73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
17/02/2024, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4652	b2e.exe
812	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
812	cpuminer-sse2.exe
812	cpuminer-sse2.exe
812	cpuminer-sse2.exe
812	cpuminer-sse2.exe
812	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1764-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 4652	1764	batexe.exe	73
PID 1764 wrote to memory of 4652	1764	batexe.exe	73
PID 1764 wrote to memory of 4652	1764	batexe.exe	73
PID 4652 wrote to memory of 968	4652	b2e.exe	74
PID 4652 wrote to memory of 968	4652	b2e.exe	74
PID 4652 wrote to memory of 968	4652	b2e.exe	74
PID 968 wrote to memory of 812	968	cmd.exe	77
PID 968 wrote to memory of 812	968	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\Temp\2AC4.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2AC4.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2AC4.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3227.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2AC4.tmp\b2e.exe

Filesize
2.3MB

MD5
6f16fd8f1a73ef22ff3169dd2f29e5cc

SHA1
56723aa22feb6ee335863294e01618bb6f03bc51

SHA256
ca512ff46f2dcebe3a64abf933daea4400cabf836348c3bddef066deeb702941

SHA512
791f069e3d2db02c8ace098a29e6b58c11be83f663ab81d8ffb1ce4a7aac8724b31aca9eb5665840de57d7c96d802d1bc56c1439907f22225906ab5becafbb03

Download Submit
C:\Users\Admin\AppData\Local\Temp\2AC4.tmp\b2e.exe

Filesize
2.1MB

MD5
7697c937989ae05f6dcfe8bff543c735

SHA1
cd6740f5b2df48f237a214098e515902ecaf3179

SHA256
b3d06a460ad9b85589e6c35e8929f551dc18b0ebf39889b0604a9834d0d4c2d9

SHA512
1f43aba24f9fbdade5ea5c39c294c275e4d6b993b6e39e93bf598abb4c62ec1614ac15c8bcb100c733efc0fc5cc9f8b6a6c7e11b480482598e266d341183856c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3227.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
a19d84b3fc52bc5948516e0cf4801dae

SHA1
6e970a8b6309f658cd17c117cc0ec7319f8d3551

SHA256
071ed1536a706798e5e06357e2e364336fc69968830df253c781c9fe796bf409

SHA512
6b45d5b0d35a6576b56b4f82159a1bd80ec6aac1a815794f8742d5d5a36ab567d580ac4c48d74f792cccfd412210b37fccbeb10aa140d40c433a7b050df70f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
fd2278453777aea988c5d03679d3b96a

SHA1
dda11cb81ac72e225f323824e306656d99700384

SHA256
40938bbd809253f39a7ce990a1236b15f3c2440cd97a8399ceb532bebe3ed544

SHA512
63d064dc39be1493bdb0a2368f14999ba06e69597a98c26081d5bf3b7a96e126512ba4391fff83037a7dba2c995682d1f366f0765ff538028e7a5b937b93ecad

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.3MB

MD5
809c8c12ec9a565245c579d00e529fba

SHA1
e51cdd25adaa26d514e5b1effbbdf853d3ece8bd

SHA256
03102a43bed593794d85fbd66b65e6a133aeb1fe48d7249b63059e1f9a08f49d

SHA512
96412b62b447fc2f2bfaff60ca93c6102b34340bf9e53f6cb77f97a0c632613477d70f2e3b78be8b1e73a95a2c9d419851dbbbcd1851be691908e293b84be655

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
042c2c44555153e21fe00cade511b3ed

SHA1
e754b410c0c3ab2c11dcd148fc81d87e28074220

SHA256
5d3beffc2d9ebe9d972e207d46467d57394a03a53b6d1899b562f5f651fb59f4

SHA512
03a6555c21ad6c233ea8d27f54e0de3449b8fd707f5524418c192f8cf55170fa43d3e43b4975e6ebb8f93ef914a100301fe9b72f8e21627959a08bfdd3034a68

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.3MB

MD5
4d74bbec58d172370360429754ffe94e

SHA1
84ba0148e399f30d8e1cb533f73ada5f9720995a

SHA256
24c8fd3b8431d3c707ca7f4ec2c2b4ead8676777dadd2afa3ae515c0c6cfc3bf

SHA512
4db886627ef1a3b8a3404954ff222afd79b0217236851d0b7e0c3d0d393d087fd89dd2afa3e6a16daa597c92334a225e562d3b5328d21013be2e7c43c25488c8

Download Submit
memory/812-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/812-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-42-0x000000005D8A0000-0x000000005D938000-memory.dmp

Filesize
608KB

Download
memory/812-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/812-44-0x0000000000EA0000-0x0000000002755000-memory.dmp

Filesize
24.7MB

Download
memory/812-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/812-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1764-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4652-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4652-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download