73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
295s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
18-02-2024 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
924	b2e.exe
3768	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3768	cpuminer-sse2.exe
3768	cpuminer-sse2.exe
3768	cpuminer-sse2.exe
3768	cpuminer-sse2.exe
3768	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4728-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 924	4728	batexe.exe	75
PID 4728 wrote to memory of 924	4728	batexe.exe	75
PID 4728 wrote to memory of 924	4728	batexe.exe	75
PID 924 wrote to memory of 3512	924	b2e.exe	76
PID 924 wrote to memory of 3512	924	b2e.exe	76
PID 924 wrote to memory of 3512	924	b2e.exe	76
PID 3512 wrote to memory of 3768	3512	cmd.exe	79
PID 3512 wrote to memory of 3768	3512	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Users\Admin\AppData\Local\Temp\A1DD.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A1DD.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A1DD.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A3A2.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A1DD.tmp\b2e.exe

Filesize
3.6MB

MD5
a202c43df284047b4026052f2015b382

SHA1
531129cc3cff7410080574b0fd1f8404c8c343d6

SHA256
22e0189ee48633fcbb780d8ce081c027adcfd289ce6b90e0dddf506b78a59a66

SHA512
03192f196ccd2100255c1fad56bd14019876f87509f7215f1af469e93a9e4a8686d7bd18a1273d46e05711d1017a87948b4299a6d4597fa66001b29ee310cea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1DD.tmp\b2e.exe

Filesize
3.9MB

MD5
9a99034eda6fbfd94ee3fc215c0d3c50

SHA1
82b8652ab4e665d4a4120a912421d9e68e973970

SHA256
382dfd4d162551b0228027f4c317bd957a4d50889b27b583f42dc60be3c71098

SHA512
ec15784c8048aa377461a4743dd056aded45d125c5309823d726a7eebb7ba66ef6c0295ec98bf3d613641c89b920037f7c0a25ccd44769c126db1b62743d45a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3A2.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
547KB

MD5
29d628b13837dbbffe9a60db96520c62

SHA1
49fe23fc8e22c77d1b814cf16246570301dfae62

SHA256
1617df2f2cb11ebcfe1fd448ba97262d7b85a1c0f932475277c313ea97622d7b

SHA512
21e9439751bc11194f5cb0711bb9d68e81e6bdcee49f7f5e4d0498d3c97f925b579a2e188b7886b3dedf24b2714dff9a6c707a49bb4470657c18c6d91cfd3407

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
259KB

MD5
284b2a0c3b9482a1c976afd45510dfef

SHA1
247496821143a28149dd36f97428d9e5d1ce8bb7

SHA256
92ab09944d67bf94a9ea5eb6366e1a97ee38efa358870f59be9e5f5374c336ed

SHA512
59037cd3a0e93ecbf323baaecb2036b5756d63217939308e205bd57b38febeed5342be9dc3727caab04b5b7c7ab5c7c6ac344dcc0d00ad2e42c5fa765380ec9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
5.1MB

MD5
1afc5688adc0f2b18ebb86133479f0d9

SHA1
ff675a9e763aa4accb1f3b76cbce56648352d691

SHA256
e3430a208561cd258e8fff79b2257c0ca124196cf84399f4cc7791f55dbbc254

SHA512
d1ad356c161bc73bc8f30ea0b4f129bc649d279dbda5f5740095f30fdccb71b1e14c47dbcc18caae8ea39e5eb736bf7ec73af72a92d9632f688547f2907eca53

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
70KB

MD5
3e909a12d6e8382fe9a00d65f0684bb9

SHA1
8261dd8b547d8ecf61a5852262d0d78883385553

SHA256
97170697e4cb5cf04fbaf11a12cfd33467411e5b5ccff1f296409fd0d1e7d1cd

SHA512
a6e918ee2a169d6bb6aec653dd1e5efa44e8b0c990a0e39d94c90e29e41a8f380fbc722384d2da29b03932ef89ea5591834cd85aa5ea7f963b3700cd0fd95256

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
576KB

MD5
bfba8ef054be5bee0da072ed080beac4

SHA1
090e6e60a6f0f1e351978e91b99e8dce8e63413f

SHA256
81f3865864af4f5ae909e3cb60ec0e0fd028e37909315b0e3de8663a34391be4

SHA512
85a8d0b74341c10b3563209566415727a1d1503433908c26c3e861592c397a66afe3cc25bcb31119ec64e15fa078db361bc308474de1ec3f1a8c367d37c622b6

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
256KB

MD5
f8edb8dd2fb15f1887ace09587589dd4

SHA1
cbf7cbfefc0215d9500a98d9064deb9e86787152

SHA256
0465270288d69a0ec9beb7114707bed76756c14148293237d0d35423abdfc67b

SHA512
aa993112953225280c0bedb1ebd8288298b9c22a6a884a952ba60e48cbd21c4ce60724b7adc961a0528d7c569596e3420fec2670fc47c3eb6c00c691e0378abc

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
186KB

MD5
1c521f2c334f7a72a5c29d6a524da6aa

SHA1
e6c75f0b728d993ad6fb75baabe3a01431a85351

SHA256
37c02fd0a64996574ddd55f5c6e252272686000bb0828a4051a61ff91cb444b3

SHA512
f7e5a57c946f6a88e388c6075e15bc0b68029150e23565a2d67d67144716fdd4742bec9c0524dc0244afdd4f7c3116bad96c10ca544b6de3a74a95c9f1f41b40

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
943KB

MD5
5c93fe53bf1ffe3d449f702a6c5ce817

SHA1
a3e9102723175da4ebaf566a39380bdafddd0ba9

SHA256
4fd7403427e51c0a4e9dfdedc6ba1006f1b3053311c161c73fc222709d75fa90

SHA512
fe061d4101c7d24976e3294a0066610dcfddb5a1ee00f70c3e447bcb1eb48f2ba279702a9ab2cf07ea16b367d782cd46221762edc88a4816cf33b617d9d3643c

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
256KB

MD5
eca0c37eee65c31b869788d5d0bf00cd

SHA1
33a5c0cd2f0a7296a5c0169699ed8e065b57e5e8

SHA256
1d2b7bd4ddd99d627d5111252baadf028dc9910cf414892867502e5951de962e

SHA512
5f302da7772fca0a6d03ffd8732850f526acf5fcc33e189d2d906a33101454d970d5cca2f829a006d15c4a857341d72c7876cb2e7af84ada4f158695aba5a4dc

Download Submit
memory/924-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/924-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3768-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3768-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3768-44-0x00000000010E0000-0x0000000002995000-memory.dmp

Filesize
24.7MB

Download
memory/3768-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-43-0x000000006DB00000-0x000000006DB98000-memory.dmp

Filesize
608KB

Download
memory/3768-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4728-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download