73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
306s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13/02/2024, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4584	b2e.exe
2388	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2388	cpuminer-sse2.exe
2388	cpuminer-sse2.exe
2388	cpuminer-sse2.exe
2388	cpuminer-sse2.exe
2388	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1404-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 4584	1404	batexe.exe	74
PID 1404 wrote to memory of 4584	1404	batexe.exe	74
PID 1404 wrote to memory of 4584	1404	batexe.exe	74
PID 4584 wrote to memory of 4720	4584	b2e.exe	75
PID 4584 wrote to memory of 4720	4584	b2e.exe	75
PID 4584 wrote to memory of 4720	4584	b2e.exe	75
PID 4720 wrote to memory of 2388	4720	cmd.exe	78
PID 4720 wrote to memory of 2388	4720	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\14DB.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\14DB.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\14DB.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1A78.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14DB.tmp\b2e.exe

Filesize
2.8MB

MD5
dd9cc88c1a20e857dcff9a79d8adad45

SHA1
dd7a73d37b94589d9d5268b29a0cd8108c9ab8e8

SHA256
ac0dda0dae36e3ace474a809c64a0c5f9700dcee161636fd69a1505083f0c014

SHA512
4d578545fb79dcc102e82f4ba3f79e19f8f3ccdc7a8385f1aaa6911cbc7feb2aa3315e5ebc59c48a32c29dbcc9499e475e17f00efba5a098eabfdaa03ed656a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\14DB.tmp\b2e.exe

Filesize
2.2MB

MD5
998e9301dce0fbf032fca9df021fc4ae

SHA1
f503ee26148291430af85f8446e0f57be9aaffe4

SHA256
b369c8213fb912e0b3897919430a7d1d5df34cc0fec88831ed704eaa103a6c69

SHA512
6c8e0ae1c074762bd85e7d6882b2e1925def81670ada77624c5f8a63b4cb1e48ddc62f67b9c933a31b0a3ba0be87fae07229c92ca1a1b34bd7910e246ea4a0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A78.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
938KB

MD5
e2e4ef0d502c41c657c647d60ebac5fe

SHA1
2a32882a75f9a89f00ca4e154626a52fba9a6c2a

SHA256
71d714e8b2df4ad78c96760456fcfd700dc0a7c2a5be1b537e6f600d4cbb3049

SHA512
897be9e1382f1e7aaa1b275bfc2f69ec7ed718cebcaf1bbcd671df6d4c677bf4c3b0d33f9ef073db4f22ffc3b004511d0ebd1327dee86e548a5ffe5638502599

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.2MB

MD5
84d02d3a46ebed7203437fe3bee9e8dd

SHA1
2de17739a04b5987f7124e2e2243749c89bd7c07

SHA256
641f71e2779fb6725910c22d89647d187572b2600578d27964666decd867b46d

SHA512
91ea1ba255e4b13447aad2104e8d1d4899a24454c14b35969e45a67d15ab01a99d84b59a7f4c4df91964a873c1392973bfceb2435452e386400cd435d7d4e739

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
24d034466c38cfbb8755c1ca1249ea47

SHA1
eee2d1813f138f5483c787ad339fe15a6d2325c3

SHA256
1bd43d91f37df5cb3c3b0f91a856051f81aa0d03b116f115ac764e4ece442612

SHA512
0a8d3eedf7117ac47bcb046a35e0862fcd634ed9d3771757a0fdef6f0af273a8e06009b69ede5bcb60c97029539c6e4e28e278e6d8ea05ed5e9fa16b2a40baab

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
d85c1c696d9bf4ce43b32b37b234f501

SHA1
f9bede2db72f7e35b336776684ef536a4aa870dc

SHA256
72e226dce114263ba55226d8be164f13ef43cdff913a7ee2726bd2a0481d028f

SHA512
224c604d33cb2eb13345624f7ec73173d7b4506758a9d769412a1094720e15bfb43b53c5b3eac9aade57dffd85ae7b0304286e8bc33286c062ce05e9b54c95a9

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
560KB

MD5
dbe523f913fecbf1e0f037b533a25ce2

SHA1
8b7a4114e67ff1ce7a9beb812157e68b3182ce00

SHA256
f82be2acdb076dd256d7b98cb26fea42c27128c3ed9220794d82e81c459c8b76

SHA512
55e33f8aa2557e8ef24525bf4922430f2022cc553df84b40ed5cc09fa7341dcedf8e528c27625a581fce448afb92253f446f4580cf25ada40a7cb518ff14bb96

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
49b2f4f415eb0ab9424e05e091fdde19

SHA1
e08288b20bfa31c1012d3f3bda9abfebd2e2d525

SHA256
816b43c070349140e4ee89f37a562216a469d82dc92205f0c3bf46dcdf7366c0

SHA512
622514f81c9d4d6ade53b03bc68f4ae27f003257d0650c01b13bc6e249f71ea9787b591c206494924cdec2a449b341ec1ea134a123141206f57111f5494894c8

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
972KB

MD5
b041e8e48bb0f5890a309c394cbec6cd

SHA1
6496ec5b0a2fb8349b84acb53caaa70158b9de5c

SHA256
9040a6a6a2c98c55fb0a171bcce3153b293fb03fd8c46eebbda5bf4082df48c5

SHA512
ddf5ed64afeb7fc134a1f9dfa99070a1d27e16d0ed69a1aeb4c851b771628a65389e9fc885cf606ff3804cd75bd6b63b37b59e433547ad97715b8fa0e2a9f469

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1404-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2388-42-0x0000000061B90000-0x0000000061C28000-memory.dmp

Filesize
608KB

Download
memory/2388-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2388-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2388-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2388-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2388-44-0x0000000001060000-0x0000000002915000-memory.dmp

Filesize
24.7MB

Download
memory/2388-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2388-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2388-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2388-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2388-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2388-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4584-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4584-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download