73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
306s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19-02-2024 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4044	b2e.exe
1832	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1832	cpuminer-sse2.exe
1832	cpuminer-sse2.exe
1832	cpuminer-sse2.exe
1832	cpuminer-sse2.exe
1832	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2904-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 4044	2904	batexe.exe	76
PID 2904 wrote to memory of 4044	2904	batexe.exe	76
PID 2904 wrote to memory of 4044	2904	batexe.exe	76
PID 4044 wrote to memory of 4532	4044	b2e.exe	77
PID 4044 wrote to memory of 4532	4044	b2e.exe	77
PID 4044 wrote to memory of 4532	4044	b2e.exe	77
PID 4532 wrote to memory of 1832	4532	cmd.exe	80
PID 4532 wrote to memory of 1832	4532	cmd.exe	80

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\9395.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9395.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9395.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\975E.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9395.tmp\b2e.exe

Filesize
3.2MB

MD5
26f4f69f73ef6c54c5da56559b560363

SHA1
f4ac605a2159e7aa60748c84ff96cacd475f2855

SHA256
b9fb9b7dbd88c7cb7c7adbdc0e6b4181857578774fde98034e514e1489db4a49

SHA512
742a7ea8f1472d1459e252caaaf5aa9610cc23180116138490d568fc0cc672eaf4cfba302abf145b4af582dbd747f028d6f8a406f6b045a0c0b0cdbd93e08ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9395.tmp\b2e.exe

Filesize
4.2MB

MD5
35f1e9efb90bac74f74c41e6ce38272b

SHA1
d91d2f4aad1deffa0954017e050fcdc91f51e38e

SHA256
a74dbdcdc2df9892add4dcf9f1973ae4dad943cb85c325be65a4ca0219c12dd4

SHA512
26fab0dc8ed6bd327c076ab040e078a554cd9e8d91bcda4c4104a4e00a9f44909f5e89dee5fc9f7b477e75105ab606070c543de9aa89c9fe9c09e0b098dbec6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\975E.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
111KB

MD5
4c02c04eb92a3d34dce52a89be8efe40

SHA1
16ef0780722dcb8904d7109ed36348e6da00bf86

SHA256
a875f9e0778c76a6740f5094120dbd8517183a2054c2e0aa6151e9f6b9efba65

SHA512
08bcffdacc21863461b372404e7ad742c80e7cc880b6aef0a7d77528b4ed4ba69549f486c62dd11cfad713fa36be48665be9df7549efbf06f310cfd786d10eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.3MB

MD5
4c04147c386ba8792ac6a03069572a8a

SHA1
dda67789fc1d0f2469ca95f01a5c81034853ca6a

SHA256
c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd

SHA512
a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
41KB

MD5
c072797bb524ab88e99897d71429c609

SHA1
cdf7d31060b162d06a95925ac6fd567e554edfa1

SHA256
14b28c85ae4f811349d15f044173f79b6bb5091e8605d11ecb258e911b3e0741

SHA512
1c57ee4b7c2b62e12a8ef21c709c610fae07c2d88ae195ae186a98f46e049176d61643c23af73a2747ea84fd8f8b0570b3b66d317e7b6795eaf09dcd3a90a867

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
24KB

MD5
6ce091412c4299dba5ebd9c24a295ea1

SHA1
2600afc0e213c6e80d895c36d67800c9e1d21cc8

SHA256
a5221c93f9dc617ea48fba1c97d1e363cfa3a648e259809d567dc4b34e002db6

SHA512
c6512a8912eb8ea3b52a856456be84da569970fdeee9c09887c526b2a8f2e0fc345a57ccd93d9567b37c1389d547a7f3a8add7ee6222c5f76810936e3bc84556

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
33KB

MD5
5d1202a074e1a4637097ce7fe80b264e

SHA1
a1732800b44eb154d75b5f8188f655798e02c248

SHA256
f08f54d61c722ac0d5c4b3181f2cd9ea5b24371f89d8dfbe72767155285823d7

SHA512
32501d35768fe9413cfdabd7e6744571df32d088816c555c8038c8e47b0ebc2dc5b982809712aca3c978c81532842908378dd7320d584cc93d5a35671f00c14b

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
29KB

MD5
80b993ebc9cc7ea7e2541a257a5f250d

SHA1
17b553fac2997ec94b30f0e6d85265384e967b2c

SHA256
709c538c076e1201d8ce9c10bf91d5e9e1ed38b2dd27ba98736a2fbb7478426e

SHA512
3de31e07e6111c3c13c32d3d00304e2a7279710bc03257341746919778acc8ffb0160d223c0130f544c3b8c2cb76ad85caf5b486b9cc715f3f5c9ae225971d74

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.3MB

MD5
134115f22dd5f7d81f77e9bb73def61b

SHA1
92bee5d0cfb6b65572bf5325bef3c63000380803

SHA256
63b290b3cf46d99b8e2f462cc7a4cf5a85de6c48e9e3551b9cf77090f33ec53c

SHA512
a9f010ec1a47629b6f33bd59ee07f50fb5768fdb15b53ba5291f5d64c36adc62a416044ce3cda05b2388f19f4080f3b4e4455c637497e7a8aaa57f6bb1fd5628

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.4MB

MD5
c09abfc915f98130befe35c61ba6b13d

SHA1
607b016a1b2d97c356e4b358803acb8c8f12d0bf

SHA256
67751a639001bf59f3558712a650d9a22fa9876fc9dacaaddcc364bbdfa0e00e

SHA512
7768d5d41c860e8e26e8ad7d8953d080da79ceb1424563c85ee8a005dc865578b2c48edf7525f327d43cad39a7941c596b2e617abb72ed6b97637cde35d97420

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
3KB

MD5
9974e865876256370a90f4bb3d5d75c5

SHA1
32a269fea501ad0d81f5350afd3cfe7f2e2383ac

SHA256
e4433e9a889511b12fd8c53f6b7e6d6138659eacea167f97a0bafe63a686f206

SHA512
3e7efca2e8d88fce6d6290fe2b555b62a94554cebc2c17f6cfa4478c428fd178427e81fbdf62ae3ad2e121d65106f0a9dbc6339b2204bfcb89a120514fdb0a34

Download Submit
memory/1832-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1832-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1832-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1832-43-0x0000000070380000-0x0000000070418000-memory.dmp

Filesize
608KB

Download
memory/1832-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1832-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1832-44-0x0000000001050000-0x0000000002905000-memory.dmp

Filesize
24.7MB

Download
memory/1832-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1832-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1832-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1832-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1832-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1832-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1832-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1832-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2904-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4044-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4044-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download