73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
299s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24/02/2024, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4092	b2e.exe
3476	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3476	cpuminer-sse2.exe
3476	cpuminer-sse2.exe
3476	cpuminer-sse2.exe
3476	cpuminer-sse2.exe
3476	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1812-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 4092	1812	batexe.exe	73
PID 1812 wrote to memory of 4092	1812	batexe.exe	73
PID 1812 wrote to memory of 4092	1812	batexe.exe	73
PID 4092 wrote to memory of 3892	4092	b2e.exe	74
PID 4092 wrote to memory of 3892	4092	b2e.exe	74
PID 4092 wrote to memory of 3892	4092	b2e.exe	74
PID 3892 wrote to memory of 3476	3892	cmd.exe	77
PID 3892 wrote to memory of 3476	3892	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\Temp\C043.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\C043.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\C043.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C3EC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C043.tmp\b2e.exe

Filesize
4.5MB

MD5
b7870e9fb9b14164bbdb3d5d3653b108

SHA1
1dc2970ed823ddf5b9157757b0d14f03eacc08a0

SHA256
dcaf9af06b9fb33c0247e6ad4319d14688edc587776470f0bef92993f547e18c

SHA512
59e866d8a86fa7fb4a1b733f0197b27c55a75c640a984e123e15b0c6cec4a4b94e7daa54f2b54e8fc01be5a8183b8671a46159b87e0482254162b141ba88090f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C043.tmp\b2e.exe

Filesize
4.0MB

MD5
511088328e007b01c8e606b98a7a7e0d

SHA1
52d07a99b200cd65581b9dabe0aeb9eb397113a9

SHA256
7f7a010944cc4d0faefbf4cb08b40c3e6e972202cc480d2ea1a99f11969244d4

SHA512
d5a1257f2de255824c84c67dada5bfd6466ec88eb39cafcc1b3ec5f8cddad57aa2503e58ccde68ed3d185b9298e85bb74f9487c1d1a11517dfbf476f036e1421

Download Submit
C:\Users\Admin\AppData\Local\Temp\C3EC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
603KB

MD5
ea8277010b7e82c058a29e44c31ec2c4

SHA1
bc125c92471c1b76690a5ece33d517194ce22451

SHA256
37e4fea94e34f60cda235abbf15be573127c12b6835d4d828ae3eba18a2774d5

SHA512
2a42e11130b1a0e4b482e450364af08140c4744880a07645823cd265c401bb5f9e8a316b2719bbc5d46ee8feddc4f187a4d4aa153d974f8dd965ed5116ca250d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
806KB

MD5
0d282003669616fca974c0d472d18585

SHA1
4149e22034d3a77043423aa0fe0b6c301e6b3912

SHA256
8306bc09eef4fceb04dc0c2a515a4183cfa3b53abdfb391c75dca38225c4e860

SHA512
721943b083f2ed2459bdb8a6532dbb75089f9b4a2a3d6a89edc1e467502ba541c864fcad9feed60e8544adaa0c20650a36585accc7ae07af35a06f4ddf4585d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
651KB

MD5
cc6fa347888863439be97e1bd4d60267

SHA1
bad707e7135debadf6f6376ab0d23748f34a5feb

SHA256
e3a964ccdefd58be3e93618bf0a7aed2aa64d1c6820560879c214703e40950cc

SHA512
be099d4dedc62e3e21fc6f36c58fe60189ab3ee4aff4c07dbbe135b43b215744f6dba6833ea9610bb6035b561aff7074706f52f0bf37b5897495b27853bc0210

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
703KB

MD5
2cf20452766a8c14a612b67fbf724c41

SHA1
2dad19eb29caeedb665329ca3018b2617d98d2a1

SHA256
60978eb96510726b321a270510b9f3e8c76dfb7b0e9cb390ae94e392f9e9f8c9

SHA512
36a5c447b4c858cd255d08dd348d4672faeb3f4ff34a64b0bbd264df94d5069de568567c2ad4f6ac3f5acbdffaf3d0c3f92ea8bfed6ecbb8774b5559f1e17c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
512KB

MD5
a3dea3777f14f1235327b648410a9406

SHA1
9ab139a0c947962b3c471c36e8b9cca4d750c889

SHA256
ff432926dd375c44e9a86cc2520c46e66be2d212e35fb73f16ebc4b48b98b6d1

SHA512
b6cacf9e5d8adebdb3c4ae9b6eaddda6a90d9eae32bdc4cf6eb36ad7cf14d02486ac0c32942e3bc504e943a544fa71a6c9e2fec8fb07c456290646107b4edea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
646KB

MD5
10df42974cc66e5500e0f2005764990c

SHA1
06e9547b4faeeadb662951416783e538992243db

SHA256
633047e54d244767557c76accdad2713422de15d9a116524eda71f5d11ae6b70

SHA512
95dc3bf468fb8298f278a54a2f87230e59874e21de8b54c52c2f220bff8d9dd58bc8ca9466a6cb3fb75f83dc5ecb7f9c49556d34c3ee62db9d0e1f3abbf92290

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
554KB

MD5
88b34edd2475e9e07e937598ad001721

SHA1
e8308e016968fa095118347d23a4f25d35c25b6b

SHA256
526c58675e2325929ccbe06b2492b55cf0807a9ad06d449ae3493cc371c55b21

SHA512
6d79ca484eb0a09baf0ca34047a4d655f94050a1e207e48dc9c1bbf21bca87791363d3a27fe667372a9d469d6ee048f1d6c04a94bd8f8270ab592d9aa90404c5

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
357KB

MD5
42afa8ba65e6f49be5924b869fd7667b

SHA1
424a3df135aa22ecde8bb9d6d506daf395b64753

SHA256
5b71a9dd5c353ae707383b810978dca9520e3c1c10d34582fa818ee197eab10f

SHA512
8266c5949f071ddc72df8c40d7a36a864a49a2c4366148e4f15e66e8b71f82a8e15c827e6c2dfb1267c778e6b7ac4125bc072812ea5e9a1779df6ef1ce1e456b

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
431KB

MD5
b116956a645b45f81972816a16ccd088

SHA1
b14db36e96da7412fd1ece05c70dc7c9d22af1ae

SHA256
8ac6c555260308cce2d96ea0fab0e0ed797a439b75a0f0e156dde98cdbf9311d

SHA512
a9657f1724bc1655270b215d2713a421a4a3ba20f5d536f35915a7fc70fea008eeedb887e3ba63ddd70fb6cb2f5b2b842ddb527f575ed62b6c9b41fe3b6be082

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
503KB

MD5
7164c6d1478473b18a528e85a44e7e6b

SHA1
ebb3fb7c6b8e8e6ace22e4bc5b8b5dbefc2c9a9f

SHA256
402c54e4446b2fef99d3ec706f57815c7943b2a064700903dddce7fbcf24c245

SHA512
ebc46f8018309b6260f58e0ee47eb4ed8914b4bf970b46311d6981941a584c6ad49b4211e4de01b921989de35b47bba6340a0b44c34f51d8b561cdf1f627f99a

Download Submit
memory/1812-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3476-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3476-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3476-43-0x000000006C310000-0x000000006C3A8000-memory.dmp

Filesize
608KB

Download
memory/3476-44-0x0000000000E90000-0x0000000002745000-memory.dmp

Filesize
24.7MB

Download
memory/3476-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3476-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4092-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4092-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download