73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
301s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
11/02/2024, 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4544	b2e.exe
916	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
916	cpuminer-sse2.exe
916	cpuminer-sse2.exe
916	cpuminer-sse2.exe
916	cpuminer-sse2.exe
916	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1536-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 4544	1536	batexe.exe	73
PID 1536 wrote to memory of 4544	1536	batexe.exe	73
PID 1536 wrote to memory of 4544	1536	batexe.exe	73
PID 4544 wrote to memory of 1032	4544	b2e.exe	74
PID 4544 wrote to memory of 1032	4544	b2e.exe	74
PID 4544 wrote to memory of 1032	4544	b2e.exe	74
PID 1032 wrote to memory of 916	1032	cmd.exe	77
PID 1032 wrote to memory of 916	1032	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Users\Admin\AppData\Local\Temp\A671.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A671.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A671.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AA3A.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A671.tmp\b2e.exe

Filesize
5.1MB

MD5
6ee4e2b0db99e98a52bbff50c6d6dcba

SHA1
6a363a1d9872cadde27a66ca7e88b765274cc8ec

SHA256
2a8806781e17a2dffbf5906987b9dac15b70b0a8d18b7c29c94758f3a688c676

SHA512
94fddb6a7cf9a3660edf3bc6a65f45ef46bc4bf41f89357c18ad841276d80f77d2819e80699eaa63f07df2734f902e0f8719c98ccbeca6bead05df7f0b742d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\A671.tmp\b2e.exe

Filesize
3.6MB

MD5
a202c43df284047b4026052f2015b382

SHA1
531129cc3cff7410080574b0fd1f8404c8c343d6

SHA256
22e0189ee48633fcbb780d8ce081c027adcfd289ce6b90e0dddf506b78a59a66

SHA512
03192f196ccd2100255c1fad56bd14019876f87509f7215f1af469e93a9e4a8686d7bd18a1273d46e05711d1017a87948b4299a6d4597fa66001b29ee310cea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA3A.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
23d79e5c9aab672f8f60c5eebe49095a

SHA1
a104fcef7239607ddf1efe7b2c23e746dfbd0dcf

SHA256
698e05c0e81105d7f7175ef33574ef428340bd4729564a58f6190349283e636a

SHA512
03fbe3b84107563ea0e7b6b345b4cb4a3bd09153068643c1a96e53bf7504b004458859dfea0c66da065defc293436f3449e568b922f1796f33850f145f8a07eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
128KB

MD5
87bb74a6790018700645a8310bb9a32a

SHA1
b0e3e91efa12e0df5ed4538d3b549ab5d9f6c16b

SHA256
ee6a846f1dcf082d5216bf314e65e1428af13ce54dfaaeb371d1c54f330c5298

SHA512
702e12a0858a1dd987d6a761f0ddc88fee9bce38be3d71f8c9be3fecc8cc6e88763967140f83caf4f2e10109ab95b811bb70bc70ff0b5cce8f0f32713ad3683b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
c89e863ce2221a0f49b45a55100e468c

SHA1
569ede311983a53a8f23f254fe37735538cbfa5e

SHA256
5ca5fb55f2e5ddee30c893b0e78d1ad59f593c2c3e5ecc155f14a088c65cfb46

SHA512
f65476f7353ef6ca7378752551c28736b61916cbf54f0a17b211a5a14ab93ddc2830a1d9c3cc1118117a23be95d49b06fc8a174d1a87f360ae4b96a6bbde04b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
94ad3e38b1779a58c93311b2a21903f0

SHA1
fb3ed6a678515ba27bd0651de44483c84ed4441a

SHA256
352ff12bc502849854c27857642ee8bf6bc947bee4495f67f3c8e5c95be4cd19

SHA512
8e7e840988bbd7cf8bf88313e9b905cbfa10f188120ecd793335e2d4fa84ec530875ca3d8721a68264c5df639ef456fa37896f70d5b6d661753743a2040bd21a

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
832KB

MD5
9b527cc7775e3fefc75ebd6cf497b81b

SHA1
7405b4528854589bc404f55c0e591d2e534d8d63

SHA256
eb4270d5203fe07ee63a7161093d69577ada5ad4ca659a6181d63953a69bca72

SHA512
6471f61ebc78e6ab30cce7cb444c582a8a24cbcbff1a8cc3d22d20d299d53c6377127e76bcc2a1e2c9108cd65d6fb89d42ddf89b04140c8e225f5115984a4b85

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
745KB

MD5
3dc49da1d2c810b995f3e3bd8d4190f9

SHA1
b71c193f6ffa8f7c3d53ba4d5db676199d4d051a

SHA256
a91964824e21f09200ccf492aa535b43e982589c9a4c2c48f125d68d80356d5c

SHA512
8da1b34199f34ddb8965650cfb6408bd784ecca643054a0d642419cff1b6e6d8b26f946938dbeab20b367e4049637a6e0ea72d3f89cf499edfec0247116b67b6

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
704KB

MD5
ceb1ee23d68e973e400b41e7324c71b6

SHA1
0ad5540864cf9bcbf52870ba72566625ca54e67a

SHA256
66f2f5bd30986e28a4c43ed44264cc56f63bd7a3ecd6aeb5845ac7bcd724aeee

SHA512
51ce4a101517339cb1f5c23fc953dde73f871cec2bde8ea5c9fad9376366d7b8aadaa8668ef2f7bf9d873e8817345e4e337a7a94c42c3ddf6a168377af060e9c

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
640KB

MD5
1b7339cbcb5b756c15c05fe0cc6443f3

SHA1
abdba01c4526a9bbbb7fd3853e09bce3cbb5287d

SHA256
5fcf0fb116f77206758e3a669ec4fa52648fae431a5c2aa2d7ee69944142e019

SHA512
7661b5e8413e74432a00089b1556b2f49e268b6b5c8cefd839cbe19074bffd138c18e8078627420f4082f579a9e3f8d02b199507ae36380b5375162a4d4ba439

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/916-44-0x00000000010E0000-0x0000000002995000-memory.dmp

Filesize
24.7MB

Download
memory/916-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/916-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/916-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/916-42-0x0000000054910000-0x00000000549A8000-memory.dmp

Filesize
608KB

Download
memory/916-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/916-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/916-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/916-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/916-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/916-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/916-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/916-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1536-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4544-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4544-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download