73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
307s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
23/02/2024, 16:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1012	b2e.exe
1492	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1492	cpuminer-sse2.exe
1492	cpuminer-sse2.exe
1492	cpuminer-sse2.exe
1492	cpuminer-sse2.exe
1492	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/956-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 1012	956	batexe.exe	73
PID 956 wrote to memory of 1012	956	batexe.exe	73
PID 956 wrote to memory of 1012	956	batexe.exe	73
PID 1012 wrote to memory of 3636	1012	b2e.exe	74
PID 1012 wrote to memory of 3636	1012	b2e.exe	74
PID 1012 wrote to memory of 3636	1012	b2e.exe	74
PID 3636 wrote to memory of 1492	3636	cmd.exe	77
PID 3636 wrote to memory of 1492	3636	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\318.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\318.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\318.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9A0.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\318.tmp\b2e.exe

Filesize
3.5MB

MD5
eaf5e67e369e58baee4a43c61c802733

SHA1
00f9c79ba1a2bb31c78ed6b0190feabb622f71f7

SHA256
0b372d7c117ab199c5e94954e98f3ea8fee8c7d6b7b99470a92b146e3a4f730d

SHA512
78236da93dddfc5956d1bdadf1ae11bcbc250e853d6555b6959663c91ddadae7554daa91d98c697e5cc799826fea4440327adcda9f4316ce4508c1a2aef19ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\318.tmp\b2e.exe

Filesize
3.5MB

MD5
5c6d3cce7482e6587eebe0d09be8fd27

SHA1
64a1f08ff96681f034f596cedd42fce1d1bb9899

SHA256
b463f21b5dbb2a6526448b911a4c428b46bcbb484b91aecedb977ec11200e52e

SHA512
f1f30b9178fcb21d85b586f475f88af2ce3c9dd9d7938a98d895e915ee8a13682fc937ad1bcaa41030c04b2ed5f5ba67a586ec012edb2e386525c8286f11306d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A0.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
328KB

MD5
3ec6cc5d067fcf3bb0543143cda260aa

SHA1
d58d7c665dae2bb16ecf3b5e1cbbc112dbe9d2ae

SHA256
15f2d25798f0f141a3a98ca2b81caeb1d55652ca03a834fc957dde19f40204c1

SHA512
cf416c89de1f7e7471a0b888dd9761cbeffd060f07374f1e8f9a9696c9053be371f7fd5393b6b0a9fed50d25f709e61d2360ba6a0d71ffae0b0b0d610c390e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
362KB

MD5
ec076ee2872a2dc1408f9061888b502a

SHA1
3dd3e9ce7a6349506c18a8bb24b517bd50822bb3

SHA256
782316b86be72a2f3ef43b734c2e5ab243b935bc3bd42cf2704f208558fa181b

SHA512
b98b6278862bc66c010410b33d8876c9bbac6c7b6deeb27748fd98c8fa7eb2c2c6c0d703176e6786886ac91a3fe1bee1c4cf064f12ae514d0b382124785b1383

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
212KB

MD5
9c4fa37390d28cb81bc2238cd1dcfd37

SHA1
3b4ddf6360bacf133a99544b2332a065b344dcab

SHA256
687dafa63c5bfb22c2db97a27199d4dac75af1a28443c39f4ceee19f219603cb

SHA512
ac9c2a41806215e80eefea474de389edc61214ec7fd56004d28cbcca8a26587e43c842851edb9e437a12b39103d96d2bfa836640b09c1d716dddde8cc373e629

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
279KB

MD5
442832f01325432fb43224cd5707cce7

SHA1
b35eea0ec32f2db5d08255b6dbca8e1f6a4f55b5

SHA256
23cf288c7de4bd6da02d0b83551fd0ea8eed45f2a2cfcb457e7d3e2169a469af

SHA512
3bb4367ac2416171a883c96d5592fad0429fd3837ea40ca18279b8a64c312db4c245bde97b253bcb93515ce1249ec7effec0ca8112a7c9602562ccb48042059d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
272KB

MD5
a7ac0af9208e6917d9cb23de4aded89f

SHA1
89acd3e78d821212e51170c23e2b00c3ee97aa68

SHA256
5914e5ef678efb97f3a93d685b043a0fe2394acd722cb476fb731db957c53f6c

SHA512
11634fe0fba4eb93733b73e21ebec534931a5c29ddc6384dc158423b1af20b6e80beee1621924e88eb2d01d6885d06793d939b760520afb672dd2bf17ca6d946

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
216KB

MD5
fec1cce5b938c69a7b60bf153bc6e0ae

SHA1
75ff35e0ef06f864f03257f1f71469a0b2de7f97

SHA256
5681c2693f146063b0c1093c944b39f08995184d19f73823ed89eec1ccf18962

SHA512
f9288e940063a18140e9c1758f157d6ea6ec68b35c2e58c68fe59e8edd08a0e879c687ae56b42db87e2da6031902705c7c82af949a8d9fbdbba7cdb514ff8e18

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
153KB

MD5
6398a372aaa286da9f8259f42937661e

SHA1
2ea8d2f6112c1c2b9df1c0b65c275510be68424a

SHA256
3d40df6e6c116dffa53a3a5acebf877208e68aec5a2b8569576d1e4536c25d36

SHA512
7820d832380e5a148d530f843920c87638c2dfb1a2c4053984b2862bc9f519f66c95b58f0e850051ae2e53ed1eb1a5472cd3bb5224c216190c425c049df1d654

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
309KB

MD5
60fba6658511ecb222bc5a9c479b3f32

SHA1
ee4b91ec812c2a0475e6805fc2c1708b5528801f

SHA256
6bc94f4fe5e8f5c4237dced4e6f71596c77c9ad8c861661582c1e2f8fb9d791b

SHA512
a7549de03fa76082a13673a415d7f576fc59fac3ec71e3eb010af4ffacbaba258839d7acc9c870c19c4d0bb234c30b3a14114d92d8cb1a28ad5a90b2749af45a

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
137KB

MD5
9ead572f4491b265627b672247490fef

SHA1
b8e3b9b853dbdf26d15b97b834643eb243440563

SHA256
0eab5c980b79727bf24a2c8879fc09a7ea408be83f0944229dfc3337179490c5

SHA512
21c36c87150ea46d9d3c9035347e126062a43afc7f7e221651587deedffc1f36351b530a8a22651663daa10f4e67282fcfe15d8b655e8a20e141ffb516436efb

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
198KB

MD5
ebc8dcdfcc28cc413cbefa7600d59250

SHA1
7c344aa74691469a7748bb75cfd09a4ced4a2b4b

SHA256
b200e2d7abb1388c80cae0c972ef0b33419a3bc696004b7707ff51ec2058feaf

SHA512
c2d753c9133f5d4300e4ba59b06cd7ad09c8f0638fb72ea0515ca732cde39d4d82465d12f3bc0180331dc173acee57827f0a3a77e6da8f137629b0bc44d16ed6

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
219KB

MD5
7e7f6a9cfd66537fedd730cfeb91cc42

SHA1
de0efa0fdc01a2881ea671d46053acb7c0f60a63

SHA256
7d31bbd5066fa8c3d9bca298aa47ccfbec9ff5939c6782ab62bc72bea112cf98

SHA512
00c9bcf1f5d57a1398482da8be5c42b1808dab81dbe7d743f3b657e007a920bb147c6416455c48a008ffac26b9f79f72762c2fd1e028a2201bb88f6b89136dab

Download Submit
memory/956-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1012-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1012-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1492-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1492-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1492-43-0x00000000660A0000-0x0000000066138000-memory.dmp

Filesize
608KB

Download
memory/1492-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/1492-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1492-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1492-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1492-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1492-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1492-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1492-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1492-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1492-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1492-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download