73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24-02-2024 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
60	b2e.exe
1096	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1096	cpuminer-sse2.exe
1096	cpuminer-sse2.exe
1096	cpuminer-sse2.exe
1096	cpuminer-sse2.exe
1096	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1492-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 60	1492	batexe.exe	75
PID 1492 wrote to memory of 60	1492	batexe.exe	75
PID 1492 wrote to memory of 60	1492	batexe.exe	75
PID 60 wrote to memory of 2180	60	b2e.exe	76
PID 60 wrote to memory of 2180	60	b2e.exe	76
PID 60 wrote to memory of 2180	60	b2e.exe	76
PID 2180 wrote to memory of 1096	2180	cmd.exe	79
PID 2180 wrote to memory of 1096	2180	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\858.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\858.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\858.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF9.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\858.tmp\b2e.exe

Filesize
421KB

MD5
b97da265c874d8649835e9640b002f23

SHA1
7593ba1dfcdb87299d154ef3dea585e370e6cc49

SHA256
dbee99a6218de0fe6a9b43bba2fe5db2c8a4fa624edbacd0eff49f11ca9dca5f

SHA512
248032bdc89aa0cc544357e88f27e5f31c46946d0239df22e1198c7b2c0d964543618c4c6a687198f78f9a4ba4ec6a5b5f12ac24a37c6ca7968d51a56c487364

Download Submit
C:\Users\Admin\AppData\Local\Temp\858.tmp\b2e.exe

Filesize
1024KB

MD5
55d3fcf113506e85b6cf485f08b11290

SHA1
539d601fdd7e37fe22412d8c73023e21293ac62c

SHA256
519083ea4de496637895b9c3dd7fa5d9fc1140325272570f09aa0d2bad46f2d3

SHA512
62c0dc6a36ef819eede73c8b041fbdf579ec0ae399654a73a4628555bb84c4e1fdcf314deb659f41986204e2d92acd886dd8735a24a150a309d4035b58a33ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF9.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
576KB

MD5
123b922240cbd550c2004beb94ec8837

SHA1
b10faa36e11c43f44cff74a9f9339ae6748fad87

SHA256
71855c6a38c445d56636936b4fd31461256b3b4232381a84f68e979299800c67

SHA512
f4bf53694214cc189a6ecc28e1f394ded1041717b6b91996a4a92deb22820550d169d0720e18f0c4f03fcda799f1c60aab1fdc2658d81b046967788c74e6045a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
964KB

MD5
e3936c887d8ff0d3d5b6576733b287f6

SHA1
2815f61c6a1876e89b73ffedf28e17e337183b00

SHA256
6f87df0e6e83b2c934e40d4bc9577f097b9213f156ae9af925e6fd781fb71ecf

SHA512
b0a8f0383e6df9e6083035b225eb7a6153dcce2fa459a9e9c2aabfa595f9aa495c0f2c16a347300f322fc2f5c48db8581c2ca72df42e65d6bbebf81b0b6aaf5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
180KB

MD5
8c3284e57326ba4235d33b89349d7ebd

SHA1
91c3516f4663f225839aea14e7a2354e152fc1cf

SHA256
17b99a2ac4623b274ad5ceeb33e6cb6f378ede786611df6da0096d5dede6a414

SHA512
75e995077dfa5e414005d9bdeabe885088a6857ca9348b4047ab3161c6d7c8764f8a1f9dbc94b0f39667047fed33d9195c34f0f4279c857f59b4dd6ac39d7527

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
749KB

MD5
903c7b88487cbe41d3f71cb7516e7912

SHA1
251289a37f95f225d60a0bd156f0d40ee9b1b19e

SHA256
55311599841b7cc2336d270f2ec4a36cf896822e02e541740d3a8433ff412d85

SHA512
9bc7807764269b8f84a8202ae10f27054d12709cd85f6f7304b5b92e076d8ffa874dc796524799f577d02797b771eb1c79aced7d911c1ffcb3962701e60ab47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
926KB

MD5
e22a679b8ab3074c82ebfb62586f9f8b

SHA1
01c104a1e671cee5ffdd0eac717a52d7a6ca8b8d

SHA256
d445a8617d97099c2f155a0be7839eeb25e7efcef9a75baa04399a4a1208e5be

SHA512
62ed962f5c8da6363e8427dc9ca3b39a0e5d30e378710e4d5f9718964e64b3e2b28513c6430451a5c5834f93f5d72f36629f7d5ef40169b5ca81a84a56aebb87

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
469KB

MD5
13c3ae6e3d5857ce2a2aaec365ba5de7

SHA1
12a9a7673be7fbe57df4edad1fd0fb04c8904d37

SHA256
41e9b37d42a4f860cdb8b26ed1d84cd492ef86c32abca50d47164bd3a69bd5a5

SHA512
d01fac17a91c7fd9bf5aba65ba60fdbb398bcbe5fca17bee48839a766246d8e824dfbc5e08809bfa0c87fb69e4ec5ce2a7972827479e0e120d8cc23d8476e979

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
640KB

MD5
7a7d60afca7c8afc6093fa911f351fb1

SHA1
4880cbc27d9f6e73e8a5c6cea5fcc86dd9192835

SHA256
9cc5d7eaa8f1aa76e080dacf1300a51a947fdb6421fe69e207e50876c04a7084

SHA512
13fe38ffe2d3d3510ae5c7506ca463b2d2c5c3023f1a973de1555f30a59b1c3ca49bd1f837884a4656ade469beae9418e3ec6b67d570cc22a6b1c70a41a4d8c5

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
693KB

MD5
10635e35a17b06e04f7cc6a2c33c3f15

SHA1
8f8ccd14ef8e29732c51cf86867c37ff913d303e

SHA256
6dbadc0ebf1c4538b1a83d218df5f206c3db0575b6ae20828e082ae49e9d83c8

SHA512
67ca18cedcd81b74b5a79a23ce0bf58767c2628efb7362405c6bd5fc9edf6f2bc9794bf139f2772a42b6a90a6438c79242fba5a9d3992154c947e22e6abe1afe

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
560KB

MD5
d1fdfaa6086cd74c14bd5d8b817dacef

SHA1
0534bf7d2fa228d35c79e67476f09e576f889150

SHA256
be37db0e488036a06ea97cbd173c9c020a53f33c957ee0baea098fbaedf67d6f

SHA512
96dcbe1fc623a4d4fc602a7b8e3167775917b46bce4a431089e650b70c2642f91e58262b7348203d7d31521a07ece37a740f2c43fd2b295f6ad84d894c7de78b

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
449KB

MD5
046436b97ca668fcf99d0fb96db06aa0

SHA1
21ebed78664ee6f294ca2cebf9b00ef2f994a645

SHA256
9881ab696b50f775a244edbb40888792c003315d4b103f6508b0867ba0a00b54

SHA512
2546776bb4c7d07cfefe1de780549b9a4b9a3bc4e834f377030ff1026c26c617c49ddd0bfead33d9548b4b6aafb785e9d9e3676e38e1d20ba42f57b8dd0d36b3

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/60-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/60-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1096-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-43-0x0000000052D70000-0x0000000052E08000-memory.dmp

Filesize
608KB

Download
memory/1096-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1096-44-0x0000000001010000-0x00000000028C5000-memory.dmp

Filesize
24.7MB

Download
memory/1096-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1096-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1492-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download