73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
302s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24-02-2024 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4900	b2e.exe
2320	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2320	cpuminer-sse2.exe
2320	cpuminer-sse2.exe
2320	cpuminer-sse2.exe
2320	cpuminer-sse2.exe
2320	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3524-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 4900	3524	batexe.exe	75
PID 3524 wrote to memory of 4900	3524	batexe.exe	75
PID 3524 wrote to memory of 4900	3524	batexe.exe	75
PID 4900 wrote to memory of 2484	4900	b2e.exe	76
PID 4900 wrote to memory of 2484	4900	b2e.exe	76
PID 4900 wrote to memory of 2484	4900	b2e.exe	76
PID 2484 wrote to memory of 2320	2484	cmd.exe	79
PID 2484 wrote to memory of 2320	2484	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Users\Admin\AppData\Local\Temp\74D2.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\74D2.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\74D2.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\76A7.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\74D2.tmp\b2e.exe

Filesize
1.2MB

MD5
4a2dab481cebd56ed7ba7c59a5ad9865

SHA1
132da83d7b91a9f49ff0327d04670738efce0c59

SHA256
c3becb867197c602840d0846be440b9724e011ff1b18dd99aeb15b6160014e3a

SHA512
53e3a49c8c3a9e6ab343c20b23b8a45a827d0c2ae4de0b39c341cef487cecd9b8417d82b4f507534729a01349fc0f7bdaaea38ca29ca54842fdd438a18cefad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\74D2.tmp\b2e.exe

Filesize
777KB

MD5
25e2bae069097912e90e197d6c15b9cf

SHA1
5875141601d820acd8f40ba8a7a00097b72cdf35

SHA256
e9222323b4934a272c6c5749adc120c3a5a9129972afdb29bc492f010f566930

SHA512
91b3a78d8f55c8cb61027523bb7fc58a58d2e8fb6b6f700fbaeb092b1eafa40d31e52dee33e8b97dc61fadd911fe15aa59190663a121c1077f8f3635f7cb6268

Download Submit
C:\Users\Admin\AppData\Local\Temp\76A7.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
145KB

MD5
fe1bf6be052aab98130119a309312594

SHA1
8abe3def41fdd4355008825755c446e864cc0c82

SHA256
f5b995f08b96976c96c92f96e0a64502591aa22d1f68ba0c4cf37d34dffd546c

SHA512
801ba49538ac45fbc80dae258b0e9c07934dabcd4895b9cb81b07dfdea02c67499ac9deaa0eec79ad02b01d62e20ef747e354ee7baf7d9f2fffdad9adb5d3ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
114KB

MD5
4782cbfa136a4b9e02dec2d0d8c8862e

SHA1
9f13f3f9af30b5097b6c50b6d35250ca1c49fe71

SHA256
4b29657c19d7fc34255d66cfd6378698ca8b5851e6d099c9067ac49285e66663

SHA512
6beea256be47174a6461a634a6f76d23113a529c9c40a62641a4fa2c73a837db55c0a15619f0badebcfd2dde68ad55b3c494ba7b6e535012a201cfa584fae6ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
138KB

MD5
54310dea5a5d88d2354fa33852308fad

SHA1
2f0c07cabd93645300f0fafb2063740a05f64a6f

SHA256
e329e802a7bbc30c0fabec45c61deaf1b59b5452c2f3e926a0702eb989646dec

SHA512
b06f3394393b4d251072f96ac5610f2a67f16a4d07ac6faffae037e2aeb6d3d8e773865588a9b2807fe7169be92a0dbe571cf04b6129fcd2a10daa092fb70faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
156KB

MD5
9e67fe46e32074e95e87d74eca7cf06d

SHA1
fe1c609336d380a5c649133e73866f9aeb1ab417

SHA256
0862aacc6aba56fc4d65c40fd06ed516f200e65883b58c72287f9a220e1c19e3

SHA512
30313052576c16d1042a1015beb0fd9f022781fc68bfeb8c3cea8f957d2f0a6f0d6be328ab23dd637cb2ca4750fc642f6936029ac7594c25d6e7cf09cb3ac112

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
143KB

MD5
702a389888b87832bc91f884b9566e12

SHA1
6e4fc6a6efbba346f2b1e28021adb3dcbfd7b511

SHA256
ec7967378e545f83af44add667741aee91b10722591913ecd817f3810e6d2e10

SHA512
5e207c624c5fb4356966dd926a0cddba839e0b8bb64a64ff73fd4c56bec3a0b5a93e955f1f960df72ae7d09e92d7cf86c882085397d605c1f3028d049a61597a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
128KB

MD5
8d949f4e279a9a80f50d7c2e0c7bff36

SHA1
92e29300716211895b2d8cd4cf010452f0132152

SHA256
2e87614d15e62262c8b0a0c65e302b15e971b591469f3c679e7e516934cf621f

SHA512
36565dc0a3290ac8c5e0fd0a2756764ce8e49a7ef52a437caad549c7ea1ac3ac7dfe05cd4951ed6b17051768fd9733c94365d85832092c429b0b74ab62a338fb

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
138KB

MD5
c093a3353b2acb1bad3e11e9ce43710b

SHA1
96ad3a620e270fd0d631c52b9fe21a701db9577f

SHA256
bf20d0d3d0739de12bb2baf9be868f5d142d54ca1e34beb6f25cd0e63ac3c10d

SHA512
e7ce0d2eb5c147aca0d01aa79d4230ae24bcf53061022b474a068c7cd9c14dccaeb292272f44d6e146f7e7c39313e576ea50ed4dfa277bfe901905a1e38ceafe

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
308KB

MD5
1aa8cef2ec4b4213f3c925c260201166

SHA1
2d1db556894e2d388e079a6a88eb845597caacc4

SHA256
febf0b69445d37a4fe590563f7eb4b9b526abdf3bdda2d06acad4bd0e51c98a2

SHA512
6307d31dcd31f679f26c3cb400faa683fe944ec6f7576b18ca95c354599b7a83f92119306d40f6d7b4f28aef6efe24b016d080de78c971496d762b2f56436f5f

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
92KB

MD5
77afd821f3cd4a03c8c6edaa000d8281

SHA1
db4a8b967aefb0da73e7ae88631c2a3afc24571b

SHA256
fcaf37e32275e19b0c44e166fd4bedda1e45ef763b7d9265223c00e7443eeb8a

SHA512
1decd048c9e3a3cffbfa790704472b31f47681d23d988588f9833e0b38f0de6ad380777135159712144bb2ff6c45ae2ab3bfbdcc87b8c3f9997cc7c3d80a1b9a

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
69KB

MD5
e6cfc461d50b1f237b40f80a72ed9d32

SHA1
f4f83b65f060aef2646011b0ac1d9cf30c037d2a

SHA256
aa2885ec2b6a0c56fd44a4d404ceab4065bef099b23e87d5a4f41b09d9b95a54

SHA512
f479db670698586066a915fd9f89fb9d8c7b94a250d83806cbe6f7100b9e43e5c635a90a80e76e946e9082e12331c934933ba8d6edd79b7b5e0e4af6fec1e9c0

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
185KB

MD5
4662d583333ca5deb10c31d6940ad617

SHA1
ce04b382f895308b2ce6597c06901eafd1f387c0

SHA256
a13dc3a9e0b6a279bd21b2fe89e2e7870529d91b44726c1addaba70088653146

SHA512
11724a857bbf7ac75ed9f2b460935c64e359380a49120c3ad20b71137fbc680c72bfb3672156edb4d0445fa313555eaa6b5f3b0692b2ecc63eae744791ecd74a

Download Submit
memory/2320-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2320-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2320-43-0x000000005AE90000-0x000000005AF28000-memory.dmp

Filesize
608KB

Download
memory/2320-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2320-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2320-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2320-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2320-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2320-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2320-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2320-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2320-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2320-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2320-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3524-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4900-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4900-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download