73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
307s
platform
windows10-1703_x64
resource
win10-20240221-ja
resource tags

arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
24/02/2024, 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4580	b2e.exe
3228	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3228	cpuminer-sse2.exe
3228	cpuminer-sse2.exe
3228	cpuminer-sse2.exe
3228	cpuminer-sse2.exe
3228	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/780-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 4580	780	batexe.exe	74
PID 780 wrote to memory of 4580	780	batexe.exe	74
PID 780 wrote to memory of 4580	780	batexe.exe	74
PID 4580 wrote to memory of 4992	4580	b2e.exe	75
PID 4580 wrote to memory of 4992	4580	b2e.exe	75
PID 4580 wrote to memory of 4992	4580	b2e.exe	75
PID 4992 wrote to memory of 3228	4992	cmd.exe	78
PID 4992 wrote to memory of 3228	4992	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\1E60.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1E60.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1E60.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2798.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1E60.tmp\b2e.exe

Filesize
1.7MB

MD5
fcdaac455c42aaf8163e516f98703cf6

SHA1
092d176fd7e842c45a27f6e4a0b7ff275209be2c

SHA256
72f56718806a09958ae1a2e4507c8948015d7c3f6545b5528bf2480e76b68cfe

SHA512
29c950273433e71766a5f7447b0269b0d86ad690d04a2f9c925f80b43011967ff8266c0740b095742aa4d6cbf9d84288af01ea400cd555ef08c25f50bc78f1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E60.tmp\b2e.exe

Filesize
2.0MB

MD5
1b7e5e6be33890874e88b65acd4df26f

SHA1
147c87ef3b4dc2e38855db13e1419ed3c1c716a3

SHA256
eb8d1f2cc58ad57a04bcda829940ee21e2c3919129c11b0906368fdf85cd497f

SHA512
a1bcae55beff013e83b5d9416f214d7ad13d859bcf52f78a8cfc98e1a79ee76a28f1f2f71e808aba12aadf2bfa27f150afb4e233a5dae33dbc574b67d9c8a2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2798.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
766KB

MD5
8d0b5dc04f584d5e7d220899bf040535

SHA1
f7ab48538af70350eea9ed6c19e69df6be25ffd1

SHA256
21346036cc6c0f87e285d3e4e440d6929ad352be08340c5b8521019d0e89e9dc

SHA512
67879a285cf79d713e181fbafe7cf762030a7260f170a85ec24dfb7120d37d6920055f69f76c182b375c7995144deeca4710e879e8abac58d2ef55f1b4637938

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
894KB

MD5
0c1ee5462c69658bc4eaed0ab8ff0497

SHA1
a71da531d517eef2053feb0f8e6b4966238c1166

SHA256
d5b2e49fe2a88d6b237f75923d32f7ccbd8277a5e5f9bbaeeb8b11763e328d19

SHA512
46c44fbcb787d5efbadaf0cb8f806ef9a7f61881cd3a403289122fce1133bc5bc1ac798f4fc75d42c0c0c634ebd580de8db83cd396a861f75cdb3e509b2e41ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
732KB

MD5
42b8b2850d097fc050f02ecc5873860b

SHA1
bb3701fc078c26538a912c1d1964b94ae83d45ec

SHA256
e6da863fd5352c11f281b9c0b97bc8cbfda8534b5dbc9f50279f426adc62cb4d

SHA512
9c2ca1ff98ed5578a9c3b44c68219b21d9bade41acbd25e1f3942fb33e1d7d146d61131bb15d32859abe6a4d7f08843623f74780eae1da5c633de9d1dfe46df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.0MB

MD5
c16228a16f6eb88cf315c5a4a6b8392b

SHA1
39b4c815274f8b2939c181cf4c7a373b2eac2ba0

SHA256
3d8f1f0be4b86ab845c04c7df81c17d62363d87dc42113fc4aedbce3934f871a

SHA512
f0acfc58fd978a2bd579a079b45fcf9c33f564125e1cef00e1421b7884378ca1d982eed1ea3994ee80399f366568947d8b1a5e7e8690d5a4b878421131f9a52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
794KB

MD5
6e276d96fc87b79edcacf3e06794c353

SHA1
61fceefd8d402a76cff8a36719b5bfb8b8680302

SHA256
9903395852488579bedf39ec120dd3f60077808daaf5924e2902cb1ef8e9641e

SHA512
dbc7bfe6d54305eebc136cb8e455264f6aa50f4bae6411f64e4f9f99cd6b9ecb5536f61e080a38cda339447970e2ed283aa960edca6590d30d20e519badb0f57

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
794KB

MD5
38a9d60da4057467a122ed6dde0bae78

SHA1
32b72dac50ec26272118486bd8add8b05cc0f42f

SHA256
49df52fe6bc83028b2c6a33f5ea667b3395c556a1e7484f08fb4dc48084a5048

SHA512
d7a63b5e945a9929bf299dd13bf16205047f084f76b9ed727917a0e53b1d479bab2950578ac72ca8d28665240a89b5e4bb8c7058ba2f2a4eeff6be3afdf2de9c

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
990KB

MD5
73faa7df93ba2155ae248233098e8f35

SHA1
299671ddc816b53e79fbb702816522bb8e85d336

SHA256
af03f7160f3f3fbcf914cefedb9dc118a652292326d1d907e4c62ed3d15408de

SHA512
9204585159ae73ba177bbf367e191cc77ce033f4052ab0533ed7043a2b15eee287c94191afcd3258842f72acd27d5898c799406a24128a58c02dc0025e80349c

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
86c08c3eee5e42cb69bb837e2c94764b

SHA1
e374d94f321775c3d97d87bdd620fd3b4e3f1b4d

SHA256
c7703c08dd3377643ca68002ed45f73cf42b1b6db59ea8f47f788f28f844ab6f

SHA512
c7859134d07aec57a245183084f02e19b5e80680bea8446d7cac6cf9a27904fb584a0188b76cd20c3c3eb11fad2243ae72bd1e929b3e73e06f47a4d2e4de65e6

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
677KB

MD5
e88b7cae00b8519c07101b0b8ec26784

SHA1
1963dcf95d9117ba0c25975f22390cd79fd39bb1

SHA256
fa0fcd117abbd45abc34d62a67a59a65e47d1a35da66590f1acaff035e9011e8

SHA512
afe756b0d5142f473f157c2d74713d28b23628b3fb94a889b47728ba8d69d1b495389a503489b9ca5a17ff1cab2a1f2daeff3df8b158369339dfc70bc493b15f

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/780-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3228-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3228-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3228-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3228-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3228-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3228-44-0x0000000001140000-0x00000000029F5000-memory.dmp

Filesize
24.7MB

Download
memory/3228-43-0x000000006E300000-0x000000006E398000-memory.dmp

Filesize
608KB

Download
memory/3228-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3228-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3228-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3228-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3228-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3228-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3228-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4580-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4580-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download