73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
304s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13/02/2024, 20:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
852	b2e.exe
3864	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3864	cpuminer-sse2.exe
3864	cpuminer-sse2.exe
3864	cpuminer-sse2.exe
3864	cpuminer-sse2.exe
3864	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/380-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 852	380	batexe.exe	73
PID 380 wrote to memory of 852	380	batexe.exe	73
PID 380 wrote to memory of 852	380	batexe.exe	73
PID 852 wrote to memory of 4536	852	b2e.exe	74
PID 852 wrote to memory of 4536	852	b2e.exe	74
PID 852 wrote to memory of 4536	852	b2e.exe	74
PID 4536 wrote to memory of 3864	4536	cmd.exe	77
PID 4536 wrote to memory of 3864	4536	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:380
- C:\Users\Admin\AppData\Local\Temp\1BEF.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1BEF.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1BEF.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\21BC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1BEF.tmp\b2e.exe

Filesize
4.4MB

MD5
f1e2dcebb97a85948916d3bad725bd5f

SHA1
23b710369075c10de442b55459c6bc292a47ecb0

SHA256
5290860743d90b1a9ed84a1af76d94907df48a000b511326d93cd1dbc16dcb89

SHA512
0ae204f46a4036d31f94e307a210cedf2e7a69fb664c9aece261e5d1be66620b85d4569c11a5d9cfb058aa5f1182c19c08e12015b60bc5c8da6e76610e1d363d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BEF.tmp\b2e.exe

Filesize
3.3MB

MD5
0e4490b04fcc2ffc1d11b7e3e550d1d5

SHA1
19b03d03206458895a308d46ff1f92d68e06be95

SHA256
ec8290376749135da45e66ad37b5933df6657e2cdd4ba0908f0d873ebcffa314

SHA512
28d7101e60a40378ca2e48e3c59b2061a494601ca50a843d4dc76c89969d539a3b76c6c695ddd8f14d18cba28608e0aa022418b15e27d8ebd9bc7cc1e54e3497

Download Submit
C:\Users\Admin\AppData\Local\Temp\21BC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
369KB

MD5
dc36db25b0111250062443aebd517793

SHA1
89fdf49ec43670ff0cfeb1777a485778ae5f01ca

SHA256
c6ffde93fd5df5f14b73af5ba5f1a61644bb6be917f7c668489e0db9f1bb3a82

SHA512
eb5354b50843b3833cd1ca4e4c20214814eb6147bab8bd8f5e17d99737575c43e219db2048ea73ba784ad4cef647190b7c8d7d19b008274bd80922f48363d397

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
512KB

MD5
a879c5fd4613dca566d5b1a782690dd5

SHA1
41c6063b0f0dee953e99713a5326856b55e08366

SHA256
3ee76359d6802a8fe11c5b144e18ffd3833bc7b49d66f190621d41e41ea0fc20

SHA512
e20f8f40822ca215c75767b8d4102583cfb3812c74dbc064a8619f214c164ab94da6bee0ae42c794a0af1847ff30c295b34d3015f87bfe597dba80339871ea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
300KB

MD5
0e41bf5b899994a46d0dce7649edeb52

SHA1
bbdc5f85912cb0fe3f4156835854d4f2001e48f0

SHA256
dbd99d9755715bc0faa02d790e4a5e39dde7a5139d4e4f9f2488272d774e8388

SHA512
5a154bd9c045ea4dac38bd931d3b1abeb1f2748638195dc9c2693b90afb77dadd19c65c504818e1b3943bcfe6d85cf94f2e66c9a08413f7adab3800ba90823a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
422KB

MD5
9097f937b2a5888283b0817487cba5b2

SHA1
fe99bc3ad94f3ee6e25ca0e314ca43143dd37285

SHA256
005865ba028166a096393647bbab572d4a98b96a5c14c9d2675573aa80927772

SHA512
13babd31e195d0fd589ffc2618a2ecdcd40d8c1ce66edcd9d1f3530aaf1a70e67860778863bb9f2c74f46d3e4e6c095685965d23b6df9cf4c7ea249dfbe9a0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
433KB

MD5
1f84b440fb4f9809dec97ade2890c07a

SHA1
b586b1f3dd80e640a90fbba452c3a07ae0a3612e

SHA256
42e937b6129529e99b406dd8d3018f36d18974327179762dea66673082993647

SHA512
550054a5aa49dece4260c4dd98a323b93333f9852d3d5a6c3302635f208e24c09d818a354c871e6e3a83999833c79de844626d793ba8bec3ff144593752c307f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
401KB

MD5
21b6334d5d78ae4d95ff07271f829bcf

SHA1
9fd494820ac6923de3f47dc7030ae2f530268834

SHA256
b41f847ebde0783f33c037d11a772f509d22525f4d7a87241e67356e62aa21cb

SHA512
798e252fc7aebad557a88dbea683e6392665c07570e1d328541df45cd72f3a2f275ec6c865077bf9821bd3d9cf0b0e79235f141cadca59aa1e86107cb41592fb

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
433KB

MD5
cfc275c7e4fc555c7dde6682c7bd1557

SHA1
8011fa3be2509cf46b43d90d2aeed8c4f188a347

SHA256
bf82e99b141a13c6fdd015cc041d1618245fb56acaad262823c6b9a2d9a31827

SHA512
06397179b929b0a410aff96c3fb3000eee63c7f84fde2821bd6f00b3950037586c1aa6c440f36e9ce414423ef45bfb4bfb2d4275cf0088345d8b064840d2d59c

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
322KB

MD5
3537d391f44b8881cd180280ba1c1fed

SHA1
226d596ec6de64119029692a6ee7f142e16063b8

SHA256
90800e0c3e161f4c6c876807af9325a49f2f30d2b7311a220727920a06cdf4db

SHA512
7c8fe3d0c351d9f38a8516ba7ecd3eddea14bc850e1465b3cfe2a269511169cb4976733b056326b71a0232ebea581147ca0974a293c5b72ea38cd20b4761659a

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
315KB

MD5
0c0d07c4b05013c8c38517ed7a72dcde

SHA1
938a6ab3bce9b2899a76e87f286ed6e8dc5cd9dc

SHA256
6928a654dd15325198ec175f73febaf94340ae7ebbee0ac850fbf45a74dbb418

SHA512
6bee525db915ee1338e7bd371b8cdc723a94b3e6c636af6b1631ec8ef18a56a9432657cb394514625b8008cb7312666583396e56232ade53b70193a5540f8814

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
398KB

MD5
97ba7cf7f2a68d6a0db90e59a1ca39f2

SHA1
1d9f0a046604c2ed84619d32c3d74022ee446a77

SHA256
4016b8ae77c17da0e27f92ecef0e336d85c848317de4c8e7ef4ad89139ddeccc

SHA512
b4811feca68f2fa0a06db2b4f814c8fd26fb22d0b7eb56f3fb47c155fb2eb62f83efcac8db965d7d14fa0381f491fbc50eee19191acdd5c40c99b66e62fd5022

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
313KB

MD5
d57b52dcd10cdf3c6c17df21281766e3

SHA1
6c190a45c7cbcdd66e0c4a83396c12978e539f78

SHA256
a98f970409b9d0f727f93c9bea2c3889a3977138d3809f2b1758fd3f19e4e436

SHA512
da9a61c6ca910bb8e9435b1224eeceffaa0d90ef668973067dde170eb43c7ff20643df6f30ad4735707f4cbde232228781319e340b79fbfc60cffb04f66ce481

Download Submit
memory/380-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/852-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/852-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3864-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3864-43-0x00000000505A0000-0x0000000050638000-memory.dmp

Filesize
608KB

Download
memory/3864-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3864-44-0x0000000001080000-0x0000000002935000-memory.dmp

Filesize
24.7MB

Download
memory/3864-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download