73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
302s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24/02/2024, 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3220	b2e.exe
5096	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5096	cpuminer-sse2.exe
5096	cpuminer-sse2.exe
5096	cpuminer-sse2.exe
5096	cpuminer-sse2.exe
5096	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4648-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 3220	4648	batexe.exe	74
PID 4648 wrote to memory of 3220	4648	batexe.exe	74
PID 4648 wrote to memory of 3220	4648	batexe.exe	74
PID 3220 wrote to memory of 3884	3220	b2e.exe	75
PID 3220 wrote to memory of 3884	3220	b2e.exe	75
PID 3220 wrote to memory of 3884	3220	b2e.exe	75
PID 3884 wrote to memory of 5096	3884	cmd.exe	78
PID 3884 wrote to memory of 5096	3884	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Users\Admin\AppData\Local\Temp\D764.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\D764.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\D764.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DB2D.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D764.tmp\b2e.exe

Filesize
1.6MB

MD5
1e9446ffe80055b0d0681a975585d4f2

SHA1
e2b13091250549c39e6156044d3d826cfa7cc936

SHA256
6a5e65eb48e3c9f4a594a64b60d57436418cec87e75c9cf93d55746ef761e17c

SHA512
fc3ca72c1070ad153cb9f99b6a1665efb80d83005f575d70437af8d87164bff1c689305570feb80d84889a31fdc0ee1b375576fa9594ee303c2ab0776bf0e2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\D764.tmp\b2e.exe

Filesize
2.0MB

MD5
fdeff16ca964a2e9a2203979adac8aef

SHA1
63fd594b64440d14c8bbb531f900073ca93d6f24

SHA256
ec3b54b18cd56dc7a31df8ba96620e24f6ba98f305481e310b7f159ce544f7c7

SHA512
e892709e7c3ff823345cdbde2b4be9f51b3769456baed5ab824bda5ae849dbcff8c2a5750c7db79baa9636eda2542df5df5421b6e8629c827fa4db1abc188e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB2D.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
472KB

MD5
d3cdbdc72e3b103f958bed82bedba22c

SHA1
58236ef3415aabaa60f7f2bb8a8ca62d89805586

SHA256
0cf5bfa575227debb0d6a45566fd60cdaa34b7f28de9248a94011d9da5447c40

SHA512
45bf1ea057b90703605ee15489bd3e51e8d8f71f73a635dbe48985256b39b165730eeafa600cc944fc42ba6ff21dacffc880a85204646b7897f85ba1c74540eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
381KB

MD5
5309e2b5b544e7a7fc39bd15fd590a85

SHA1
f954cbe8ab7c45d1d01480f4c5ed27b2bbde87dd

SHA256
68c62578493317a383358a09a28cd655665ed8ee6f4f0a9491691dc9f5226c5b

SHA512
7f1a6d96b997b17a49a5d67dec2a54aba1358870900802f032f6b84abc6004f34b04b474a58b63876e8a2546c142e7d8cd9c7dbf743f49df2b1618cc1bf59f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
237KB

MD5
5c2bb5a44010c81e56995b5a4cbde000

SHA1
ab42ebc0bb12fb2d051865603daf158de9b0616f

SHA256
9fbdec253226177730aa797ed774b504ddd0bac07ac12978d1e91bb3816a320d

SHA512
d312a4fa25ef0e58a1cd83a0eb39d9d586f0406dbbc1622e6171c4a541dc342492c4e4bcefd4b549eccdd5b80a9425c445376d6338e9f1bbe560c2259dad525a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
277KB

MD5
20baaa751203598d0c24e7c7798c5678

SHA1
5d0594a3eb029d9832d7c640f2792c7b06c02833

SHA256
c9706ebf342b7f164e1267d63cad3d10a7fdf9b4ecb352fda15b24ea7f8b2444

SHA512
73acf5517175f1c0a099e79410fc18d2b846de541b2753626ae78e26558582ccea2ee58c34a1c06f10b101876e6d391c643ad059078bb696227bc7381ad0ec5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
318KB

MD5
92eada1b95b3536a5dc886595a52b4c1

SHA1
7c4fbb350b414f59a72c5dbbea7fa100ef9bca9f

SHA256
99c3e6be656f1f58d10f52935ca3bca51d9458d1d20448fbfca0e070a6e916ea

SHA512
f031ea02c755a67c9c9afd15295e497efcfddf6e8f8ba14b547a697170c758100a440f0236615b5c9ec33b9095bc05e571760e934284a1102e197359d11ebedf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
140KB

MD5
7d01d299b1fe697f428ce21ef5e15db5

SHA1
e3ebfa6296b943a676e5197872efaf1889a9a556

SHA256
2b7fe626a93cc416ab2415c65ff1a90d2f68e6de98a731b8574c290b2b5e4294

SHA512
96fd25f7241bfe32017211ba7ec09aca69a85b928ccac27b1b635030b440e9f3b5b25701d5d659decaf45a700a1122707a61dcf40b770ebf73d8c495e7330923

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
234KB

MD5
9a006aa8f22e2b10a1af9030d40900aa

SHA1
33657ae7551e83a3d0336437c359fa5ab16060f4

SHA256
ff4e7d9fb61e07c9382c6d62ab59ef45ade1569a966b47afce8c06b112008309

SHA512
a768c8fb86c497c2f5c2d46de042226b7696978006ef8b8d8169bb890210df4a70027764d2569f847c934d56d31d50bb203f8246917860aa49ae9206165dbd85

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
128KB

MD5
48c422e815911804d8322f84e605438f

SHA1
b577cb4575fdf07ead63d0f9831833f4f30788e9

SHA256
3247538f008c10c405b77c7a1ff636bd7f7e72b0cf4b5990870c157958b4e6ea

SHA512
0278d1c8a8bb02bb70bac382c89481451ddd147f2b195fed3cf1105524358a04703be54186e138d0e1f1423441e694cd292eb890cfe66bc421eb160821548f8c

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
118KB

MD5
895fea2dbdbe52205b41d8210ac079ec

SHA1
fac4bc9d3f64841ceab2f73884fdea9b55793528

SHA256
58457eafeb4ca0217e60c82b46ee5dae4deca926988adea9598779e2608d1112

SHA512
281b7dba818d916d91b22c897cb4780a469d3fdd984b344f820458ddb9f6b192d96c65c89150ce2becd6fffd205d6e7d97567197b507755fd0c50759884e80f2

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
66KB

MD5
733c25b2c304ca05f0b29a177150b3e6

SHA1
5bda8733ca5c6a9c4893c5407b36f023e4f6586d

SHA256
cb3aa34d97b721030d0aa76ba728304e7f362700b28019567d964b7f136d9a5f

SHA512
6be0e5cb5ed5679f85ae674e5798f197e48b785ea2d2b302b979cd503a56cc1ec3355f3a23e59431a4068efd73b26b764d0732f40045dcaaebdb1be5d5d52cbc

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
57KB

MD5
07b59122b40ce7a866b54f68cf5b7ceb

SHA1
f95371c9234b6145bbc6ef086213c86dade22921

SHA256
c97fcebe672fa8f7703e7b627d248b9b87a51d8ffeb6ac1dab72cec31106ca7d

SHA512
9796f33345c001a51b49fce5319c0a0bfb144b37f26ba7d9c1e26a619c9e151667e2d67171be1afcdaf56b05d537a4999315d523fc98739c7f4766fb90acb0de

Download Submit
memory/3220-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3220-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4648-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5096-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5096-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5096-43-0x0000000069FA0000-0x000000006A038000-memory.dmp

Filesize
608KB

Download
memory/5096-44-0x0000000001020000-0x00000000028D5000-memory.dmp

Filesize
24.7MB

Download
memory/5096-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5096-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5096-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5096-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5096-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5096-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5096-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5096-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5096-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5096-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5096-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download