73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18/02/2024, 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3324	b2e.exe
4952	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4952	cpuminer-sse2.exe
4952	cpuminer-sse2.exe
4952	cpuminer-sse2.exe
4952	cpuminer-sse2.exe
4952	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5104-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 3324	5104	batexe.exe	75
PID 5104 wrote to memory of 3324	5104	batexe.exe	75
PID 5104 wrote to memory of 3324	5104	batexe.exe	75
PID 3324 wrote to memory of 2288	3324	b2e.exe	76
PID 3324 wrote to memory of 2288	3324	b2e.exe	76
PID 3324 wrote to memory of 2288	3324	b2e.exe	76
PID 2288 wrote to memory of 4952	2288	cmd.exe	79
PID 2288 wrote to memory of 4952	2288	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\9376.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9376.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9376.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\953B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9376.tmp\b2e.exe

Filesize
4.0MB

MD5
1a45685b66822143777bea60234f5b0a

SHA1
c0b7a7f35d5b8d9761a7669543e4bb91a363e1b3

SHA256
13288217458921cd9a27769e09813f68e30473c5ec6b5676abeb2e1a782cfff8

SHA512
82db6301dde8fd08cb45ad1ba6660e9ad91504b038406b1be948dac768179a345bb6d57ea518dddc4d4a1949326ad2ab63134bfe6d64b356be0a72b51ae52fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9376.tmp\b2e.exe

Filesize
3.3MB

MD5
b9f31e486bcfa9cfd83b0543692e9d62

SHA1
903425976ce5a564ad97f940c861b8306dc48f0b

SHA256
d69046dcf974b5a38d5b88dfc639ece30575e71b923f7d0b3b7570ff8c344314

SHA512
e93359542bdb9b055e25929a23ea2d4f5640d9453e001af4f74cb06abe9270e37fe949a1c9731a267b637d4c7cccbdd60c2f1c0a7b0555efaa5ec5acf5c12db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\953B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.4MB

MD5
a584c92690ddc01b962a241180ba0a33

SHA1
eb7cd3e0ca01605451979f8be7591a7d33c0f469

SHA256
6e0e1bc78673701db2e0a4a0cf8f526360a6b20e45c05d2de0956a84b43d778c

SHA512
ceb0ebf217d7d67451fa60130c04dce51ddf7df9f4148a99a6156c6bb76e585a37edea4490ec412aec1d663912908f9122cb277490647f84edf2759d6f795d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
81aeac5ddaa5017f8d44eeaef137b075

SHA1
b64c177dd04ac289a0fd5d3e2d2579d88d9d22e4

SHA256
89a5db98e8bda35d465cf730f76cd5db49663e9c6ad210545b28bb935d008807

SHA512
11235e5648643838763acc3d048cadfe87668ef70fbba6dbb1190ff417ac957cf9c8664d92cff8a94551c91a049d96482425bff7413ba905e6178cd1695e02c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.3MB

MD5
73172e051f3ee9810b878afbdf30952d

SHA1
4940bcc4906b5c0bf081bb9e209cc568eb41f153

SHA256
0cbf75dc8021a304539dca8a1498bc6c794bdb0f3780dc86f7103d1d5db17768

SHA512
2d9b7be1afbe8ea574078fed3b86beb83b0d9e153300e519184e131c565285be7fa398614d883819bb20a232f54095c39a78fa6a855d68332a67ffcc3fc85c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.0MB

MD5
d84488611adca34b5771fa8204a98345

SHA1
6751870791ef824df4b95660c819d6e028f801fa

SHA256
cb4429ffae9cc791dfed1119a1441476c34cd45e0b6a0522f69986c8fffd869f

SHA512
5c23e8136f1d1d885f84b8ccddbc40f448cfafe23f30cad2c45c0b5a709bad1c15c16c60e60b46834bb3d6456eadb893c194688d4e8303ba85038853a2833c8b

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
4fb3509fa15f7ce3fdf8999e23f5eaa2

SHA1
a7009e94bbc84fe823b9659ba66f0c1debfb864f

SHA256
b3de4290f9d5ba19b90f8f86eef7fc224583cab31a1bc618fd44adcc62bd815e

SHA512
7a5d8e2a8a947e8ec3408c7d5afbca3ed407a17ad90d08643d7f787114be3070b7a31b34327baa1d04296161bd2d296727e98e81197d75598da6f648c5aa7a27

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
a7c542b55dfc2ca3e0b710d2de017cf3

SHA1
806b073371871a8649a8283f277cce0fd8922cae

SHA256
622bcabbceea42691f07f2477ebad3c60aa81c61e06c137f95ed93eeff56f447

SHA512
48513ac97d2fb158b3a250711849702cb7dcc4f141c7f9d71105068fb615173b553f35afa5bd053768e7803f82a3437fdfef55aaad49116334d5c831f7890d63

Download Submit
memory/3324-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3324-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4952-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4952-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4952-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4952-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4952-44-0x0000000001020000-0x00000000028D5000-memory.dmp

Filesize
24.7MB

Download
memory/4952-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4952-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4952-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4952-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4952-43-0x0000000054820000-0x00000000548B8000-memory.dmp

Filesize
608KB

Download
memory/4952-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4952-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4952-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4952-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4952-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4952-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5104-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download