73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
306s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
11/02/2024, 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4652	b2e.exe
4692	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4692	cpuminer-sse2.exe
4692	cpuminer-sse2.exe
4692	cpuminer-sse2.exe
4692	cpuminer-sse2.exe
4692	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4456-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 4652	4456	batexe.exe	74
PID 4456 wrote to memory of 4652	4456	batexe.exe	74
PID 4456 wrote to memory of 4652	4456	batexe.exe	74
PID 4652 wrote to memory of 4580	4652	b2e.exe	75
PID 4652 wrote to memory of 4580	4652	b2e.exe	75
PID 4652 wrote to memory of 4580	4652	b2e.exe	75
PID 4580 wrote to memory of 4692	4580	cmd.exe	78
PID 4580 wrote to memory of 4692	4580	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\AppData\Local\Temp\120C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\120C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\120C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\176B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\120C.tmp\b2e.exe

Filesize
1.6MB

MD5
811051ada120e79ec938ad5f3f771b6e

SHA1
bfe168ea6f230cea7608b07892ec500b8197aa14

SHA256
b03cbf59639dfb6689615f2adfdee82cbe3ee9b2a05f434a8dff53e83e59c70c

SHA512
61b1e74bb53eb3c28812cf7b69bde1ff4c4e86196d89343965ecba22aa160fabf52d01fb9c1e4786d06580b5b617cc46b3e90496f285171d0193ed68338409fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\120C.tmp\b2e.exe

Filesize
1.8MB

MD5
91eb6a6155b912076b4898de38de9971

SHA1
ba687ee6e76f8b199b8ccb04e00bf60c03c1ef5a

SHA256
414d19c970e9b7ab5965f101a7dd858ca201ea17dd434917486e85804fe641f4

SHA512
f6615ac0155e589789a3e38012e2e4444eaeeb63e60462d1f43ce2188fdfa919faa834eba41ef25c4ffd53dc562bff902672e968a5eae4567f08a75695b14e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\176B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
854KB

MD5
aa056923c48a53c1ad89d7fa29ddb8ae

SHA1
2feb1deb526601a044b175797ad09eecc83cf62c

SHA256
96beceffea00f68364a724859f459cec6a541639b44f6f9c20f5cd1522edb608

SHA512
ee41176dcca4db628e32977400316d1bc629e7922bdbac4264096190226d6b100678af5d1042bd5a556fab0ff7ac7fde84fcf2c9037aca97eb1f7bce125275e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
809KB

MD5
e9569c90f559a3fdea6a37517acaa91b

SHA1
9c881cc43ed9f64b8c3f7047e40a2a11d668779a

SHA256
51504d4a573d38ed9b8e0a79f6604262e08f63232b42b7b1bf876691d35d63aa

SHA512
d2ec978f8448a3f53181eed02b5d59d9f3f60159c5fcb024b1a4c486ea42e03f40f634d0c6e261471af4edc44a3f5306db7b43b938fd00ebd47ce5018a150bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
766KB

MD5
9fadccd49d3297f5e92261dc147f3244

SHA1
61634e1f96a25a35edc742acc2530d2117a889a3

SHA256
0c6b825cabcf7934b0c4ab62277738aaf56129b64fb9cbbd7833bcbf31b225d1

SHA512
fd8dc881e47490357a7ed22db6c69ae928ceb094866c0446b83c8d438d54a9a9b3255412dd81e868d31b6ba413cc814da605f0b34acf252902e683bb963238e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
660KB

MD5
57c28cf56af7bfe8c3861b91ecd70f1c

SHA1
7a17c1691fb5e5990fd1ae13af78eba517ac0820

SHA256
822d9428aa3be0e60fd8756ceae66064adaeb6bf317159c3fe858a6e19f15beb

SHA512
7438453ea4c416e4eeb9dcfd3e0c9073e64f759b9a3de1ae4f665a34dd5147b12b761c5dbfc1b7fbdf5e3d4055197bdf72934ec4001bddf7320a6af58863ce33

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
783KB

MD5
8dc10cdccd54017e64a4881a1952a74a

SHA1
f2e0745729817aa847ecc68b8b06e1514f51b00d

SHA256
eb8256d1314d1d65d3206556b971d0e4cbdf2ab46f06773c6b848e2c5ec05b56

SHA512
7cfe970b675f024c0f0e7e913298837c35370060d61950d61d721bb03de4571b5f6e91bc9bf6ba9b9c4b887205dd8e2eb42ae5bba100aa7ae4316684a7cc45d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
510KB

MD5
a996e6addc6955544950b89da74b8869

SHA1
dfc513a7c48a8fe7d8513b9c2153606f0c9a7040

SHA256
f66469158ef529c0cb817bee87f136c6a41dd38621c78250f8dc57a0357f3408

SHA512
f25704d40bf760b5e745af8fc43b24adc1641a1bb448fa0fc0bfac1a6256f9ff40a45c559235ca5fd5d35e234e2567444c9a38a3cb7eb64f463eb3feaa32cf14

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
580KB

MD5
13ad681c2bdc90ea413b886a2f0074f7

SHA1
28615415db4f07961d8ff5fb6ef9b369c626b4ed

SHA256
ea508549107a883f87c300345fcaeeaa4162875730a8668b49fd6f62397c53ba

SHA512
e9aabc13017434f054ad5da12cdfbd80b9b17f648ddd10173c7bff5cead3339ed58fc1229b42e00466b926572b194b915b58eb53b49a52532f5dcf3a209867c1

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
529KB

MD5
71631cc597f10564f240ffd2a243bc24

SHA1
dec394ab6ae2908de7ca1447cd4f929878bf1041

SHA256
f148fe550bc323dba41454a0a64fa9e11b7571d307881227e25e86b19126042a

SHA512
4a15ff94206aa17667212e0d37f31ff2b4a5f95c31a8259043594398b730926996869c9e7f52701690277ae56ab8c7de32da3a475e8868d64e40f206086cc4e5

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
612KB

MD5
bf83feaf86f30292bbc101ab6188a8f7

SHA1
d991e941fab599365011a687913cda24b9555a6f

SHA256
61426b1ac501ccb41ba840e5c63a3446df1105dfb8249f2c079e1c79b04aff93

SHA512
86125eb83223b697d95fe2460f97a248fdad285b568b86412239e936fe07f7ec0ec9d4eb38f533eeca992c78fa5ae38e9bac5a9b1c85cd15376c4c250ad4cee2

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
634KB

MD5
001f35a3799ed51e964b277507d36c7b

SHA1
b153cc42bd3360f54364e4b6cacc2cecf238463b

SHA256
5092ba39e3b36545b83cf41e03553327c3a1bc6cc90e30186125eab2e96a6a07

SHA512
d12096df2395df957a5cd221f554abdcf3b46c6bf182a9aa2ddd6f35dc5218cfb71299a8f98635798e9836dffd5b1b310a86dda41c6c579bec0d72aa1b44c9a5

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
536KB

MD5
6efac05f4938153fc9a3d979c052cba2

SHA1
b3d955151e3f92e6b5c29d983f88bcb097f82b2f

SHA256
4925f16d0577b4840edbf11d0080ca668fe4c7d3223f57506e218bac068bc47d

SHA512
837430e0c5b2fdba874d5123bfda3c344bc8d6a824a7940a9d6294dd8962082f56db292adbbfa2fca3f62bbb6d500f6e8e512422f5d4cfef78b860f274269579

Download Submit
memory/4456-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4652-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4652-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4692-44-0x0000000001030000-0x00000000028E5000-memory.dmp

Filesize
24.7MB

Download
memory/4692-42-0x00000000580D0000-0x0000000058168000-memory.dmp

Filesize
608KB

Download
memory/4692-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4692-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4692-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download