73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
305s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
11-02-2024 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4584	b2e.exe
3744	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3744	cpuminer-sse2.exe
3744	cpuminer-sse2.exe
3744	cpuminer-sse2.exe
3744	cpuminer-sse2.exe
3744	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1404-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 4584	1404	batexe.exe	74
PID 1404 wrote to memory of 4584	1404	batexe.exe	74
PID 1404 wrote to memory of 4584	1404	batexe.exe	74
PID 4584 wrote to memory of 3120	4584	b2e.exe	75
PID 4584 wrote to memory of 3120	4584	b2e.exe	75
PID 4584 wrote to memory of 3120	4584	b2e.exe	75
PID 3120 wrote to memory of 3744	3120	cmd.exe	78
PID 3120 wrote to memory of 3744	3120	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\15D5.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\15D5.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\15D5.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1BEF.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3120
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\15D5.tmp\b2e.exe

Filesize
832KB

MD5
e1bd95ac3f9c6ce43914de2a53967fee

SHA1
3e03982c075df051d5a8dd837f42873f30483faf

SHA256
45c3475b58fbaa942be0297167c5c3fbbfe7295aa3fcbb4fb61df1348f55c550

SHA512
2166424e86301bbe04fbcce5d0b91562248845c5b1a7e889fee9a95d1c872dd6ea5cc85792b54e6d085095339be2f2b7f30cfd9b40a071b51c96a5009cc96f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\15D5.tmp\b2e.exe

Filesize
1.0MB

MD5
a8a1eb76830d9c63f136503ef7eaf6cb

SHA1
9eed6125f7e0d0125b4523b73bc6d2f87bcf759f

SHA256
5a54bb37f712094085110c93b36c6d9d8cdbb99b91e49ebb40a472bf397d5102

SHA512
44d6572ef055f43b3b3258e461729687177ae29522bfc81843c61cc41d5eee7767d169c21d1503d74678a26c478a6a46d0c8ae1b3ebdd448fab9285e6ef95e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BEF.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
448KB

MD5
ca0b33f54480aa9c590d09f72e3feb31

SHA1
d50dc7dd964feb0d7516c3037e7dc7e008420ae5

SHA256
67833a9e63d8b7469a3a3415124a2426893a6174ce2bd88bea520c68319d182d

SHA512
266dcd9c5bfe2b117fda6bf7c4250a908233d8474bd0b09596a0bd0fa2e5bc75446a20b46cb7e516ef75b5661bbe16c714e8dcc5962a0f481cbaecdf6135affd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
621KB

MD5
1a5df7b3556d078854ded3c22ffcd434

SHA1
3aa9c9480982d6d358a2925d077ef40eed2b279a

SHA256
4b61757d054c3ebe67df4c31819c2b482339bb3d010d85dbef5d07300d6dd335

SHA512
7a5463983b8c3535fdf85cafd5d04f373cddfc94102d4a52de3430cb68adf4ed0e4bbc4d85cfa73a61fa55a5d2c160d4527fd02f0121e0a025aac47f139a9070

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
628KB

MD5
872c48e5aac71f0b9653d006a356aa44

SHA1
2e06b4bc12a597234d2ee02ff944f5e19be9c621

SHA256
14a4f0bac55f1816eb8101c88e0d418875d76066755bdff18dd2f117b2d9cc63

SHA512
1cedc0b734969f3f147518bf69190d20e8b724462a345e94795cdd81489a68627be52bfa429f98a69edef1a450b6820aee3176bd9b5b1aa397441145c23da785

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
459KB

MD5
9594118b151cabc631f37a9b3e23ea8f

SHA1
c280bd283f753b0109d66d1c280beca3cd148c7b

SHA256
fc09c850fb4506485e784c2e1a7de1ae10a26a8e0caac950e4c5c097da10fea2

SHA512
b3751a0bdfd151321c129b25a3d7f1dda458b8d7a518b8802eb1e857b728412dc69528c792cd2e3625e05bdd2a3c33a432a2f220fee7e4440b9b7c96e4172684

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
401KB

MD5
a7d11dac9c0a5fcc9854e91a605d1ca3

SHA1
8d3a29736361690a3c7943670ddf3b80546cd8a2

SHA256
5a72d079ba100f7d521cf06e5cf0e2faa47dad479a59ee65707793530ad106a2

SHA512
2d0ca70b1ff2d64f4e8d69ef6b118c2ed3cc679d55b695f2108e9692b431ac0dbfef7a36e5d9aadf4df422aea86e9d1abe904e1f4999f2eda46037dba85c1254

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
393KB

MD5
764bba7d7469463804743929de60bb67

SHA1
e868c688b51e4175d16223c9c755c7a5fdb00da1

SHA256
b143308d337b81964ab9f3089dcf717ba3d3f8c90422bc6079a41a2918fb4a5c

SHA512
5b4dcba60df8b24f653c76e2b8edfab684173041c02817d97f8c73b7b0b5f41e524fd2e8926fd60b434681f9557e85813f841ea794035f389918d073673a96fa

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
370KB

MD5
ecf831530f02cffd3fe903096f96b5f1

SHA1
aca797a7ff38836de2a9bf7d34a65cbd2ab79335

SHA256
42f2d3f89f23ad937e3dac7e13f4c18a6a2277f3f570819216b58bcb0b035e7a

SHA512
08bcb4eefa8e0aacc28f2879afc1bfd57a2e17eb9df1421a35c0764d98fedb26e2866d6ab9e671a6a5ef2f70677e4146772043fe73c7517563edf810c96a4c37

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
436KB

MD5
01ccca9a4f807839ce204864165ee210

SHA1
c16453f2abb5ce44fa7deabb247ff0ec8effa66b

SHA256
9b2baf553c3eab758852ab7e0b96d73ddde91df5161f13aa9cd096268244ae89

SHA512
9240aca40d1a5ddc3ebe47f7112dd745e808ec4c98067f182e2ddfca634d13991961d996ded1d3a8874381343946d5d6e3a5a666e2a7c2c99c08a554aafe6282

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
320KB

MD5
e748e3357af6e4674ff8962691273b0d

SHA1
0acfc30d68a1ef7c6790a79270864448f70f0aa8

SHA256
84ff770c784909548dbca7bd2a24c8e82338b142f2d4893023e25c52f70e8d14

SHA512
0bd15154698983c85b46810d8fef9092f4d0725882421d6db61f168873af967808c467b924dcb8ee72aaad6e10202edab14916580fc442e14b9d8c85f9d07dcc

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
243KB

MD5
41241fa489ba4de19a3c80a0af593567

SHA1
94cf9e6efe6d6d40c01384156f86bd1155400bd5

SHA256
27fd82a54c389a207877e7a996a3426d76b6abbc0d677a6ea9a41724da473ff7

SHA512
d5c3efb64dee3b694deb62403646c11130cec36e2df5e53d7a9f055b8da5a612d4f9de0f084d84f6afd50f4b2526f953b617facf3f9b02be685367eff9b2e188

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
307KB

MD5
7b4326be59dd73c326ea29866585f0e1

SHA1
2b9cd6eb86b762589c3c4ed6ff4bcb86bb3d0da4

SHA256
9a9d477aaf0e0dd4402cea36d6658bdbf99629acfe21dc2bf8cadf11cda09c96

SHA512
ab24a9b29d7ee7fc13797831953f65e1ff58a073db239a27fad994306abe3973656d1957706a5b86f6e70c51271db2b6372f4aa80342570d35463729cb4f3f15

Download Submit
memory/1404-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3744-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3744-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3744-43-0x0000000061B90000-0x0000000061C28000-memory.dmp

Filesize
608KB

Download
memory/3744-44-0x0000000000E20000-0x00000000026D5000-memory.dmp

Filesize
24.7MB

Download
memory/3744-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4584-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4584-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download