73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24/02/2024, 14:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
60	b2e.exe
1096	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1096	cpuminer-sse2.exe
1096	cpuminer-sse2.exe
1096	cpuminer-sse2.exe
1096	cpuminer-sse2.exe
1096	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1492-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 60	1492	batexe.exe	75
PID 1492 wrote to memory of 60	1492	batexe.exe	75
PID 1492 wrote to memory of 60	1492	batexe.exe	75
PID 60 wrote to memory of 2180	60	b2e.exe	76
PID 60 wrote to memory of 2180	60	b2e.exe	76
PID 60 wrote to memory of 2180	60	b2e.exe	76
PID 2180 wrote to memory of 1096	2180	cmd.exe	79
PID 2180 wrote to memory of 1096	2180	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\9AF.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9AF.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9AF.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\11AE.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11AE.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9AF.tmp\b2e.exe

Filesize
2.1MB

MD5
099e18cf84312ee05add20eaed01b2c0

SHA1
3aedb8f0362d50274ec7bf1e79bbd3923b47cc13

SHA256
8856beb3ce39073034ad1cd1b72251224cbe3b2861af9086947470096666312c

SHA512
70c26948eecb460a2c035d8bec9f100588244a0c621fe26c13826bef00464051b54e200abfd73cb07bbe76c6c807317dc90b4974a739be718e37aa2621c134ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\9AF.tmp\b2e.exe

Filesize
1.3MB

MD5
03a293396da8f3c42edf6b8807f9e2d4

SHA1
807be4179cd16ee74f409c493957ab9d4c133256

SHA256
40ace4e2bb82d200721236e2dd762e2b9c3f3b2b56430e949a4c7dbdc1e6bbce

SHA512
da267ab2b8dbc876620a082e7be0f3c78ee0951375cef068593b04dce43c52aa3b0eb08ac1c3b2047321e491b8092407c285d1ea1e3b849510f418f1b59584dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
358KB

MD5
20163172e619da243d008103cf8cbb4a

SHA1
692ab88e953672e104e2719a3ba204d19c8dee88

SHA256
20fbcf7c085ee75a9cb4ad47ebf2410ab026cf513b4b13127fdc14d746338af3

SHA512
1ac95d76888aefeab020ab91cbf2a677631f326efc8f05eec41ffdc77dd84f061e58f61f3a64a4d26b412502fd402e85f6b2c5c0890c17405abaad95fa11d751

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
347KB

MD5
0cc0b44ffdccdfde81345a8bc778efbe

SHA1
96688e5f361c79fdcc154c894eb976da780499bf

SHA256
7e67636f481ad9146014527d32b2e10973bb676db89ca4fd43c54bf9833ed944

SHA512
3f2e8f2d9f30706b7a25cfd5672670303cd8fe8963071b3e5043d2a8545c42adb1adbdd165bf900a0dd827568a683c674d19bcc22b0a9189abb27b9b5912249d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
418KB

MD5
359399e5de137e1598ee01340b5324fe

SHA1
58f5c0e79ac0c623f407d1ff407ac8439dd20d72

SHA256
7351861c022e6d2d5d67260ab23a457ed7926313d2aa8c4083603f2dd7d0dcf6

SHA512
d75c450dc340a42d9da7c2aabcb50e7026654f94039b7ac0cd1abc86c352498952fc50666d9697f93bbd3715c34fa883dbad63e4d8479c7d6f370d9d606ceffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
492KB

MD5
e7d7e38a647a5923a1364c54d41cbe14

SHA1
d559be243ff8ddcde3bfdc571f53c6c89c465497

SHA256
69658cd7b2742d8e26a50802857d60bffdb63e9b7df188a73d18e9f6bba1ae05

SHA512
bd3dea0ad5cb72edc18ebcaaa2978ef604450ab56eaeccccacd63e7ffdc157ea768d7fbe7c546e7fb1b464a68d672b34db847b382f7bac57c31d60903d2dd727

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
290KB

MD5
e747d11201425956893020814f06f409

SHA1
cc23677903633ff5a7fee1cc9b22d685bcfa4fe5

SHA256
a95a4be89175bd56f5ad756839e1f3fc58f26741d5b0fa976705a43d81528ba1

SHA512
5b292c6bb2bc204c661a23c2dd8730888b1c092c63e902ccacad57a69c28047d946322ff42dd4475db2826cf53653215581beec6db9f44352461654af19ad69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
338KB

MD5
43ec237a46966f02b9e72e2fb1400f66

SHA1
9ded61518103c70c719c771d62b861b079b04abf

SHA256
62e306c2d7f7ab1c42ac3a3014346c5801788cf1ac7f455eab35a8541ffb0d35

SHA512
c69b16f3172b3e4d73cc7d2b86e8fcade68e63d56781a647f7cb9e7755f3b8b51da3ae71a546bcf9fad16ed9df3704dc4592beb531d7d0b6c0c2f8adcb9892f3

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
473KB

MD5
a3fa2981766442458ce7f69f6c436933

SHA1
1abd11c07eb2044e830735bde49824374c99e4fd

SHA256
2614d77e6cbba83accdfa0e4a6006cba15a0e30c6c49ea5b0c9f5d5005ae4bfd

SHA512
67b8f21b8dd0306d9357de94be7d337d677b9d3e61807a8f692715aa9ec8ecb968344edefdac63c88822ad961e308c386222f3cfefa1459e6775b265bf4e809a

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
291KB

MD5
67f48e7f0786d45fe05bebcd3642642a

SHA1
8f7ea291474eebde37176533a77efb63ab674803

SHA256
bfd1cf5cfc7f638b1c2fb3a15372972bf46bbb1f9feb4ecb1588c6a805c3b3fd

SHA512
bcdc07652dad429751ef2223e3bf2f7f4c4e89882c8079dcb4c037f673bb0ea9415e173d0acc8f76821b4e09c341ab7e7e33dea7275b6548f37101edd77f83f7

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
262KB

MD5
c029c847b95b612696a9f2c6efc1a1f2

SHA1
5d46a6a466c71c8aee1af055ed6ad86512c0c9af

SHA256
6e2e40a14f155e5c32557f5933f09c96c616d45d85ccc47edc8af41e1ca51309

SHA512
f0398a808a5c944e5e99c3507c6d658bb915209009c3332cca34acd7fe9ad1ef90ea600299e9e9c4e7302e1e692223db27c603661934f85e3d7ff2fa13f8126a

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
357KB

MD5
9e7a4fbc515deda3d5d35f1e970abc7b

SHA1
78183e168f9ddb59a27ef4d384db0edd7652d1fa

SHA256
79a8ab9b788c3b2ad4fdb9c1314292a210e3367e062278916da4d791b1d1882d

SHA512
f729d22ff550dc08c68d1a393dc440c9dd20683b01e90365647184a521b59cf158cc5edb10f1a605abc86410f6fe8bffbd13f2cb9d6de9aed81862d6166c94a5

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
329KB

MD5
13ec830529e1b469bed0469c94d9a91a

SHA1
3e572deaf743a349b5e55d4fb51edacca9dbff99

SHA256
2a0f4510434e6eeaa6e2b76595285dfc66e4602a24e36338be6f518d445b7af8

SHA512
92283f24ed889f9fef50091fc64c22bc8b17e4ff0c9ea8ff7c1d0d342dc05da581955947f902e06d02168dbc876c1e434b89257a79f42c665aa6ab685153abed

Download Submit
memory/60-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/60-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1096-44-0x0000000001150000-0x0000000002A05000-memory.dmp

Filesize
24.7MB

Download
memory/1096-43-0x0000000052D70000-0x0000000052E08000-memory.dmp

Filesize
608KB

Download
memory/1096-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1096-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1096-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1492-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download