c3508ef311984

SHA1
0f016583aeb57c32fa02e04edbae695c89b3f16d

SHA256
1b06bd20b2025d9df750ab8b053d35e5fd2b697bfdc0e6b4d5f598ef8ea8e139

SHA512
523e53ca53a0a97e30d15e691c91faed800686bebca89698583b6ad2cb03ad5ed831d29289cc6fe4746cdf7962edd22213cf72791c5a6b7bfba7801af4f8449c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
814KB

MD5
e1960bdee5d8c29d9b296cf152646fde

SHA1
3a166cfb7443c858343ebab6e29e58b2596ed11f

SHA256
4e086cfd43d49a9cb23d4949619706206513198de189ca849e9b2fc5bdefce3b

SHA512
ed5e1662860c40bb939b7f7dcd09424fd2faf63ff0577794ec17a2b06b7aa9e4f96661a9ffca7eae2f04fb683e9501a451ef3d3ae179c209e41314a042bd8a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
467KB

MD5
04de04bbc944e526cf06f1d78be31b03

SHA1
f64f11a1a7cf00ee0b4f4ab2f2af3eb84de869d1

SHA256
af9266f4aae9c8eb0b6680bcb826e9f75e8d7b27156471428ad20aaddb98e0a5

SHA512
f04f477c92049b13fb3ef7d27cc7572bba32c4c406d6eef894694347660c71721828e0064dc12c2ae122007dd650c169b87bd2a90cfb0b7336305a10ef30cf96

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
387KB

MD5
bcba49d4d52fe4e1db841a6dbdfc7630

SHA1
aa6ba56aca23f6e9ad1b3b8a3d73442b4f8f24bc

SHA256
72b03dda461f155e65656bb7a49082a3ec3e6101e8032ad31b3558f7a27b4e32

SHA512
859e4ce4cfc8faaf960bae2a1f64e66d0e850f2efe15683d5a8e6ed4f7846844d6fb1572b0fc50e5166963e4cf177a9682ab42cd12e081ba8ff80725fb3289c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
359KB

MD5
1471e4bfcc23eb4cddb3f404697e511e

SHA1
232ffd0ea25895755aedf22d26ba7103edb8cf7c

SHA256
b07965dbcb6687ef2aabd6850df10289db1a0869b410926cf57a0b431042210f

SHA512
b016975b9b797c65d72f8b51f8a7445aa365dfc397abd4fb9b7b8b94f91ef80ecb7a3420aff233ee8c8b21f6be207b894a848b749688cf7cd862823e559a2ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
203KB

MD5
63b7ee9c72b0de0fb07f913196a1f554

SHA1
22d4b0eed4ae918e65298bbf0b8694de51d4c378

SHA256
e0ab0c1fd548baa346e247d766ed4833f16dac9bc425ddc8488a8754136dd996

SHA512
28e6f9f2ec511987b339a42348dcfce940f2445abfa2791b9c8bf5d9df2561ce76e7ac1ea817cac2d31c8ddc23787e2d6ff9e76ab1b6eaefc284a2faf3fcd24e

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
654KB

MD5
ee34d782ae9e0b823de1934d3ddc7611

SHA1
a8e203493d0afbd92477d9ae151f7243306bde21

SHA256
105c3b741a457cbddcb40a7636da7edfdb4d4543119869ef149553a3c0571afb

SHA512
51ce35a9c3a735f4f971f86e56f5a00f37ad0fc9cf5fdfda2f6cbc90aedcd42774ac2a976925278c255fe3184f65ee1ea3282488c03eedd7003186cbc72c06ed

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
418KB

MD5
5c968c2d0c52eb8da52700cbe55202c9

SHA1
f99c395969b67e794218ab384e8ce5a0435b4643

SHA256
c8f3536ac263cd24621330947a823e6e4ab8544dbb847c0b88dad819bcaa8480

SHA512
655b8484fbcef034de8972e6a901920dcb39558922339d3d6799039fb4472dd5fdd49a3fedd71b9ed3f969f48ebd86934ec21380aaa1eb17da3c0bb9d9306ce1

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
263KB

MD5
92310a019ecffb5cae7fbf7e7e0bb632

SHA1
6feeca5f774626ca6641bb79dfcb4224564bdf6a

SHA256
db9ca0775280cae74fd6a58d380c0fe4a5ccd9449bea355101daf14a6bfb7698

SHA512
183327635812c7de25ce9ac471677fa023361b8e403a9518d06d70103f826dcca41107ff75f9cdb71decb7de42d69b141d30af6f66094884652a1dd74194283c

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
537KB

MD5
6ea8d064a25e091f0cffeb8a7969502d

SHA1
2b2644b9eea6fe47fa4fb6fa96a2d376db07c5a3

SHA256
77c4d999420f13b2293f2bbc6dc446bc7f28d329ed2a419ab905b6422319e205

SHA512
f56dfeafa629a26fe36704ac86d148ac8ae2c842199e7675c00ca5228eaeb8255af29af94b56f5c71ecc759543ada41d680ea8547221da708091af35ccdeee0c

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
447KB

MD5
43f9816ca14c02e7bc862b84709ef1a5

SHA1
71099bb32728762eed222efaa102eea39c9d9693

SHA256
8216e431a4645078fa790cdbae7450020a627c6af4459a0bfb88d4bee38936df

SHA512
5a2ac782616cbc20bad4f96da34c1d480942f3926367dc02de365305f6cf20bc7542241a1ac29e30236e26b698eef7503a395ed956983bcaf9b90bfe23b4eee7

Download Submit
memory/60-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/60-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1096-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1096-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1096-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-44-0x0000000001020000-0x00000000028D5000-memory.dmp

Filesize
24.7MB

Download
memory/1096-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-43-0x0000000052D70000-0x0000000052E08000-memory.dmp

Filesize
608KB

Download
memory/1096-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1492-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download