73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
299s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24-02-2024 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1640	b2e.exe
1936	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1936	cpuminer-sse2.exe
1936	cpuminer-sse2.exe
1936	cpuminer-sse2.exe
1936	cpuminer-sse2.exe
1936	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2492-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 1640	2492	batexe.exe	74
PID 2492 wrote to memory of 1640	2492	batexe.exe	74
PID 2492 wrote to memory of 1640	2492	batexe.exe	74
PID 1640 wrote to memory of 1464	1640	b2e.exe	76
PID 1640 wrote to memory of 1464	1640	b2e.exe	76
PID 1640 wrote to memory of 1464	1640	b2e.exe	76
PID 1464 wrote to memory of 1936	1464	cmd.exe	78
PID 1464 wrote to memory of 1936	1464	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\7B1B.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7B1B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7B1B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7D4E.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7B1B.tmp\b2e.exe

Filesize
1.3MB

MD5
f1af819fb482ad5f35dd86eab6df3099

SHA1
0816becd21800fe914fa72a9c6d3331b945930b1

SHA256
3b9a307bac3c449bb9d5472336c88d4d1e284af712853261cb90d082159e1b84

SHA512
d3fefe6e6a589fc019cd48d82b27f38e8f0e6c1d5f8275696704fb998127b9d5d9ecaed1a459286e46462c57e21e4fffef7ddf97cdbd3a3be6a8a4b4e9c602fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B1B.tmp\b2e.exe

Filesize
128KB

MD5
272c54a9b6cdfa558e23cc257343048a

SHA1
7f26d86cf2a3625ce3e70c9cfc9b0cc075b8d5aa

SHA256
1d7e7ea2934d091cb7ab81c31e31b4015e05a9f86b213f9d78b0297c88fb3415

SHA512
5139de29262ba7091e5ab0529232912aea9ca34fdeb16165021d3ccaba1d351abc59f2130eaa6af8c3c0510db5f649095f7043ea837267dc9eb4ce0169fa18ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D4E.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
482KB

MD5
c144d09910d768cd042eacd3a1686105

SHA1
ae5ee6003c3496e40893fd9e38cafb859ae2b61f

SHA256
e2d310e8f87577e8d9ff5e6242178d69e4bf839008d0defb52e08333c07d877d

SHA512
d0a5374848f32f19cbf92bf72bd840a11b2569aa9852896435427b0ad9c1987b1db5a29d4e2f64e86f38555dc75a2aaf1fbf83d2fbaebb46bb75fa8126412ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
580KB

MD5
b500ec8f8c949fa2ba7543474dcc9494

SHA1
baf802c4ebcb14a10ff985eb3e188718faebdd00

SHA256
829154936d3eedc0dad5d9a6f75fce2cebb4a99dc85407ffa73b5b4fb07ee3e9

SHA512
edfb93843a66e8da7034d16e831b88bff19d104f2f8a0511b84804008890893dae791df6937e6d323c3d777118d4c311129fa2941706c72d8dc961ee989576a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
808KB

MD5
e215c17eaadc99054268e595c24ee10f

SHA1
965b5136338ea543413a180a3b177d649a11e5d9

SHA256
b449f73d403382cb6089899c8ccbd8b822c984155fb5a1c4dcb10d15c7ff6898

SHA512
520bb11667aa781c161b1ff07902980924418ae050d9904ce1eb3d7357388ee09dd37d1cccbe1bf38ce7e62ce19017ca16e1788a68fb3dccf053f62ca988aa66

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
510KB

MD5
3e4d0d83f8325342e9a0438430a0653f

SHA1
fe69eabe58d48f7ae688287df8e4a826403d7621

SHA256
2801a259bbaebc4ca68138dd6bf6ba84c01c5fa0b34066d40eeccae349022f9a

SHA512
49df9f2624136e6292858c1cfb56c4f7ad0b0df5383ab9babb02f8249dcb3c68bde3b5ff0acf94785f67ab3d522db3645b09bc110fb216f06dbd7c4e487552ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
380KB

MD5
eda4bd004e5d8cc991d21c92497de22f

SHA1
5d0556df590979ea9466fb432d842ef99cd420f5

SHA256
e510a2e511828a9aca4edb8fb469fa07cbf487beb36bc2c69b9a302a99fe0140

SHA512
7a7ecd65f974a9ee9f9016a304c4c36b913c66e438a96f1be3d9ab5303e5532a68d6adf7cd018e8d0cd5c5588943724a5316a744a64442cffca11f7ddf4f4769

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
289KB

MD5
379518a74805c96071ea998714a93e3c

SHA1
34e917b33e119e0c02327511a38600f8a621cfdb

SHA256
838d9cf39d7c8138b2801ef4d64f7aa3c91a305a63065f017b5ac26ec7af08f2

SHA512
41c6ca259bae09cbee7aeea7f7927a92c0c3d1f2ec284945e92d0a6f63f162ee1204ed8f3e17d4294b8d890a66ca2631bdb236ce5f8a3ebc95b40703fe83fc6b

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
553KB

MD5
59fafb62534856da5f89e329bfbe5fc5

SHA1
9f0975751b67b930394562e67065bfa2eeda473b

SHA256
1ee84d26d880ce28ef3653f846f72fa5dae91dc9c513aaf5cbc7da6726a96d39

SHA512
3000d4842ae7c03ab21388f9d3d8552445b608394a0addc97d7259df5a006306f6936ccad5867be3cd36122eb69a64361a43a3e7973a7b48e5a1ac6b6677f0d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
281KB

MD5
8c87506d655eab64775bf6fc4172e2dd

SHA1
9ddf288404b0634eaec091f8db9375454add7403

SHA256
b99bcb549adda70a13065fd449b8974a936f729c24dbeda201a64e5ef10ec6e2

SHA512
165ce25b30a07e104ed92ab71c353687ab78d5d5c2c56c2da618c08ab30f2c6c85e77d2866e15ef47217d258020394a3789ff91607873e7e188ca8065f84c73d

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
621KB

MD5
943c3d1c904e73a1c42ffd7f6f68c9ba

SHA1
5d01276a255a7f6d3765b4546c93d41b2ebd70f8

SHA256
f0b000547c8dd4b5be07197ad445b80dfea0fcd77924aa62b07979226adc6701

SHA512
0936449b5a2f34b284b084795f3593cd4a0c005e64de74990fc8926ae63fd9b7b07c3d8fff7f8a0da4bd7288d14b052ce8888998150a2be24e59ecc7c7961bb1

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
482KB

MD5
19a37e52e0f0aef1a25de3a1ec929cfd

SHA1
0f7c35d64ef21c19ede4f0c91a1ae07359123327

SHA256
4b2f0aeab9d5f78f260a29d67e3e0cbdb591a896913da4acb2da6ec5fd1f4545

SHA512
095919c2809dd186ed3dc607eba39849553f5d0f2d25cfbd51a164ac9e9bb22cc286f9261a54d9c66af25be9ea3f537f0ed6ce513fefff2bcc2008bf89920750

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
540KB

MD5
ebf9644fdb4fc2b329e7ef28bfa64baa

SHA1
c63480431ea3a82e80d72ec19244a768c3dd65e3

SHA256
c09e080ae98c5b1557ca499bb02a18fa9237c344ba8f9ee1ec1d34fcd2c35749

SHA512
7d9ea7531b031d246bb6521800aac12d217f0498ea9689af03ba6bc641dce72fcdfe805f5258771e5e88f1ff97237ca1ac3bff2b0dc4593732879606da46fbd7

Download Submit
memory/1640-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1640-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1936-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1936-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1936-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1936-44-0x0000000000D40000-0x00000000025F5000-memory.dmp

Filesize
24.7MB

Download
memory/1936-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1936-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1936-48-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1936-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1936-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1936-42-0x0000000051BB0000-0x0000000051C48000-memory.dmp

Filesize
608KB

Download
memory/1936-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1936-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1936-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1936-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1936-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1936-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2492-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download