73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
304s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18/02/2024, 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
684	b2e.exe
4664	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4664	cpuminer-sse2.exe
4664	cpuminer-sse2.exe
4664	cpuminer-sse2.exe
4664	cpuminer-sse2.exe
4664	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3156-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 684	3156	batexe.exe	74
PID 3156 wrote to memory of 684	3156	batexe.exe	74
PID 3156 wrote to memory of 684	3156	batexe.exe	74
PID 684 wrote to memory of 2432	684	b2e.exe	75
PID 684 wrote to memory of 2432	684	b2e.exe	75
PID 684 wrote to memory of 2432	684	b2e.exe	75
PID 2432 wrote to memory of 4664	2432	cmd.exe	78
PID 2432 wrote to memory of 4664	2432	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Users\Admin\AppData\Local\Temp\2296.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2296.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2296.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\296C.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2296.tmp\b2e.exe

Filesize
250KB

MD5
5e860731fd629f315df8a51f72185c41

SHA1
61039cd9514d9923dcde7ea09b678c10e749e912

SHA256
bc0a0d9f1c05c8b5a3f992505b10529dd4d4b50f2e0ff6fdd7c5b7c19b75d3fd

SHA512
c60d8259931cb674e22282b040b26451beca1a4a267df8836392308b1dadc5fa14d4d3623789ceabb17603e5da7751f2fc5e38956d92d0cad44df560c413c237

Download Submit
C:\Users\Admin\AppData\Local\Temp\2296.tmp\b2e.exe

Filesize
446KB

MD5
bd66aa41ce6e79712e51ab22ea956731

SHA1
45853ec4762f33866bd34ab95e5749127b0a5442

SHA256
ac08d4810e4c1e69bf849840d9e783a82ea1ee4fffcf6e08fcc75bb0b1198f2b

SHA512
ec5b4b984ef022c230122b7fd4056c3d5ca48be3a39b93f652e591874b24f755e7e299caefea09810cea3c3869888520378c23397572221053bb51bc088ae75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\296C.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
dcacf6b34f0587f889d761149bbcdcdc

SHA1
69070566db83ff7c7935fe6817e2c99d7bd2271f

SHA256
2610ab9011861b036f1bec9d02b7456340c3114eb8820ee5f192b7151093e3fc

SHA512
90a2150d15243b231f6541b4c5f20f84ce1684f920642f14fdb8b2f5879542c6f7e2f5b5d57f43f30441fb02a50a5c10a48f52a6088074e8224d998470df3bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
813KB

MD5
02f4187a83cda104595fc9386622418a

SHA1
83efa6487b3149d240a5b2a3aec245aa47f3a9a0

SHA256
7fa5bb38c7a19620e6584f1775be628ee123a22ddba3abcbcb3a849db49d76f0

SHA512
45bb64d5040a111b7b9240869eedef23bd93683cafb23204dce3889baeba515fcc0746f38e17fe96571f1fd03db5aba37ea15c3b3440780c2d4cb51233699fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
698KB

MD5
57c21501bef78baedb03631866e8bac8

SHA1
5eee508b18243a47e4127d539d0f75ea4d5b6d17

SHA256
a1e285160e0f833a77d113141a10578f91e9921b7753378511acb93dbaca9a01

SHA512
664af664f1ccb0e0cd620b486d12d46c297b4ef11c80ae182e9dcd654cd60168de638d8c1d741c926d1964d6e1c61272eecc56e4221a198f01e148bc93fb5ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
721KB

MD5
324989b7152106d867d42edb2a82d67c

SHA1
5c4091d6dcecbf20c76d56b2f76ba050337b1daf

SHA256
2c3acc7f5c672f6aaf04b1aff8b9af1eb25698a7a175e1b9baf68434a4eecd20

SHA512
d7b26d75313bc73e00e50ec8e438b54693ea3d978a64afebc8b83fdd64410934a828ed50cd3d29ddcddb0c62beef098d85d604ba995f79cc80c85d7934695386

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
537KB

MD5
ad91b952e549e260ae197a7a50d451db

SHA1
3da0fbfaaeeaf45d60fab5596a4e1f209259b7f6

SHA256
a0d057506d0ce3c1507117e3de79d9764082a4e3741f90ab2fe87909fb439e62

SHA512
3fd862444c16bb30fb730891eb44bb86974cfe467b50b207e7f162b399206475abb5a5f838e9865e594de99cc8612c6918c8364bc6ec1dc539b8fe9b62571750

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
595KB

MD5
b4ae708fa3d4095a72e39f6e1cee4c49

SHA1
2415bfc503cc34979398c5ba897e711c5a153b4c

SHA256
061292bdd8ccb06367e2f40ab3e05b43b9509cf6e991ec7997fa720d5f33e465

SHA512
37f6055f40db2b03644b369b54e25486b0b721b75c9b6a49f7357c01b427ad4ac0b9260f0ad39e899b7fde3248fec859902339b31d89ec4215ab191faca3146a

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
615KB

MD5
a80d7af2ed3d300260e18fca6342dd53

SHA1
5950be99583b8f28413ff37d4067af62ffe69ce8

SHA256
6f1a0c25bd41c6c81a2f4cd1c759967de5caabc51e3a7b38e4b0c20da8136054

SHA512
4688cd80a13fa9b34658c683044da687c0fe16bd5c3ce7593f30537cd57b0daa4b930cfffbfb6555158c589bf3d6602dd389e8971c98661259a7e9ab0c846e56

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
731KB

MD5
51860bbd3aeddff4e854d5fe49e42eb6

SHA1
9b1fe2d02f91cf1e06e62f463e2386dc365eaf1f

SHA256
703ab6066c4673e900e579cdff15b9de9c58cf84fa522f718e00a475c8984d8d

SHA512
b0cee7625bf160cb78845f2d448f29d069e6d0db5d3dbba20808e1494891e7876af32fb264815527b6fd2fa5923faa860f33ec22155d7cbc71cba3925d75cc91

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
732KB

MD5
8f7627f8638cc1327d42e27e34be1411

SHA1
60c9ba6d42e099b998ed65aea56ecf9b4465d835

SHA256
feea723b2ec77ce6172ba2c7e35c05eee1ca39afae832215cca7f4f1043134a1

SHA512
8e750c184edc0032eca32b67642f2c85eb90b864e409c1622ff572816ee14e57776c09ca8d930cccd1219789cd86a30d36eafe3fb6927ff686e7ba86029b346f

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
558KB

MD5
63a309e002cbdcc1673134c69be1d9c8

SHA1
dac06091753a8e45d46d489b4009a42ecbf1370b

SHA256
f594f8a4782cace6882cdcf9ec3ccbe48d83deacf988fabd72e73d778bc5d9d7

SHA512
2723df938522edd2bc6807cea3151a08f57f210e11f973383e92464d42ce5fb80f1205ca2871b65036732b4818f508477f5fbbeb0e85af370145d5c97d2b0e7e

Download Submit
memory/684-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/684-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3156-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4664-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4664-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4664-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4664-44-0x00000000010F0000-0x00000000029A5000-memory.dmp

Filesize
24.7MB

Download
memory/4664-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4664-43-0x0000000050AE0000-0x0000000050B78000-memory.dmp

Filesize
608KB

Download
memory/4664-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4664-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4664-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4664-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4664-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4664-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4664-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download