73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
308s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
19-02-2024 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4784	b2e.exe
3892	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3892	cpuminer-sse2.exe
3892	cpuminer-sse2.exe
3892	cpuminer-sse2.exe
3892	cpuminer-sse2.exe
3892	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1552-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 4784	1552	batexe.exe	73
PID 1552 wrote to memory of 4784	1552	batexe.exe	73
PID 1552 wrote to memory of 4784	1552	batexe.exe	73
PID 4784 wrote to memory of 4672	4784	b2e.exe	74
PID 4784 wrote to memory of 4672	4784	b2e.exe	74
PID 4784 wrote to memory of 4672	4784	b2e.exe	74
PID 4672 wrote to memory of 3892	4672	cmd.exe	77
PID 4672 wrote to memory of 3892	4672	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\2DF1.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2DF1.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2DF1.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\33EC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2DF1.tmp\b2e.exe

Filesize
149KB

MD5
ec473beb674821c43200567f1fdc3f16

SHA1
137db4ed52b3260007950ab8189624a704e52a16

SHA256
3b30768b6e622996bc8fcdae5c2163cd90722918128231aba8548f431f2c0f64

SHA512
7317fb0604b143edaa4776129f1e06eecf6b390ec46448733022eba0b984add3541f8eba3396ae92bbc845f7cac4ca4105af882cdf9d4dc9e5bc8e466ae77469

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DF1.tmp\b2e.exe

Filesize
209KB

MD5
5399c7c5b71a38ebe648ba285c79e9e1

SHA1
045b01a65742ff04a7f42f1818f1d69061848abf

SHA256
61c887f215a6e09c4616112d6fc5e0041d3afc9c494a0525e50eecc4a8e2772d

SHA512
d7df7be3933ae055e82abf3888541ee0786c3af5912c3b56d6510cd8db687041b95fa9cd33703ccf83c9d205f91670e551c29e8356570385a21a0d01e0b7b919

Download Submit
C:\Users\Admin\AppData\Local\Temp\33EC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
876KB

MD5
77666e147c125a20546f8b8c5c37e575

SHA1
0c639ba0e47c5409aaa60f35d193ad4264d9ad3e

SHA256
49f5eecf9d34486f5c072fb96358ed4b0631c5e19ab7ac3db913a4e22c9d7d60

SHA512
e34a6e3eec0f84ff18b32d52f8f609f462b50b537943ed8c02daef383c0eb5bed87510efe719441c2b4f0d6786ef47bb921340df40af1992ab31d91618954db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
529KB

MD5
9202c169e3ad9a317e2df41e979e9f72

SHA1
6065df6870a456ac9ae77883652bb43245f7d5ba

SHA256
74bd75bb1879fb9453359ba6025e04ca1bb8321ef75ae89ca9aff32bb2934dfd

SHA512
cb6190b31aaa8ff2ac94872e0d89a536da3f9af28da27b62fa0a01cc98787373e1d12a57347eb4350330386665afc67f1d838cd2eddb599a1c88a47dd6a8fbcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
519KB

MD5
e2ffd38b291d16461844a0aeb972f893

SHA1
c9fe0b18a04664f534872cc34b7a2e22f1ec6869

SHA256
dba5c20eae03f23c3640ef6e49a5dc5bfa2915b3cbceafe1d97694a13609fdc4

SHA512
3f5666e4e509ecb40837f11a094067e6d13d787fab18d622902a346ca16af4194a4b88cd1efeeaa3f88e4de596fc06671777595dc43d1d2885ff5eef8c2fba51

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
916KB

MD5
d3bd68b76cb760c8a23035a559c41c6c

SHA1
b73e01b1ce8c02a5d00db2bd14392ea577f4c51b

SHA256
49897ece11c732c8fda8984ea7bc7dddb7406bcc5efdf161a1e845eb9606db5e

SHA512
793a81da7e56d5aa8dcb07688b2d4fe5163f14304be26f68a54188b9c734fce076b64bd72ebc46a72eb22b4fa29c7080c50ca4d07b7416510ea6584d51b2ba1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
437KB

MD5
51a40727b1a15c6870fbbdaaa83bdc0c

SHA1
2cd8c7586515e508b6db450ca78f849206e9fba9

SHA256
e8bc73f713eb0b1fdd6ae5e5f7a4db6db0bce52cd1b67608fbe598c0ec30e02c

SHA512
07b4473687fc32fb5975fd69cef6be323a3d2e01949e9ed0fc8fc2c9b7bdb2d953b76f21551421a0814f823510e691e1bca56e6b2db435644ea3e6fe6f0b9f63

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
287KB

MD5
3cde7bbd528138f05fbe4a34139eacd0

SHA1
aeaf1f91dccf3c5cb882f741801a5fe7ee63d36d

SHA256
4b65008257b3d0a46200bfc635764df11189f9fc5354b8ffffc5b14eeff6c258

SHA512
c4128baf458c2d2fb3ec0763f875021523647a412896ac03e084e8f69638a7794a2d2d7f1ce2165eff7adae6157d9e610667cf316342840b43eff1d504b9e17d

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
649KB

MD5
f0df9c74394ed4aece31db64bf90f6ee

SHA1
3507e178294efd56e59e638a244ead5337f03b51

SHA256
ae145ecc9cf15ed7965c64a6a9e615d1f250028875200541e053dc734fe8db6e

SHA512
6ab53c89cd66f04b36849d1c6b2a4d0621a5961d336cfa25188290547fb84e568f6f41d1ff1385602214baf65302e0c5c4ae0fc2059c7e2ccb9757ecd7f16bd6

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
516KB

MD5
191c5fe69b1c7bdcd8a99d299b101675

SHA1
5e7fd844c2ffd0e7cff7a86b8f6f77b90037d0b8

SHA256
ed761afcf953ce3cf2e89be895b14f346ff898b48aca09abdc91516bb626a17f

SHA512
b91b5a433725e182b76ed20c0845a6a56865666651d883593cfe364bcb9c1bff54021e35f522ff96873159fd0cc3b5ba357579e7c743aa4a322e01dfa9cc945b

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
600KB

MD5
33d56573bdf37167ad027cc83cda7cda

SHA1
128b7e557bcfcd314f70657b93775de9a85a9caa

SHA256
e9b92d5ad35b8623d754499e864c4a4cfcc3f647c1e6b1bf12f89a9ca24d20d7

SHA512
cd6593647d2ecc2824b877f1a0e654756f31bb9e80fdd8ee54606234c9ad520a9bf04d41e799130552770614462a38eb84164f3f912b90d23b5452ebdaa3aa2a

Download Submit
memory/1552-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3892-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3892-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3892-42-0x000000005D8A0000-0x000000005D938000-memory.dmp

Filesize
608KB

Download
memory/3892-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3892-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3892-44-0x0000000000D40000-0x00000000025F5000-memory.dmp

Filesize
24.7MB

Download
memory/3892-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3892-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3892-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3892-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3892-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3892-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3892-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3892-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4784-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4784-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download