73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
305s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
11/02/2024, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4828	b2e.exe
2324	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2324	cpuminer-sse2.exe
2324	cpuminer-sse2.exe
2324	cpuminer-sse2.exe
2324	cpuminer-sse2.exe
2324	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2780-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 4828	2780	batexe.exe	74
PID 2780 wrote to memory of 4828	2780	batexe.exe	74
PID 2780 wrote to memory of 4828	2780	batexe.exe	74
PID 4828 wrote to memory of 2692	4828	b2e.exe	75
PID 4828 wrote to memory of 2692	4828	b2e.exe	75
PID 4828 wrote to memory of 2692	4828	b2e.exe	75
PID 2692 wrote to memory of 2324	2692	cmd.exe	78
PID 2692 wrote to memory of 2324	2692	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\13A2.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\13A2.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\13A2.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\199E.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13A2.tmp\b2e.exe

Filesize
3.1MB

MD5
9e5955d9cfa8131d1d286d2024e45afc

SHA1
d99f4abab7e69916cc61ab775cc9274a54175511

SHA256
bf632d036cc4f4d6cc471d3a4c75d6ed060f1b17d64418966199e354fec70b4a

SHA512
1ee400e750b2beae0c8f4974de28baebf85b5e342c5da40cb978fb7d2623ab115ba514a9324b008fb62ab05f2fe702ba701cfa3c924979157a477ef4d2f3bab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\13A2.tmp\b2e.exe

Filesize
2.4MB

MD5
8df9a5024d52d552a6b6553fafce3d60

SHA1
c46107ad8cf0265501c8c9188fbe99d0c413f225

SHA256
1c0fbc60e0881652cd6fb1d3790f152a1cff21eac66cc9f0d1577fb7cf77d404

SHA512
e0cd2981fadc87ec8b1e97f49252d88a3345f1060ef46a6bb91fee9fdab644fd82c30f23d65007c574960a17ca7184dc799ae3eda1e9c5cadcd2cae579ac8453

Download Submit
C:\Users\Admin\AppData\Local\Temp\199E.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.5MB

MD5
c2b9a904775ba20cdfc79120bf21c4bb

SHA1
3174da7761a956b60b46a161d23bfdcb611cf09f

SHA256
b43a65def4e9c3f8909599771c0610a94000ca14db077312c329bad10753252f

SHA512
390fd68731dc770fb7ea913e98f02ec9d54cf75417604e31d4ee4f17a96b7ca42dca6457cb9029e4cc0845770962b09ce4d148cdd6169a3ad497f1594dd588ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
802761b274baa0381ffd57d13a949e74

SHA1
a98b652034af8d77a2e5906fe875f3a8a1a201d6

SHA256
ac13098473fffa279efb4858068a3872421cb2712333281d0818a8e811518f00

SHA512
856e9868a01467500ec2de3a04dd70b634dee9775a1e044a28886d7fbadba051a709072b6b569143b4c9b7bb897fc1253cfd9df8c486bca935a46b35557e414d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
ab1864ec9dc225eaca9dab2f2b73fe52

SHA1
7cb70f98fa7f1b453453baddbe648bda7de5cdb6

SHA256
061738aabe3ddcaaaeb195fbe338e05b8a628d7039ed45710950d627bd240fc8

SHA512
6da456b5d61e29a08b35fe984ce7c07de82cf1eccfc3c01059f03da567674991b6c221e42bd2b296686088183da4634d57d4ae576eaa5709aa7f70b49d0e43b4

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
976KB

MD5
034c448115750b2bcbc78173aa12d839

SHA1
83d2b7ca341f33a1f9996f15f389a22213e6b1b8

SHA256
f79a0e4c9a6feaa823cc18e3f7f140ffe59dc2e406121dc4ccd3cee4806599bb

SHA512
d650cb3aa33ec922fcf63b1a09faa82874e0b00c88f5509876cd4eda5e1ac21d3f3225a82faaac5f03385aeec5d9d5fe5f570fea300bcd97c0766f61cade0447

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
740KB

MD5
d7baed8b3174273d9883fc18cdfb162b

SHA1
fadb047a00c03dfe3f6c9c22275e081eb18f89b7

SHA256
b2d49ca8f16e5eda63cc45c651793ad0cd3000e31874c2da1ea2f2ef0f293798

SHA512
ae4dc4b187b45a708e4a9e782c0f8e429e64defaa7207e52badbb0edf17146945c3a3c0a637580e9d4b265aa8ea3a297cafe0bc7f29ae266a8b45b1a59e2c0f2

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
922KB

MD5
efded653c9bcd314ed4d23cba4bf5714

SHA1
7688bf40b3f31680291d48dcc84c4e56c1f019b6

SHA256
6cb2e0443ef917a3a0afc41e8bf7e0725f20537f69110baaad07f54c5d1d0aa4

SHA512
fbe859aa568b782958b7d84799671b06bd7095a5bca2b6cf705e166e0dbe15c7de5c741c150e29e39e99172e3055db211420a15f353b025499559fb5b1ecd7cc

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2324-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2324-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2324-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2324-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2324-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2324-43-0x00000000580D0000-0x0000000058168000-memory.dmp

Filesize
608KB

Download
memory/2324-44-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/2324-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2324-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2324-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2324-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2324-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2324-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2324-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2780-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4828-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4828-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download