73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24/02/2024, 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4212	b2e.exe
2392	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2392	cpuminer-sse2.exe
2392	cpuminer-sse2.exe
2392	cpuminer-sse2.exe
2392	cpuminer-sse2.exe
2392	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1788-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 4212	1788	batexe.exe	76
PID 1788 wrote to memory of 4212	1788	batexe.exe	76
PID 1788 wrote to memory of 4212	1788	batexe.exe	76
PID 4212 wrote to memory of 1064	4212	b2e.exe	77
PID 4212 wrote to memory of 1064	4212	b2e.exe	77
PID 4212 wrote to memory of 1064	4212	b2e.exe	77
PID 1064 wrote to memory of 2392	1064	cmd.exe	80
PID 1064 wrote to memory of 2392	1064	cmd.exe	80

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\833A.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\833A.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\833A.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\85AB.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\833A.tmp\b2e.exe

Filesize
2.0MB

MD5
342df6a8fb22e45503f6f20ac6159bf2

SHA1
5cf718c3e14575f184dbe720b6b4c34a04397f5e

SHA256
d4b986894ce946cf9b90a4c5b58637f81b4b09fb4db5385dee82fb8c68b6d3ef

SHA512
2689242cf78cb513b21cce7cb241b2a6e595fff912b68da672d4bd392a1e6efe94ec6eae3d144ea169bebb3a455ad7780b9b9cb4ddcf7110ff20e91a5400f2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\833A.tmp\b2e.exe

Filesize
2.1MB

MD5
037f2677f93d0d7a705b30ac463d48c6

SHA1
ebb1393ff6af3d37eaf9629f5c43da8b9f05f187

SHA256
2624eca419abaf6bc5facbd5f687f15ddfe62263c46b628f5673fce118a10617

SHA512
7bfa8f31d179556acad8daf2609f0a3b0e419cfdf69aa23e1d2f4f22c8513082dc34baf2781dd5b9a53bff7e4b9a66d0a4332e1837ea068cbe0f9c514b5cb45d

Download Submit
C:\Users\Admin\AppData\Local\Temp\85AB.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
443KB

MD5
de7e335d23c67a196fd27cf0ff907bec

SHA1
75807ba31dedf3411396aca72fb56b389bd316e2

SHA256
20f362f50fb3946cb70819109a5058ed94d920a64ba3eb8a8133a29045860b91

SHA512
fe84bb0818fee52472046d92dfb54f800a49666403bef6f0950696bb330db1113a6a3cf4a2b69547f478bf3da651728ba9a328322c78dd5efd350ec32c127e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
379KB

MD5
879047ec60dad1272fad09360ebff57d

SHA1
e789d4fdb1016cb8bcc53b4666aec9fef0c86b21

SHA256
dbd2b2b48493d5a614a4187fb16d29b30b7e9ae7cc869d19c4644ec5e8d5a14e

SHA512
63cb23cb42d5ac9349da932712c04cf22403b12bd1083da90400805ad2571e0443db99fb0e2789664dee6bb55b3cd68588ca7e2b33f9a30a21a88b24f58c8082

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
296KB

MD5
7479a68c254b00f1e5188a3f74ad5801

SHA1
dec9da52bcf8196d0dd7aaf3824af5623e654836

SHA256
1921453232fd14c1f722aac99656df74ec6af6fe65adceaf455ef351a3b3ccc2

SHA512
bd74b8ba354678402f7dd4f148f6c80b51a64382c4398d7d71c9bf8c54e6a8f809a8ceeba8986e1dd0b4e57196131529ef1748abec208725ca84c34d108821ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
271KB

MD5
4f6572060c67a24f59949e2a8c2c2c5e

SHA1
eb0c15ffa618d6b6810bc86404dbe57d6767f207

SHA256
51578272ae8d6b11a11c5945dcdd48df2e55e8a4a3b83a6844b3b9c70c8e74b7

SHA512
2ba641a5e8bb2b1e9278a3c4115bbe6fe65a2d8707a1d5db88813d4540c0623d071a988dc633df13ff1d1112d0bab6f9bd91bb5997b25bdaa243ab164e4372d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
395KB

MD5
f3437cb6cf4cc78b75537fb7eb6154db

SHA1
2ee13b1ca26d3d6b7bde9e1020991ca3219a6c2f

SHA256
ab9f1c9f03fcfb6b8bb72785f13c50001c275eb444582202cb965d02c3b8a698

SHA512
b9c53edcadd99b5fef1cac2fa1b92730021c92ce7e54e11647967878e9a173b46d8abd2153ee5a16024b59ba5c476398ca137d92112ea376c9e8f198711fc329

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
195KB

MD5
933e4f5ef9087f91a2947beb16b3499d

SHA1
389b623b55c9bdfda0b24b1112978f4b3fccf134

SHA256
53f51fb6ae3cfb3737295b4d4c54ef92e826965d08d3cd2c171972091c793eb3

SHA512
c6ae1d34c3bc0a20735dd87b5a0cff4d1434329b677032f4a2789759d2373ce1459e6b7f959ccbfed16de9d0605bf24a2a75e3004507a0d6a0f2b248f2ad12bd

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
224KB

MD5
c1d9e57703493a7392393df099bdf50b

SHA1
0a79784ef8360859386e39fbf86434883c358e9a

SHA256
abf9819182709d5a79dfc635af708ab1358b883a5bb67399fb1df21fd0808cc3

SHA512
183bbed6ec376575dc2cd98b6fb3142c9045d8fcbb634a90ef8ef663ba02686571901e3803cf00ad19126961f563c49a9cca3b47a2127476804f6fb254e194bc

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
448KB

MD5
cd71b158626456f796bb70e2c846c463

SHA1
aac057acf7f46667aa51406b863ac1d1ca874f4b

SHA256
ca4635390e749626cc1eaf724e4325e1704131220d0d80dfa927b6c5a2590122

SHA512
68465744face5322e7b0964b52dc79526335cdc181169b8637c54e8c329d2faebda4f7bd51969eafb5ba73e57188057dfcc19b64dba4aed8a3dad95c6ac4d36b

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
201KB

MD5
d32d2cb486f0af71e406bec03f967049

SHA1
c602465a50461cb1310f88b2cdbecb9985a696be

SHA256
490ba6ba74046168ef246d2bb9cece2568a3cdf63c989dd5f3f584dc12a4f088

SHA512
78f7a11ce27604e219991b2eaf871f0508520af3b29af547c58c90e21de66fd7881b5c7775ecea3f7de1119586615eb2c0986cf92b3329a05028be0026b4a660

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
212KB

MD5
2b0ed2a567295c84b528a6276853439e

SHA1
bd6358e9042e2e9d5ae26709c7da1acfa056e371

SHA256
b78a5e62e62d12deb5ce64f66e8cd6739d5d77257ef8bdba81840331cc0a1afd

SHA512
25e93234d740401840a75412d8ed2184df781d6b4f3c0d85eae5073e3a756c7f3d1742839a631b248cb955a96f46ed74d7d48771d1e02ba300d3300532fa1e3d

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
276KB

MD5
366141acdca0b73d71d0d604071b16eb

SHA1
05e1eb5f1da9dd99edc262c40c85c6f9ea70a1c1

SHA256
b2c89e977b8a03f7e1c7c6d0ecb13a4927571ead021e8282561d5a0f1f3ac1af

SHA512
f7574a02132982e2c8c89e7abcc959bf2b8103b07d068e27a4f43849a77679894bca06134c5529d8050170e4cb85463917cbe9d192e66f1915745dc77432518e

Download Submit
memory/1788-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2392-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2392-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2392-43-0x0000000056750000-0x00000000567E8000-memory.dmp

Filesize
608KB

Download
memory/2392-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2392-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2392-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2392-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2392-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2392-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2392-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2392-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2392-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2392-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2392-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4212-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4212-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download