73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
299s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
23/02/2024, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
668	b2e.exe
4768	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4768	cpuminer-sse2.exe
4768	cpuminer-sse2.exe
4768	cpuminer-sse2.exe
4768	cpuminer-sse2.exe
4768	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1928-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 668	1928	batexe.exe	73
PID 1928 wrote to memory of 668	1928	batexe.exe	73
PID 1928 wrote to memory of 668	1928	batexe.exe	73
PID 668 wrote to memory of 3908	668	b2e.exe	74
PID 668 wrote to memory of 3908	668	b2e.exe	74
PID 668 wrote to memory of 3908	668	b2e.exe	74
PID 3908 wrote to memory of 4768	3908	cmd.exe	77
PID 3908 wrote to memory of 4768	3908	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\ABB1.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\ABB1.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\ABB1.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B054.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3908
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ABB1.tmp\b2e.exe

Filesize
256KB

MD5
18c91665349cf71648d4af5d21843ea9

SHA1
6be582f8587a42e96d73bf174cb6d6345761c192

SHA256
979d6a944f61f2cde2dea724ce5e0297005602c15fbbbcb917540ec1b1f3f937

SHA512
544d110b9bde470b9411a91f9195bf5e6914c1e5c59ec4485be08acaecd0e519d1c932181cf5a76d5241dedc362beb56f2fb407d808d554e43d408b34a621d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABB1.tmp\b2e.exe

Filesize
2.5MB

MD5
747f1299fb92037a6066fbc3101461ce

SHA1
070000b98589051b4ae9122190e28d04153944b1

SHA256
2088dd6c07fb3c9f7d4ff4617af9c280ca3ac0bd33bef866ac55396041cf281a

SHA512
1a5c8566ba0954183b108279c6ee05a5d8699fc60d9a662aca1d0829238512fa50bc81dc81a4cc8c14f4bfcd2d40fcc8937a3d5d8a8b727522b59e5d40c1549e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B054.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
472KB

MD5
29cd10444ab7e33a0a561c8042d2e12a

SHA1
2da6fce42dcc30872d78c15b8a5b106c9056e2e4

SHA256
a477b6276c92e90848fea958191e65bca5a95d144ad6033088c73fea293fac39

SHA512
156cf0b62d836711d715d1c4d8b15108694cc666b365d21431f0fd7ea6cfd9865ea1ce4f74c1bfd3e321200c295b976d023e8376e01462e344ba2caf30a7a4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
370KB

MD5
b8494a45045ad9489d152cd7dc61a4b1

SHA1
a790af2f9b6c93a91f689c0065515fccd0c2ea0f

SHA256
f01e05c57a6b92d3815bce8d735e36a46dc16b582ba3b4abb52de12651771707

SHA512
79b0741adbbc5acd27e72f542a9e6d2ae79ed2da8ce19a9e586a08bddcc3dcf065ac2b3653e0460d5611ab93129629dd1005c1074fecb129473c909309200545

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
455KB

MD5
799c2a1662e4030c6cfa0357c4b93d7c

SHA1
af8d6d4928b5cfc828d1c8bfcb318100a204ff47

SHA256
198a53e7cb41f03f9757a2472821fc24ee711f272ea20f0ae615898ba5ca0c51

SHA512
3dd99896e7e7b2ed2e31bf3f985a355b680f17585444df3df271adfa3e0c33179e85a5b7ef9c03b1940ea5bd1831f2980f2dd0feabc910e95377313a47774013

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
467KB

MD5
7f84afb143700a2c5ee1136400e72842

SHA1
c9327b0ff581e71f12d4863277b331ce34e71cb9

SHA256
fbff100156fad26e36a815decb3779aa9250d757127f343aad78866e31176679

SHA512
69e049a963c6f7d9b56b38a19e153e080ed54cb5cce230ca64e377a66b8baf426beeedc4a85b0fc94cd7d0cfb9dadc160006b9efa214cdea412191ae24251add

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
295KB

MD5
fca37d530f3e9a816391a99b82bcddb7

SHA1
231666f1c3a4bcd9a6887ffb0e28f4551aff6e96

SHA256
1046383142495ba6ebc9103806651535cce608334b2dcad82c352531376a3898

SHA512
51ae15a64c8e96b0a6f224cce17089e389c25cd7f5f0619ef2a1ee59dfb0b1df56a5a89443e14dd3d33e36782600e0444cd2f1d34479fb79fd431450c446651d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
440KB

MD5
46d9028b54257f266ed5a38a4cfc94a1

SHA1
87a3c924d3267568bbf80862b8d35e2503b6c910

SHA256
4a70f9c7a252e558a64b5870f3181d516fbefd87fe64250f2783b2e4ac2fece2

SHA512
efe420d9637cca2e9cafad551c3901f1556024f3c52d3f62985eef996f2b2756e96a90f72722d8ca1d69adc1fc22d006d55f199ed4be95c1309b6d326687ca5d

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
450KB

MD5
6d703d170a1cdf913c925d2012ba29fb

SHA1
645714af10719a09aef3812e6d59b415f47f17f0

SHA256
274bf7c6319e29942fdc7ff0e1a0ddf5513244dd6a29348b7d4d3d07d2526684

SHA512
e1d45b2a97bfef8060e00b1c30d192d22106d9d0c373baf00bc9384c849498d7fcb747f826108724af5800c0507e1ea485591879ac6ffe3d60b7fbd48b03a67b

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
338KB

MD5
b4ef87a7661758749dfefeb833e67b73

SHA1
b2ed91e3f7bb9761906008fab113a6e09103da0e

SHA256
22ece8d68eae76ec7e63762ebc29ff3a86cbfba7d57cb36a5e99b8b036d1b494

SHA512
7460557ca2df7e7c760048af70119959d3d45bf90aa3474e981c34c19d87c72f34a2d2ea2aa0c6ebf486f5bf2df0ca7756e92bb67b57fb1f8d4b359d1a0639ae

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
280KB

MD5
4f3b78ab622ed89eb401da2ecc065edd

SHA1
5e4b2e46de3e1460c12cf0094ef30b366efb038d

SHA256
7ffd02f1254c7523de77cfc60e22f8ee56660fe740e98f190052521c482e87b0

SHA512
173b14931a6938989fe47c1143e5d7440ea5e0ee6852a737972c55a2c848ed466d8fb7cdbba5a2bfb3cf1e6ef429bc8f1e2bb90c302399a2e47e52c93e70e360

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
323KB

MD5
8c276901af272b2becee31456278ce2b

SHA1
1b49fef63b1423bc89172a23a4f2bd70f241c10c

SHA256
339b4afa78201b0ecf423a835102125ff2a750311c42df916958af01304c4972

SHA512
1d8460cb9f3f65dfe472b9c6e74d56eba5da811103692618298c3d4b5cf9824fe9809d9649c20aeffa4cb86c09f507a223346e8a5d99681560f50ea33e31a7dd

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
273KB

MD5
3c3e8a3637abde82c3747151033a7776

SHA1
54c19d7feef34b00e1940f31c0eeb4a233d69ba6

SHA256
dcc2dbd2a1f3a975f275dddfcedb5fe30ac514d238e17dc3e819cc15ebee2193

SHA512
52f345a61c92e9ea010a381da3fce96785183785b8d1825ef9be610fb61ff743a60915b7b6e3a1a2896eb157ddcd4718e94d9fa56a49de7e6e5e8b2f84970acc

Download Submit
memory/668-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/668-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1928-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4768-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4768-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4768-43-0x0000000071E00000-0x0000000071E98000-memory.dmp

Filesize
608KB

Download
memory/4768-44-0x0000000001030000-0x00000000028E5000-memory.dmp

Filesize
24.7MB

Download
memory/4768-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4768-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4768-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4768-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4768-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4768-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4768-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4768-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4768-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4768-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4768-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download