73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
20/02/2024, 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
684	b2e.exe
4664	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4664	cpuminer-sse2.exe
4664	cpuminer-sse2.exe
4664	cpuminer-sse2.exe
4664	cpuminer-sse2.exe
4664	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3156-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 684	3156	batexe.exe	74
PID 3156 wrote to memory of 684	3156	batexe.exe	74
PID 3156 wrote to memory of 684	3156	batexe.exe	74
PID 684 wrote to memory of 2432	684	b2e.exe	75
PID 684 wrote to memory of 2432	684	b2e.exe	75
PID 684 wrote to memory of 2432	684	b2e.exe	75
PID 2432 wrote to memory of 4664	2432	cmd.exe	78
PID 2432 wrote to memory of 4664	2432	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Users\Admin\AppData\Local\Temp\20E1.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\20E1.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\20E1.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\25A4.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\20E1.tmp\b2e.exe

Filesize
1.9MB

MD5
2485de59d953a11ab833d7dcd44a728d

SHA1
5114b4a01a6142b43ba5bbb8be0e14fc35b50298

SHA256
6f5270c858b67722c1a82368aca08cbb995608a53ba5f33233ae404cb0dc47a5

SHA512
9b603e1217f3b51c62b930f094c81bb7a8883ef1cf03a9c2ac50d7fded82a576524e2b3191d7ce57a1c10f53915fa72e503dccd1af0b5b491c78ef700d287be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\20E1.tmp\b2e.exe

Filesize
1.9MB

MD5
0257dc4b50993fe834144f933f2b4890

SHA1
07b64612aafaba52e29fb458e1fa6ddd961645ed

SHA256
953d6969e100c5f4a751c7df33a353d92fb018a7696b245516b69ff01bf63177

SHA512
083396bddae4ce4d5d39c1aa4695f1698034fa99c4d3412af1e39ea54adb4c767c5236bd68d16ad456ffc8f20a54142afa764f41512a630b38b4909f2b5ecda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\25A4.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
741KB

MD5
c0145e27f41844e9d970eef280013213

SHA1
456f846b8a7c47d3c1668eddf2de8c3674f0f38e

SHA256
ee812ba8e8b9eb293268b5e1f79a22fd2b0a730bfce2fd2858572c8a07637fe0

SHA512
a7d5fb547c07f7669abceddeaa5f30f12feff66499862bbc1ba9cd95fe935d3e7e006eae1c57c0a8406f4534291307c127d56dd4f16d70b3043fed02128f4df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
522KB

MD5
439f892f4748f3a42b628c22131f7411

SHA1
f6db4c58eef01c4be3aea2d1719902c004de757f

SHA256
ffe686b3dcf63281199ac11ea2f04eb44a1f42b365fb9bbe5b9c66b821bb981f

SHA512
234c023aff0b42fd9316a1cc3c8945ae8ae4e9cacf54af8e2fd9031b2c95063de7aaa131febe1ce83ed99c6730cbacd5a861eddd817ef72088417b1f353c8b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
769KB

MD5
7c0fdd47119f65421dc93b929aeaabb2

SHA1
8de579a3b131256b0fd566e0c271ec9ce57b21ea

SHA256
32de32f438622f2307b9d6eb1a7e1c48fa0ae3510da27b4c83d4b5428754edba

SHA512
b7500e52d59da8af9d0aa1baf6fbff1dad95f64f6a0ff778d3d2a959b7aa651cb515fb9e0bb424291915314cfaf01f58e086ab02ea9d27a90db1da63d0ab1bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
770KB

MD5
7b38dab3e6a55af5aa8b01e4f06d7fcc

SHA1
1dbd22089b23ee108ab87296624a5b9acd791e9c

SHA256
bac5763bacdcb1b8870b6ce8b8ab122a9da259ddecd01b68212fe401075f29b0

SHA512
6151165caece59ef46c295a3de007dd583c5b1cc916ebf12bcd0677d1599036c2cd1c0ea353704552f6ee6d51386362804ecc11a44ed2fd492519531a83d73a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
960KB

MD5
f3707fd5b389e53285dfb3815a4785b8

SHA1
788b2ac7be4acb28e804021893e11cdd44ee0784

SHA256
f7ef0e3e60989fac5636e6e5a018b730b403b75889125b56c4d07d6279e94c94

SHA512
f11d8577758db08f597987f525b4fc4c8c3f5181255f89281300968dc90fe4b298c322e3f531f768cd5014d116bb7161365c9d3fbaa76ab835405d8a1e231f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
395KB

MD5
1800e66d52f4b191255b16e596b27639

SHA1
fcfddecd7d49c66dcfd2342d4e5072ff601480fa

SHA256
a95a63f41b368c8e58c8f4a4c395fc075989f78cf669d4393948aeb5fbd932d9

SHA512
e675381b004edff7c4b4951186f7e8186791d58f60e21e94d762bda79768ac1a2f4ef2d6d36e4592a4e8306ab5e444a30316e78cff6f566a2d1648ed6e215033

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
758KB

MD5
965db4801e4fe9b6de24aac253fd969c

SHA1
1819d7ce7cac91cf6bb3e782afe14250f1cf7dc2

SHA256
34f2c95e224d6cfa3f18d2cfe287718c10392f1003777545a3d29688561fb12f

SHA512
dfdf9c1a32864947ff7701b69ffc7818c4c0008b3a6272de3c440da0504382cd2bd673b38992ac8a2433d849be6c1d1c0796f2e4bec7744dea6c08779b461a88

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
574KB

MD5
2bdd59174eed8651399864101b4557fc

SHA1
b0beb0d96668ae1e588a6b640a1c001235a74d27

SHA256
49b4e5cc86a36c47f1068892c5586e9b83c7200c2212a01704eca175001567aa

SHA512
b3895c10e7012d8cf09e71cfa2a714cdf2e25ad2af19d8a05a3a0a808ba5146a5451cfc5a3d1b02b873955f2f2ec166958c7811e11a6c925762b7e1f86a99c32

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
505KB

MD5
48d67c354643a1d7126685b692501f05

SHA1
b65336c79d03edc508772e816b2121ee78112ada

SHA256
a1bc7e4138a82f34d3e4c5deec44d437fc48f2fb55ab850a750b6030ff6bde65

SHA512
df529bf60d5d57e184be67c762bd960fe457f5821a452528f87f36b531bdb1e0578209ddd17fb5723f537bdcd0a2bc365ac73812f601d7931af3c1cb5a658159

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
466KB

MD5
7ed5f936e2413333b174dd48d81b98f9

SHA1
bb23a8ae2766aa9de235ee4f9d8d0875b0a744e2

SHA256
341adbfe53de05f3b32770c7c0037dea762ae701e6de99cd3de7adabf4d9a861

SHA512
82872937b0217e75e24bb80fccc3d025bcd6b8c27437071a059af91acf3f3e0208b0c14f95e0c6131efbbf4ab62d4291aedb98d87eac43477b3d7e3be618b86f

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
514KB

MD5
906d35f2e6c440a4e2c4fb483176a31d

SHA1
dd17db3d19c4972e60d5ffa6350d4ad5a6530ca7

SHA256
466f7acd339704a10f3fd43a020c14b6b427c693dd323f9e773205ec5fe4936d

SHA512
eff3dbdca912785c710c2f40dc3a80136370a646f8d6cb1e5857c6d3ac4004f908294a7d18170bbe540bc70117429925556122bc168b5eb831a8e2280abcfe8a

Download Submit
memory/684-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/684-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3156-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4664-44-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/4664-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4664-43-0x0000000050AE0000-0x0000000050B78000-memory.dmp

Filesize
608KB

Download
memory/4664-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4664-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4664-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4664-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4664-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4664-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4664-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4664-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4664-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download