73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
302s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24-02-2024 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2424	b2e.exe
4176	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4176	cpuminer-sse2.exe
4176	cpuminer-sse2.exe
4176	cpuminer-sse2.exe
4176	cpuminer-sse2.exe
4176	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/716-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 2424	716	batexe.exe	74
PID 716 wrote to memory of 2424	716	batexe.exe	74
PID 716 wrote to memory of 2424	716	batexe.exe	74
PID 2424 wrote to memory of 1712	2424	b2e.exe	75
PID 2424 wrote to memory of 1712	2424	b2e.exe	75
PID 2424 wrote to memory of 1712	2424	b2e.exe	75
PID 1712 wrote to memory of 4176	1712	cmd.exe	78
PID 1712 wrote to memory of 4176	1712	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:716
- C:\Users\Admin\AppData\Local\Temp\1CE9.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1CE9.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1CE9.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\23EE.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1CE9.tmp\b2e.exe

Filesize
1.6MB

MD5
2c1a720b33b924d634a3563ecefffd93

SHA1
3f7badb08fca724ab53478b73c244afaff258ce4

SHA256
989fef4a53326eef20ae1db109e4483a3939186ee58b976912fa8690876d3367

SHA512
0b3a1e0803bf8c9dc410e2dc21da2f6e6c526ac043dcb23ec9db2965b4f3277c3207fce18ab2e7dac48c28cef004034572286fdda1eb47d8c104b8051dfc5c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CE9.tmp\b2e.exe

Filesize
1.5MB

MD5
40d294a2661b5f25017bcbba26a5068a

SHA1
a9883459852b68be03d4f22a4712706e8d1f0d78

SHA256
4bfa6a8a48699ae4135d9089628d03cc011ca61bec14bce6eaeae22781940217

SHA512
8136a68cf39cbb916367054d1e20938b1db89fb73c8530e7c88050fee4600f3900d15c504b17836185de9be2bc76ed22c2f7c5cb468d01f52008ab3491398940

Download Submit
C:\Users\Admin\AppData\Local\Temp\23EE.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
143KB

MD5
2572879f25fb60f98db88c592a4663f0

SHA1
f5dbcc171cbe5ef55bd75a3d028f0bf37803ef60

SHA256
d1d5b19664131aa35bea318a3b029a82f3acb213b321329dd3a646a655f6e627

SHA512
ce040017dca1fc388c5356afe0bf83995f4fea70a28d1a13b92d3977d6992afc4a8e9f73ccbc4985b3d2ac39440d5e440865d16338f4432ad8a60682421ace63

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
151KB

MD5
fac8d6eb6c630309dcceb3548cb8bac5

SHA1
53a35bb208537d86045dc537f18f18bf0f2baa2e

SHA256
7b150c40dcc9306d9f1e2cd313997c95b062a0ef4bf79cd9253c58d8c93fd21c

SHA512
b1d51778cf8e006ab5bd2a2f9442680119d3204fb8452a6ade6fab627e9efbe980fc6c9a3532e5b30ac7bc13e5fb3b89707d88e94136baf4dba6a3ce564b38fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
106KB

MD5
fca44ba3133f56ffef46a705b9eccee4

SHA1
fe8407aa24200d99d935cc451ef7395a352b61f5

SHA256
8bda85f973b4eb547dc82751e076fa5dd43944f50076adf321b2e4124c93b31e

SHA512
1d4367bca24d541c6d3726efbb2c7710e11ddca7148d9dc6fe089a0f5d86362bf5e13b633826b8593549f12713db6baca8415e2e542e4babb46648e16d3f106e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
95KB

MD5
aad905e3d5ba81084997ef1fce507c63

SHA1
fd304fa95c1b5e7896341258b1279a2dc54ca389

SHA256
0c2dd735dbc5b97176d04cb8bcac500998e40aea9724c4b3d63538d8cc3955bc

SHA512
a68969a57b5ae50620cdf4b98ca992f344271796f15418a6ec8b7c93d0327c8ac1539f2fd346c86e9b081eb5bc0e1764a999ffb37ad968e27287da7d64adb502

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
128KB

MD5
9746d1ac79c8b499d8b2224394581fa7

SHA1
36b1985eabfd8131ad9f2b7f69c903a3fce67629

SHA256
77941fbe96e0c797e6cf5419ee32bd3fcee69629cba37750146656a660c37182

SHA512
61a6174e2aced5b85cd614ad2f9d3da24c6b91e1fc04e10ff818222c4323cd043a59708bd35af0de84b004bf492fbc157d72907cd1e7ddf7082fc2a3563ef183

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
73KB

MD5
48fe213ae64ba70e096fb9fd85316a63

SHA1
a517114fa03bad22ce38fd6db9c5ba6b3a179410

SHA256
4df5bde1e9e6d42a4d0dda77dd894808c31b350d1dc340ab0c7590fd30e84d19

SHA512
a8fe5345bc97e745d94049bf4d4a225dd65a324af4cee06df804132c779c2d8bd46f725d21695bb3af892827847198c5842477ffedc2d631c31ccebf129c6b08

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
37KB

MD5
cdd0b43520952303845bfbef218d7a49

SHA1
10b2b094dfa66dd4eb50a12a6d09f97ae314e63f

SHA256
c2e228b579413650ba6de674ba104d4696c4f68509c62ece31352c4dba38513c

SHA512
b44e75855fb71cbcb1d934bb90930207addf6af7f93b2fd2a3c3db9152d0ee5d7857b6fb2d2f3c9a6c862bd4fa856764677e77d174a729ac9d001f59a09d127d

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
111KB

MD5
1d02631bfd5d883bf001d4dd1134fcd2

SHA1
1e98c588a43d50c7464f4fd329c4fdefc0cb040f

SHA256
58eb1931c4efc3f5ace937cb852118f1d7841e655f225455f7d9169bc0e82c86

SHA512
f501b61c67a4a3c8a9d939c92b09f80847010c55e050e42b38edfd694bc59437fd3e839c98cd6ded211c35d40a99750a39c1f5c75a2a47fd551a6990d32f3923

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
73KB

MD5
3c5b727edcdfa96be2606321cc623730

SHA1
d086bc27938a4d96c63c5b5583e9522bc1ca4175

SHA256
329f1f739be2a3990a900a37f883b548552f5dce07302fa446789da1194c6069

SHA512
3a95225f1013c5efca96d66a2f6e54b3a024d8bd2a89f68fb6f500d037b2fe38a8f47ffcaa82ba891243634defe31ddfcd4e148fe935c31efd9f2a124bd16344

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
113KB

MD5
a15a435d627138be8e1b2dd1a07fe55b

SHA1
484e9f624cf3860443e8f459b2a4eb5ace1c13bc

SHA256
ed261f65d4439922a1f65c7430a891a5838c50f1cdd31fa9eff24519c64bcc14

SHA512
000080fbeb3b512ba850342613399d0c6d0844ac10634d03e964151787904ba85513ba282748958353783f9e4dffdc399e62b0390ba993718fe51cd0e75c3040

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
105KB

MD5
2efdf3661e806a8874a63bda8be6d8c0

SHA1
4b2adbab0dcd5da52fd57ae27110a209e66690cd

SHA256
2bcd395ee87d8dc175a2718d333f579dfe3ec19e9acfaa0f5e36eea97bca0ab7

SHA512
48a6a855f93ca02db48550b74dfd296ab13f5c578de003b8e5ea4c7f929ad7266914666d34a423bce677af246fdf671821f691c3f4c631ab739a380cb2729813

Download Submit
memory/716-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2424-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2424-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4176-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4176-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4176-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4176-44-0x0000000001050000-0x0000000002905000-memory.dmp

Filesize
24.7MB

Download
memory/4176-43-0x000000006E300000-0x000000006E398000-memory.dmp

Filesize
608KB

Download
memory/4176-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4176-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4176-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4176-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4176-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4176-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4176-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4176-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4176-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download