73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
302s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24/02/2024, 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2632	b2e.exe
2868	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2868	cpuminer-sse2.exe
2868	cpuminer-sse2.exe
2868	cpuminer-sse2.exe
2868	cpuminer-sse2.exe
2868	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4344-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 2632	4344	batexe.exe	75
PID 4344 wrote to memory of 2632	4344	batexe.exe	75
PID 4344 wrote to memory of 2632	4344	batexe.exe	75
PID 2632 wrote to memory of 4564	2632	b2e.exe	76
PID 2632 wrote to memory of 4564	2632	b2e.exe	76
PID 2632 wrote to memory of 4564	2632	b2e.exe	76
PID 4564 wrote to memory of 2868	4564	cmd.exe	79
PID 4564 wrote to memory of 2868	4564	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Users\Admin\AppData\Local\Temp\81A3.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\81A3.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\81A3.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\83F5.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81A3.tmp\b2e.exe

Filesize
5.3MB

MD5
da7c0d11a3bd3f959ee2687fafd6f831

SHA1
8053211ae579b3cd8f6f0bf9517ab13afdc30a23

SHA256
85cb72ebfcdd8a4aa92ab6cc3bd3e47145a00ea822bd7961ac05d1dee4beaf62

SHA512
645887e7152dd5511626e451ea3dd1195a35053fcd739461b21398af890d901e7e767d7ff67d0fada5f4580863af09a8ae7deda71fad98e47cf3447ba4e9c08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\81A3.tmp\b2e.exe

Filesize
5.5MB

MD5
872d9b93ad5af29e2e49ef1a9fc9f715

SHA1
96bcec03572e4657f4beed217aaaa57c45eeb4b7

SHA256
0d658b417e8e71731d7e651648b5a989d8bb8fc22de80326e019f5eefae66825

SHA512
7e6d4c21b00f26fcb4f6f40047a13acba50412ee02a25c51ce4d9ed9dfc2f666d6567b95a094ade3a6d557f36cdec1a7b20e8d17f8b1653b747c74c60adef95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\83F5.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.2MB

MD5
76e1f698332f1fb25c7274af08ebbdb5

SHA1
fb372fe4a5b19029bfc734d222312b80bf6813aa

SHA256
9495e65f27c594b45af8cdc907eff262ff9a339ca04332643193e7c2f8e890e6

SHA512
f9303366a09fe678283d03fb9feac8e0267304c539cfadec644f5f70625b57136c574964e119194ddf11005d5bcf8a8d4457c878fe54d0ffe78939dce41c9de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
5c2ee64ea96a217b6d3c1f7a0ad304c0

SHA1
a8e9ddda26a9777dc9dfa08de688c528f1479cf4

SHA256
fe7d44030e47a07d4081733ebce92163be9939026b47a83fcb87f8b171b88f38

SHA512
9155612a68550d7ca255b9c4a34d328df40546f179bd75d61844bf6eb6382aa99228d42d32a7e1907fbbea0373f372acb878171d4db824e5d99fe66b6c6f59ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
737KB

MD5
2f509cf112c4893cc9d8d6d64f702145

SHA1
df42bf9a95fceff70235a36b8b85ef79baf6a594

SHA256
15aae9bb512d83f86119a3931d24fbec229625a6f700e49ac3ce915e6714e553

SHA512
74d5de68e47059ba3c89217107bcdd3da1ec8e10715f2cbba363b4a2cb4ebabd7c1e209a404296cd97571d602267b77358fcfb7e4f44e0f0589973447d202957

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
31ba2f6a0b979d730d1028afaa6ea3c0

SHA1
261ec32a440a6b92f4b344f7a0f2479b9d158330

SHA256
0ea320eea34ad0cd188b7261104044c9a6239638effd0bf5323078384a34519b

SHA512
cf490dc4105cfae0542deae00a1b0a712305e91b109df997f6cfdde1ee86162cae9554a037854566fdc124e86ef8141ea69b952733305cad615a832c3ec48a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
960KB

MD5
f3707fd5b389e53285dfb3815a4785b8

SHA1
788b2ac7be4acb28e804021893e11cdd44ee0784

SHA256
f7ef0e3e60989fac5636e6e5a018b730b403b75889125b56c4d07d6279e94c94

SHA512
f11d8577758db08f597987f525b4fc4c8c3f5181255f89281300968dc90fe4b298c322e3f531f768cd5014d116bb7161365c9d3fbaa76ab835405d8a1e231f26

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
731KB

MD5
852a9b91b9738619b3d17bd901ea86c7

SHA1
a6351378e1a011be8a74ab09c8693da51f1bf551

SHA256
ee832fd4cb9b511cbb278648c2771300e83010391043777ec1669c4e2c73a7c4

SHA512
b4798d5e8810b2ecdabeb609a4e931600dd6ebd9d55b8ca88676cb36f4298c0537e1a39dd6774cd9634c8fab204fc5b486dcec619e14f7526cf7b2659444f474

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1018KB

MD5
eaf9fbf6fef5e67da171c50b0b71b28f

SHA1
d6419f56aee40a64727f7328f59dc358c0d69bad

SHA256
ec8b80fb6da353dc04f283c7e3db82a2e41888a4ae58b52a2b1d30f5ac6f10cb

SHA512
7440bbcf27e61445eaa53e134c509c850f421bfb1ce50dcdc0be1603f84d73524ffab79dc5e266cbf54fbd2afb680a17e3a454027c23f4da9e956c7b0e819e44

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
38c6cc2e8663bc2b107283a5a0b438e7

SHA1
434402115ffaaedd12695804da9c137f10fb9a78

SHA256
2cac6b25d3d4016a6b739998487af4d738d2c185d39b341ee9b2144a2a21fd0b

SHA512
f9016c1efa22bdc051bd8455dc028c640b6588fab4bb6c6a197fc2026dc4efe286d3b0afb0988cad836d58bd2e75396728e5bb8fc74f5a69c346b731944666ba

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
e03c3588465b2ef1b28ff1fe088ba507

SHA1
dccb919fb7f8f09037e652e01d142040c1534f2e

SHA256
7ef81aa1c041a3a0a4c578df188f9612e1e916cc2f469743d301f55ecd1a9d03

SHA512
5123b60ee8902acf837c833c41719908909af3dbdd577718fbc177a060bf2ceb397a253bedcd864857584c2fa2ebe25d4aba529c1c4f00a7f6d6b90fc2484770

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2632-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2632-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2868-44-0x0000000001130000-0x00000000029E5000-memory.dmp

Filesize
24.7MB

Download
memory/2868-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2868-43-0x000000006D920000-0x000000006D9B8000-memory.dmp

Filesize
608KB

Download
memory/2868-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2868-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4344-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download