73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
302s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24/02/2024, 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4352	b2e.exe
820	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
820	cpuminer-sse2.exe
820	cpuminer-sse2.exe
820	cpuminer-sse2.exe
820	cpuminer-sse2.exe
820	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4028-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 4352	4028	batexe.exe	75
PID 4028 wrote to memory of 4352	4028	batexe.exe	75
PID 4028 wrote to memory of 4352	4028	batexe.exe	75
PID 4352 wrote to memory of 4704	4352	b2e.exe	76
PID 4352 wrote to memory of 4704	4352	b2e.exe	76
PID 4352 wrote to memory of 4704	4352	b2e.exe	76
PID 4704 wrote to memory of 820	4704	cmd.exe	78
PID 4704 wrote to memory of 820	4704	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Local\Temp\7BC7.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7BC7.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7BC7.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7D8C.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7BC7.tmp\b2e.exe

Filesize
2.2MB

MD5
a3eb4b223d159fd3b208ee408905741b

SHA1
9162504cea167ea550427b8620c52c7027e287a4

SHA256
7d7c3b6acba86147c11e1fa9ee117d40850b3a1ef3b8d79034b3ad9a566468f9

SHA512
83fd30371e408b5cfd57fbc4dac5e97fa03bcd3db7d3739bc498b2af4b19b2142a506903e3e8e0d2bd4fdb084d91924dea93c44720da1b8a3a31f37857eed7db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BC7.tmp\b2e.exe

Filesize
2.8MB

MD5
98f6759f122c252e6dba5a22a65acaa3

SHA1
ceb844001f98cd0c43a889e92629988013a7a367

SHA256
e3a9f364e70c8974a5283b52e9fe75d9b21859d14a0d8e6ec19f218b6eb8e909

SHA512
9c4efcdd7662e8c76b6a1d432aa68b45e49a7d31240293919143e83c583c1c71fb22b9bfa7a9eb3fde02b05f8b70db62bdad6c9afb2e7c7b632a69f75f5e2350

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D8C.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.6MB

MD5
3f5a95a135b26cc28958c72ed37e81c3

SHA1
2b4fbd35aea6cc5a0ec084f8be9f3b4b7f120141

SHA256
2a2d5b3dea44612b9cce565abfc2d58bf0adfc424650da62d60116f4277507cc

SHA512
8abaf7dc82033126690e9bfe259742046546a4b094ef9d42f777037da5425bbe25f957b610bac0aecf419e612cdd6123a79868efb64716a67e56bf9f69eecdcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
1afe404ee2d555535fb6402aaefefcb1

SHA1
f2eca26ed5106ca764e3b0994213edeaf6fee68a

SHA256
3f5e6b50df3c70d3c70e04ec81df557ae3b62f5d81d1e6c14c5388d404fc7049

SHA512
031f4faa7bd995a72752747a789756bb39b2935847b6e2c5f28b281afd06c444bbffc6fc26990371790c134a049fe14c492b7dc58b3073dfec86f9bf69c42a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
cf90c50c51c10d3ce19a934db259c4cf

SHA1
c1b9a40e7f4a6955f878936f54d504a76022456b

SHA256
39ad9220c7e2004002178041dde3a45d07f6654642801896f593ff41aa9e9a1e

SHA512
2847cff38ede677a5c64f215842ebb8d43c06acf03bd22ae9faa446a3f5316e9862a065a5029b0b6f2d16123c3f8bf17b1616508335ae4ce9d50e7c9df17498a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
76eba6252e30dbb6b742ef8a9b944c73

SHA1
2143df63d4f735fdbcd66ac3e4f8dd7051a91ef9

SHA256
7245d34cacb8439af924c4d50e1c77fbce6049383a3a1ef161d89348d5c872aa

SHA512
42985e29d6366e8bd494d93883572459c2199384b6c47d6f768232d90d941bf16121a89b3a431a455945deefafc24579bb04619078b2a4bc237a066fa780f91a

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
98a95f4a31f651900828daa3d7d68716

SHA1
22fb3920a3c8bb07b6bdea0bc0cb06837d071882

SHA256
ad3dfbe685482c53054d07b9c6e0238ef416850939afccb29c8eb0833d825006

SHA512
148af9c59918c03bda58cf606de458042f882ccee67e39934bcf0ac9c131b7e44bd0018e34630dc05ff932454a6379b87958100a98848cd206e45b9e6c5cd4c6

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
263762e7271370af5dc553d26898274e

SHA1
f54a4d08fd14d23996c4d67aab31a84f9cf13374

SHA256
bfec107c633b5ea537c045dd5d77efe12b915d228b092f74197fe03f5f44b0a4

SHA512
1435a9e879a94400fb14449e472a92e537dbc124416e5c3f5ab8eb23d22693e6a35efe80d460bfd0dd7fb12f0d53d259a2231160db62131512934eeddbd29ab4

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.3MB

MD5
a95e737885250f1d2fcabdc0a4b62051

SHA1
a8c76c1970f897a5fd9e46a4a9a4254306422c67

SHA256
9d94f5c410c6745abfc52a15cb17f4e7ec7d9c4948e93120836d593b7f72ea3e

SHA512
ed1f24d2be0996f9747dce3a8e0f1d1110a30a0eebf5c8a7525b19f07fb4a904125fa71418207c7f4c06377a4b6f6d2e111ae1fc0fc0e7a19f857abd87718a6f

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/820-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/820-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/820-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/820-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/820-42-0x0000000069460000-0x00000000694F8000-memory.dmp

Filesize
608KB

Download
memory/820-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/820-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/820-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/820-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/820-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/820-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/820-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/820-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4028-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4352-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4352-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download