73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
308s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24/02/2024, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4956	b2e.exe
4524	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4524	cpuminer-sse2.exe
4524	cpuminer-sse2.exe
4524	cpuminer-sse2.exe
4524	cpuminer-sse2.exe
4524	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1248-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 4956	1248	batexe.exe	73
PID 1248 wrote to memory of 4956	1248	batexe.exe	73
PID 1248 wrote to memory of 4956	1248	batexe.exe	73
PID 4956 wrote to memory of 2088	4956	b2e.exe	74
PID 4956 wrote to memory of 2088	4956	b2e.exe	74
PID 4956 wrote to memory of 2088	4956	b2e.exe	74
PID 2088 wrote to memory of 4524	2088	cmd.exe	77
PID 2088 wrote to memory of 4524	2088	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\1FF.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1FF.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1FF.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\80A.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1FF.tmp\b2e.exe

Filesize
3.9MB

MD5
93f4570b2c16034a16c1b37696b37d42

SHA1
888eb8f5c5117751c94dc1ea02d835b1eb1ba137

SHA256
15aaf743ef8df8a61f1a5ff05da68fd38248000a78001fd5717a761bcaf784a0

SHA512
5a4a60e64f501914dddf10bfeeb2cc3c6dd3f768aa1cd530c4b92c8f1d224c75f72982e55ac5ec4572e88b2f8b0909c90e130b4367a398dbbd2cbc158c2b50c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1FF.tmp\b2e.exe

Filesize
3.1MB

MD5
d43b640b531689082768da5f29b40f2c

SHA1
c568ccd4b9ec76f8613da4ac46abd8095f7a0074

SHA256
3976e66aadd7bccb7a590212547337fc6febbd5ed79544b4555e08f12baf9a2c

SHA512
48e1edc0ed406cdbf4ac30882d1add17d5d8405fdc455e0741c1f4827924498c56f219dadb88481767211838a4511021bc3a308e9219114215835d052abe94d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\80A.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.2MB

MD5
0d98059983a4ee2bef454440c00db38c

SHA1
8fcc1410a4200c685252d8b52c2230b0a0f838d8

SHA256
23eac00e47c61faed64903d93755496591eea3933b64077742305e492eaf23eb

SHA512
3d21fb485361c4b95961a23811d59f28812d3ab35a21b5aee49014003c8a32db342cee1dde5d3375e51c2cd6b48e24a717723de8d802561ff1402512a99dbc49

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
8337d5ef0926924cdd08097da31145a6

SHA1
6d18d10402658fef36bf9295cc5420f24611feec

SHA256
8f7049b0dc39a1b7fd28b5aa6ed5831626ea24b2d60a5ab8ea9f4d4dc79c9de0

SHA512
f23dfe8331db28219f73d135f9bd5d7d96ea4ddb70cde648c7a9d14860555e55047de9ad39698892c70b70b31e2f65f1fce03b575ad8bde0e86aa214295748ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
875KB

MD5
abd4a3a447f41b5f851c57fbd39f67c9

SHA1
4ca54250eca699087ec3d30a9e8f30ba7c6d34f5

SHA256
da735fb204b6f47c603e113508ae1d8b84fc877dc2a92ab30a415ce4d16b294a

SHA512
60db4db1fe61d30c5614f8297276b6d5892b6e31f9fae3b8eefab536709a97fb575d0ecc70d98c7303395b90811f2ce157c07d849d287b44b2da528eeaf0d607

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
996KB

MD5
98d1a2b9984a48757f5ce8ba57e39672

SHA1
102d54e416e64730e33f0a561d4d1f00e32d888c

SHA256
bde8ff87d407db092f333f1a5018de8bc198dc815eb9ca06d7a8863520747fb7

SHA512
7237074949ad3d3d5ada5e04f9a0df514ce7ec4411639cb39baad56bfd2033335455e061e6e7091c24401c425764c73ce5cd8bc3fe0ed670a1092ceafef95de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
f35342a6634a5fe7e4726d8b84d6e57e

SHA1
0930ec945b2f2a838b782199edf336be6b2e52e3

SHA256
c48d66eeed3da049ee0c58d81fec4ad391beaa6a10ab02759bdfafe7b39a7010

SHA512
94295116fa1d9fa51cc0d9c3c270338c83b6381e25a5ed99df181bc53a51447134a1ff167c1e173aa55f65e35e85cb6da1026c8c1a4e4de85f66cab2a5f66be7

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
03ae1346c99a66fcbd06c3a56898820a

SHA1
cf57878eb1c3523d08468ba3e9e65a063c24d902

SHA256
bdb28d28d4f6093c2bbf0cbdf1b2edaf325ad34c214cde4123437896488dc445

SHA512
b1e6f93db804c65f996ae29123a601ee95830391d9f5b73608962cbcd25a9082f1b1f9a6e732e5f84bfa3bd7207101edf9d076445370150ae58c9dcace634260

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
801KB

MD5
d179efe9171c8831b40c2e8b5717bb6f

SHA1
fce12c756c675904aa43361e4cd587b4886e06c9

SHA256
4bf7ee4d522187a2b0b84e14a1b0923863de1944ee23cc0c5a5d159362e2f2a4

SHA512
3fed203bc73f04df61356a4372d054e60dba1375495fcbbb5d4fa87757879b53770ef353bfc8e21700a81d6a1d5cac76098e70b135f3d030ae13a19ab3ec609a

Download Submit
memory/1248-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4524-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4524-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4524-43-0x00000000660A0000-0x0000000066138000-memory.dmp

Filesize
608KB

Download
memory/4524-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4524-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4524-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4524-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4524-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4524-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4524-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4956-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4956-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download