73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24/02/2024, 06:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3268	b2e.exe
4340	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4340	cpuminer-sse2.exe
4340	cpuminer-sse2.exe
4340	cpuminer-sse2.exe
4340	cpuminer-sse2.exe
4340	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1492-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 3268	1492	batexe.exe	75
PID 1492 wrote to memory of 3268	1492	batexe.exe	75
PID 1492 wrote to memory of 3268	1492	batexe.exe	75
PID 3268 wrote to memory of 4416	3268	b2e.exe	76
PID 3268 wrote to memory of 4416	3268	b2e.exe	76
PID 3268 wrote to memory of 4416	3268	b2e.exe	76
PID 4416 wrote to memory of 4340	4416	cmd.exe	79
PID 4416 wrote to memory of 4340	4416	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\6A2.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6A2.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6A2.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BE2.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6A2.tmp\b2e.exe

Filesize
506KB

MD5
6994ea5432b724a67db5b8b189250b59

SHA1
dea07b5ab3e111b0c79e4253b2f5283e6aa8407b

SHA256
e7ef41ed2c02540f0423669b51665b1943a90942e1fa5866d9ab8bb8f4e8b341

SHA512
3ded613ee52966140026e4ad835eba97fd71260c71e1adc2bdef5eb1f7173a9fa963c93c6eb6a6d96c9327cb63d06a0596c1bd62076d66df7143d4c7232d612c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A2.tmp\b2e.exe

Filesize
54KB

MD5
4b21a11570ab02583c7791e5753c509b

SHA1
e3c9eb14cc26fc1f629fc732326c7afc11f9b86d

SHA256
d9b823d50534a3a3dfc8d0e9da95233544ed7e61847549feb13f88528b7c6857

SHA512
5cd0e12bac66f04c38c5333929d10dabfc0af15a3ff888430d731e58d04863be916607bd637827e751a960f26383786d8feafeac3733964d630cb30ff7e9a0ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE2.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
812KB

MD5
d6328198cb3175ec72de57d1dadfc873

SHA1
9dbdf5a08870ff767236f8f238cc5b1c188f7450

SHA256
e3110c03faec62ecf0cd5954091f10c56ba0ba476e98db210002f00f3e463a32

SHA512
03a9445b780f0c5214768729ca390e662c5e5ab22d55ead743f34a36a60e9d208c9ee3d982efb81471b47cb642027f89cfee18859e2766b4164953d8a86f07c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
635KB

MD5
617af0955673a31068b26cea09bac1f5

SHA1
7174253ba5f2adbf6b71c75a76c75fc59d991fb0

SHA256
bb2cde38c2f5098771e523728981dd52070d5a26baed1b5d9ce3a1c6fa9d7a66

SHA512
e189015618ca91da2111b621a299d9a1e296bc3f20fe668158e4b0c8bf27a88a6dad09fb06abf4b0608c280fe3fa3993f271c7addf9dc2b3fda03353920dc1a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
442KB

MD5
233388e5cb6882011f8f1bc293135525

SHA1
7ed7b3541d256775240e2da71a889c19b1be19ce

SHA256
6d1b17dfa001dad5e2ed090a1ce7c1a54bdc36b1141d11ed2de6bf16c78906d6

SHA512
59e2e815a6a95a4f611c44582df80f18616e70d1af5db98daeb414e0ee9694da8ed09b735a243df83194f23d075785721ed7934a0e5cc490d3440bd106ed78ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
704KB

MD5
fe188d751097a725c9e9c1be97f8840e

SHA1
a5b441038a928d27445c3b6b79625a90a3f5fcf3

SHA256
3779e204d037ba84fd8cfc7bba68e0080bb9d92cb0d05525b707c39d79e39846

SHA512
c0654b1493684b501b4ab3ecd9768538df3d3623d48d23ef3b5efd339871b3642e30d3e07c5ce56b0ce5663122d25973692f3848dd57f9386d6f51cacb31ca86

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
404KB

MD5
148f50b95f5476a00bf58c91548a02cd

SHA1
e3cf0792a51be0f1897c412d9f489c000709d51b

SHA256
979f1e3f0cf80d35478f4ac9f77f31bc7a0bcadce1adfcccdf805d5c04ea5f9a

SHA512
0bf90df76d6944b6c17172424574778bffc912e14901d3571099ccf22fe84429fb2d854060d7f568f591ffaa1eb26aeb11c4420b0e49b10a9ce6d79ddba63be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
57KB

MD5
07b59122b40ce7a866b54f68cf5b7ceb

SHA1
f95371c9234b6145bbc6ef086213c86dade22921

SHA256
c97fcebe672fa8f7703e7b627d248b9b87a51d8ffeb6ac1dab72cec31106ca7d

SHA512
9796f33345c001a51b49fce5319c0a0bfb144b37f26ba7d9c1e26a619c9e151667e2d67171be1afcdaf56b05d537a4999315d523fc98739c7f4766fb90acb0de

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
370KB

MD5
17d364d8c38755873d0ddbf2bfa75ac7

SHA1
5b47b8c372a4ba4f5a69b9205b1d00fa85612d30

SHA256
489d6849208c17bddc6949e6287809ac4cb726d69500346c71962d86a808dfa3

SHA512
08d630c07399ebee26fe9d5486a7377decbb74e8080744d505ada1a0fd2ef8577b9a8d655335cefbd29d261171215f53559ffcc0cc342c020b84de04c39814a9

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
384KB

MD5
b91f7bb5508b343188ec32dcc7880611

SHA1
fe2ae7ba4a1bbb2a5df7b73f21a0b8fc745cc11f

SHA256
47881756cdfcb302e63efb2016c122a1bb61574d81186275aef3d5a9fb72b84b

SHA512
a5b91bc653cbf28219b6f169d5d849fb53eced9a932b8edf468c9092544795ee8120d5c76f0c45f27b7a2464c328f5bffcabf3e83d2e7236263ea930cf92eea0

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
236KB

MD5
7825984df87bcf17eecd8dd37fa24bb1

SHA1
228bc0fca963212d1976c15546cc90e2a05a2290

SHA256
9eef5e63ebc66e4b2f7bab956dbc7bd6f4eeb458a7c0af898506877917b1d3b4

SHA512
a19723ba64ad536b509518b138879bbd343dbc3adf14574d804741e7e91b6a3ca70b4073b6ae0ff0d4fcd285005ba8984070da77e154198a41cf178de95fdade

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
51KB

MD5
25a2faf100a3a7fefc5e9cfe53c81059

SHA1
3dad0a1eb74d215799486a18ae0ec8a14c539816

SHA256
f0406bca92baf8f77dfa3c1278f3d18cbbae08c25ab6d4b1ad32c48f230aeac8

SHA512
7a7670c37fe69cfddfaf917902598f91e4161fd80e16f1c1ba0e04f73391f26f99b2e30e6f7ae18da060d85c957e54572cb68e83b71abbb7270cb3fdf152e7aa

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
45KB

MD5
398d35f5a70663678f49c0aa97f1a8f7

SHA1
6225049d0c9080e9f9c78211fad273f0d50eeac0

SHA256
6f4de43e752373db23aab26c3a6480554a205eef84ce1df9be81a51a5c0878a1

SHA512
f58d7d61ae9576d974076f4e2feeb3f9092faa1af98ebcb1798fc3769d6ea0513081c221cf8456f6cd06c658110080177e0537ec78911daac8e71f7cdac170a7

Download Submit
memory/1492-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3268-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3268-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4340-44-0x00000000010E0000-0x0000000002995000-memory.dmp

Filesize
24.7MB

Download
memory/4340-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4340-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4340-43-0x0000000052D70000-0x0000000052E08000-memory.dmp

Filesize
608KB

Download
memory/4340-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4340-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4340-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4340-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4340-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4340-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4340-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4340-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download