73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
306s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
11/02/2024, 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
648	b2e.exe
3304	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3304	cpuminer-sse2.exe
3304	cpuminer-sse2.exe
3304	cpuminer-sse2.exe
3304	cpuminer-sse2.exe
3304	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/520-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 648	520	batexe.exe	74
PID 520 wrote to memory of 648	520	batexe.exe	74
PID 520 wrote to memory of 648	520	batexe.exe	74
PID 648 wrote to memory of 4860	648	b2e.exe	75
PID 648 wrote to memory of 4860	648	b2e.exe	75
PID 648 wrote to memory of 4860	648	b2e.exe	75
PID 4860 wrote to memory of 3304	4860	cmd.exe	78
PID 4860 wrote to memory of 3304	4860	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:520
- C:\Users\Admin\AppData\Local\Temp\12D7.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\12D7.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\12D7.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1AA7.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12D7.tmp\b2e.exe

Filesize
3.2MB

MD5
35d614acc52ac1f063676559357ef3a0

SHA1
38bb0f406b81b4c032d7958594010287638ecd96

SHA256
397dbf36993a3df62c00ff4c243d4fa121db1cedc849f2463fde7f4b6b8005d0

SHA512
0c20d72bef049a19448ff7864f4f57a113dcbaff81dad6c45b4073cddfb9e719f5053242d98d312263a7bec791a002f26c62a24b83fc755a5ee1f47a7f8427fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\12D7.tmp\b2e.exe

Filesize
2.3MB

MD5
95d0895d47c630fe64aec4efc6503ff1

SHA1
42d51bf0d6d09b4102fc60448ff483bcd264a897

SHA256
c998279cbf40944a56e0e6f69f5c92f4aa319880ec14dccfdf6c5b76de5ccb0b

SHA512
b7f633d7396a0386e6f6f04602982a66305d3c9ec97e4e8aba616728d15ad91984f1107bf3b1f65e9cb41c9a3d835538c53239fead4bb06bb5253ad36f45ed01

Download Submit
C:\Users\Admin\AppData\Local\Temp\1AA7.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
762KB

MD5
3e70e1a00d8117011a919a6c5a231787

SHA1
dfd5fe9d6b1c798b5384310ae4523fdc6bfdbb2d

SHA256
e033d3196cc647e764956749aa299d458825029f24c1d9e478ab0e03ce86ef14

SHA512
1c72ef6f75e266c315cfa2a538c26c94795757b6af7ec991c327ff643a719753cf3f5417c8440be13139336d4f2209d332afe52e10406ac0a58124d1aab53401

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.2MB

MD5
ab883d8c26f9a5ebbe45d5be4e2896b4

SHA1
55b83d7b58866db48f6e6caedec16aa8c2849a12

SHA256
6344788b16d68c729821b0934505d0b9bdc4c7b21dc2a57b9b764d01200469ca

SHA512
6571fe74ad601078121502efc23a2fa4175056ac0e52ef3deb3a851db3ca31a236cfe060830a0a4ecb2bfbca04ed7eddb04f7d4060f7db72e81a2b901afbb5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.0MB

MD5
715d6847edf90755983295df67635193

SHA1
2d95fade0cd604195c057057c8aa4ad91bc0c486

SHA256
ce8bbb2e9f0991688e93b66e5e4fe69aadd9e1782671178248bae031d99876e7

SHA512
0b2d77adf46cf456ed4192177e2e00fdaa3a0a9d10e5a75c71cd11b3fe11e7a9932d03d9f8b6ed116323a838af01ab80f436a6878ca6f11716a494526d4bfce7

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
314KB

MD5
708ba341c1a9185c9eb26c2ade842964

SHA1
c697d45513a642940a7bb109bc682e5ec55b72ab

SHA256
a0eb044e3be3b36cb1dfa13a100ebf7aa83b152a20fe807356e5c3f592f4c982

SHA512
5af1aa1b583c4b3113c04245a5f5d813ae0417d4cab06d70a570518f14b65776c3af23e33efce1d9d5b509af2fdd42112b29505d299dbb443fe0c56cfafcd002

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
575KB

MD5
5a0fe35da6ddbe21ff99d857d86ad697

SHA1
d19d524f9ad86442a96462b49adac5a13077c05a

SHA256
23bd97f62d12fcf3aa205492b711b3b565d12b13786130eedd2145d94a55c018

SHA512
07f8465c67d81b645985c80e7c8dca135943c80ba4fcc5cc907515c020cf82ec254a10c954b2cd4060eb2558b64852b6e28836052d6a7805bb280e3a25a23b2f

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
568KB

MD5
d7f3eb63f5a9151492c59a9c5124aa8b

SHA1
3dd58f0b302a4ecdedf5845751a6cf6db635a3f1

SHA256
f2f16c407d63a0ee18f4cc805507d1ddcd7aba8c15c31a1a494c9d8aa2e2666e

SHA512
78fdd9850b662ab593d5a88879fb31ee5f68e8b402cf1bbc8fcc6d5f8ae6d98e578e195870331396762b56d5aec8022a916e962c06063404381938129c2300ef

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/520-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/648-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/648-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3304-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3304-43-0x0000000068830000-0x00000000688C8000-memory.dmp

Filesize
608KB

Download
memory/3304-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3304-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3304-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3304-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3304-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3304-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3304-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3304-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3304-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3304-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3304-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download