73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24/02/2024, 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2424	b2e.exe
3372	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3372	cpuminer-sse2.exe
3372	cpuminer-sse2.exe
3372	cpuminer-sse2.exe
3372	cpuminer-sse2.exe
3372	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3196-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 2424	3196	batexe.exe	74
PID 3196 wrote to memory of 2424	3196	batexe.exe	74
PID 3196 wrote to memory of 2424	3196	batexe.exe	74
PID 2424 wrote to memory of 1712	2424	b2e.exe	75
PID 2424 wrote to memory of 1712	2424	b2e.exe	75
PID 2424 wrote to memory of 1712	2424	b2e.exe	75
PID 1712 wrote to memory of 3372	1712	cmd.exe	78
PID 1712 wrote to memory of 3372	1712	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Users\Admin\AppData\Local\Temp\1A49.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1A49.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1A49.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1FF7.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1A49.tmp\b2e.exe

Filesize
2.4MB

MD5
714f456e96c3e45ed7c7572c09f89cca

SHA1
d92a5159e129a51ff0609d2f3bd4288a6ccb9727

SHA256
504c705f15506b537abc566deff3069df35ad9308d87be617c0c0aa5ecedda2c

SHA512
c885d60f4513a4ecd772ba30ab9f68df6fa4754c85a373f16bb180dc7faf629f8b2a445e7efe5f4496f5a9aff31514cd459307f947c379684a862c021b784509

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A49.tmp\b2e.exe

Filesize
2.7MB

MD5
85880325733b871f335a45cea963c153

SHA1
a7688686182bfb41ccb79563973a50fdb68c0dd2

SHA256
ca9350595879a4c6f6a19d717422da4a9b65370d7a9bfce379a73c9e30c1441e

SHA512
f8b4e09a1477d36fe7f0364123d8b7e56a1e623b99c2c2f85555c2f11c7a88388b883d478d8338d4ad214a5b49a65a93e9b02544f70d9da03b3be94dc7ce0e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1FF7.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
473KB

MD5
c439dffef101a3240b0bddec65980579

SHA1
127ac103ffd3b72b0fb2830debea979e8a643de1

SHA256
bd4d26382ea3904df2a5aaf04b76265dcb50c6de98ea4e28ba8b66af0b6632be

SHA512
2f1b4d965e5de314cf05ef2312877c9cd9dd2426251110f7081a00989585f81f1bc81f1de1d3c28ddd238828d7b775d75d6029e59e5ba18b1187210685637625

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
786KB

MD5
1e209edc2e83c3bc68af9f820861a78d

SHA1
6966cc81275aec4bee69cddcb85fee05cede60ce

SHA256
d20b8518d49fb0032be0f7a82c752d6c30c94acf328a475c37f1a503442a3060

SHA512
13a5aed0422dc9eedf8c7a2f8509e5be1e557e2a6aa2ea9de381ad5093e5af5de733dc26c269e7de51c937db625452980dbf4b1191bedc9b745a14cdab2c9cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
670KB

MD5
c186e7f358c2df569956ca7a53862613

SHA1
3d6d1e71e0d10c4804e3a5d52241778c2b169c67

SHA256
237658c9cdb980a4883b57fc6d6d0a09badacf95cb76bc95700aa5d2b96801ac

SHA512
30f0e5b22a1515201f81b1f37ef78cc99f873d1884f48af9239eb25a9f047f50987b2db55e2ab2ec06416656c4c67cc64e72c1ec0b0fc90edec291165be22f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
610KB

MD5
bd4f5159dbcd3310a7359cdde33d3205

SHA1
008fbc3d8dad552a659229fad2b125a6f9cd6f32

SHA256
b3004a9c5e1e3d09dc54257a16ed15f50216c6f2b13805da0eb6d7edabfb92a4

SHA512
9867f83b135baad551a701a42f8a200bcf9fd19448a8e3f4c6f4e553a01552013e6e28d61d2ffcd792b465496fd080275702c63337a7ce476b61e159e44a4171

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
584KB

MD5
af65e08e1d6c69e41436b3138f86ac0f

SHA1
a2f40a6f2709fde8f0f74040bfcaa7ad6502558f

SHA256
3a589eb5ee9c2a3240cdf2d7034beacaec71a0df1795a613c7c26fb1581d6eca

SHA512
d1019e1718112507fae443c5812a51c3ce2a5b762a02fadc4b617648e2f6adc7081d94bcc32d83cd34e316279e1cc6d935d2d411c4bc3c3776cf07e130c014de

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
739KB

MD5
7f4f3a32ebe1399ee4fe3784d97be01a

SHA1
e5d3bd99b3db991b8866b1f4b1a6b5f32269b3bf

SHA256
d926be66b63b7425471849968a01e4c07e87b19179285bba86b19832e11b1b93

SHA512
125e1485ea0f6a278d64b1a614e7252f020ec39f20d4a3e8322ec4c2fe6772dcf1db2dae857cca4e9ca46c66bda07026a6be6da8035bae4a749fe17ad294c317

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
499KB

MD5
feab906365042aa1d21ac2d12579878c

SHA1
701d04140135b24ed1eb4fb2ed174ff9c9d3a834

SHA256
57084bd84e02bca5be1cd97ea65118c67528ffd70e3b864db29d3f54856a344f

SHA512
ae49a02e6845ed70b45684fe49bbaf9f9088f4dfc39cad9a1d164939d05580469650493328f8f0178e35172233f99b0f6930f0acec84ff0d8ca4fff96f20edcd

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
744KB

MD5
d259cbe56103858dc21f60327b5b31c2

SHA1
fcd034bb1568f041efe2fbb8807044511726a8ad

SHA256
02e155d74ef75cf6daae4b595c38d703c94eaddbe9da390dccb08bcec881c0a8

SHA512
e8610b70a7f05c9ec3329e49a6308e1f017dc48721e23e648900881af21424eb0973ec964c6930d3457124bb14df2600b5a905c2925ad36f3952e93123037f58

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
496KB

MD5
b7e11c4c7f0bbace6b2760951fb86c69

SHA1
7292c917e9bf571af4ba93a97a9e63c3a9b7ab9d

SHA256
b4901d246fcc56d327b28502a9b98f1b5439f12805790d954d9a67b37496d681

SHA512
dae2d7974b83e6aef4ab6c8fe27f86809347f87781a0e5f7c1b60438385ccd75cad60adae3779e12770f13fb7a662b7bc49edfc364a0b1c2c72ac48bc12f4b29

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2424-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2424-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3196-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3372-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3372-43-0x000000006E300000-0x000000006E398000-memory.dmp

Filesize
608KB

Download
memory/3372-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3372-44-0x0000000000E40000-0x00000000026F5000-memory.dmp

Filesize
24.7MB

Download
memory/3372-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download