73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
302s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
11-02-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
532	b2e.exe
2652	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2652	cpuminer-sse2.exe
2652	cpuminer-sse2.exe
2652	cpuminer-sse2.exe
2652	cpuminer-sse2.exe
2652	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2732-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 532	2732	batexe.exe	74
PID 2732 wrote to memory of 532	2732	batexe.exe	74
PID 2732 wrote to memory of 532	2732	batexe.exe	74
PID 532 wrote to memory of 3504	532	b2e.exe	75
PID 532 wrote to memory of 3504	532	b2e.exe	75
PID 532 wrote to memory of 3504	532	b2e.exe	75
PID 3504 wrote to memory of 2652	3504	cmd.exe	78
PID 3504 wrote to memory of 2652	3504	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\123B.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\123B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\123B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1865.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\123B.tmp\b2e.exe

Filesize
2.6MB

MD5
37d91ea61e8b034ac41e9a3882d03b01

SHA1
aa562e0631ae600f3f6ab38aebc2db021c746ed5

SHA256
d720bc84c02c972f9a49ff841fc79aaf98b12c579a0ff0ce61a8748780b4a9bc

SHA512
6386bdcce36fe598a2cf4cf0ef190da6803fac0f84a1723f7cce4ee56d8d88c05bbc6614920dfea09fb85c76c3ef0e0793de3f7ddeb80e50ed365de4a40271aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\123B.tmp\b2e.exe

Filesize
2.3MB

MD5
c04d8f40812d02deada5af690ef18438

SHA1
f9a88c696bfa82504bdb3624be7594dd9bc4b566

SHA256
fb27e8d63139f20f1fc197c647e5a872f8c69a3b878b5645a1175f85337e248c

SHA512
aca7519962ca84c1fab2bd303785ec0d43585420dee8580d2d2b9618fbe35cbb47030d6ae9c22641afcf294926638ad589aa965e88039bc32046c9137e21457a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1865.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
215KB

MD5
9bc9d600a63ed30a9d625115ce852e42

SHA1
349b678e42587b9bb4c02587940385e529478220

SHA256
feb2b6aa6a999f9b2db628ba5a7c019ad7f1998d7de8a924e86368f609e52957

SHA512
ccb846d65011197c1065d80a3240f042e26328c1751176d8f28c2eaad27750247335adc8e0b842eb0df73482fd1ec022d83eea92206fdf7fe140d702b2210e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
356KB

MD5
a5fe5ffa8b3a88bd0727cbb5d52c30a6

SHA1
bcdf3bc3b8d6ae86ccfb67b492be88975b3c9333

SHA256
4fb03a47551820dd89abee70c7d636269b57af409f99438f85ed5c899489910e

SHA512
dea743e8f11220623439f694a6cf4de499c0afda20a917c5a766b30b91f81385851b5b1ba07c8fcaef872a2bbb06d49d15e8f0080081cb6a022c09533cc860fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
160KB

MD5
6f9314d0b78f3302dede1ec5bd85cd37

SHA1
6ac5e0fbc578fc6c3fbb06821e4e5234a9ffcbf1

SHA256
6c572c5e111fb43b8be9e65399c78623b9dd55af1c3b15964381d1d054edc2e1

SHA512
db13c1813f1408c504ecb88da444310792f0dae6571628b4798fe32e02930945bd5d4bdcf427d555254c22f663fd4edf885a54df5a89a93c83609fc2a4478e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
261KB

MD5
ebad2f0e6e41fabbfeb4e00ffa4493d4

SHA1
4d781c01fdf8a399ed15bf7ef9a2a6ae645f2c6f

SHA256
d60e01320c6c4ea9c434706c6c0376b76bac1cccbd2fa57a2345bb260e5bdcf8

SHA512
e1250cfcaa43395393414823a5935c76360907b7380da2054c7f1cd25a54b176b8e2c3613e295dbf6a77784e99efd61812c5f52ee2dc2360cd4267ab277989be

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
96KB

MD5
470035ea36573d99208f857b2b434189

SHA1
16666e0d6ecb6713b55366d68776356463387859

SHA256
316b9d85feb163d69ae30fc504402fe91d415e29d7c7b905c4d174011dd33b36

SHA512
f74ac264283be4a533700513b20a6413bb169868d494e925408c33c4a0dab1b2d29becf416ed437de1fb9bf6544a557a050ce88f20d32b97ee723f67015f17c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
327KB

MD5
8864f029cf8923bb8eeb20b26f534a9b

SHA1
2efd744d67febbd125c37db4280472fbe8fdb813

SHA256
b28062937f85e05400a15595d9bdf9a73fc7ea7d1e95234debc76bd163ad4419

SHA512
e067eea0b8ee9269c00e5992ea27f96366a733d5e27479721571aa12b30e8241cadd7b3431f22daaca26eb759d2d08073a1d4718d39dc1a1509aa4bd1590db4e

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
268KB

MD5
8fd5c68e9c4034e7b12b81baf8d8e2fd

SHA1
9182ca3d4a073b0d25040ee2bc95cb127c5d86c2

SHA256
4054757cd610b502fad5b3ff61f4f0e64c1f9d7db42141d82e6827ca52c305b1

SHA512
44c22c7ca4406ac8d2fcff921b6b039638472ee57fdef197c82862f017e8869bc25373741d0db73ce07afd5a2e432c7854a57a0571eec892236acf1995bffb28

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
398KB

MD5
0bbefeda6ce2222583f1fbcee4ec441c

SHA1
a0b78c10aa2882660de435519d9709c07ef04c88

SHA256
f6989bdab0954ca2aa7205ed29aa65e88124a1bc2178508dc65ff8b4fb70fae7

SHA512
3fdfb50e455030644e46491c06182972c948450c626b5aa95f329839773351bee2666ab404c60f8ea7d35cc339401990d333b16b00bdb7685cd681f8f6cf5d6f

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
111KB

MD5
a216e52451bd477a9724a1b15f06f5ca

SHA1
7b433fa17d6b7feee8cf2fb813c309a5a6d983bd

SHA256
8a64dcbc67914c43a588f75d93b8597b82a4cf923256dc9b4a0eaa829cb6c826

SHA512
d7633c7e52c66fb6fc2201f98a9fe7537c70354911569a1a7c5b4f195ead3f7e8323b7faeadb69025f6681e8dcad47db2348aadfd7d22465d751fb1e8e029d0c

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
171KB

MD5
60e2d39f0d879b73440bfd2ba444e023

SHA1
84d080c6a76623dfadb055a6491df35f6d592210

SHA256
99c02785cedff4f6114a08b9576f866a0ff4adc43df956958d52dc4f78981927

SHA512
153c6cd71af37177998abecd5a98b9400afe949ac9ed6efafcb063e1b159ca4b96566c75374913acd61509195b0becea1dd23da5702388be3a56b0939ca2b49e

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
295KB

MD5
fe5f7623030986d976854cf6076f41c7

SHA1
5c6d20a19da2ecb773f327a78c0d67e7be2fdfdb

SHA256
0ac0de6bdb234ad82eb542d4e2b9aef623c8cd32333c107b2298126444a14fbc

SHA512
f2d41cf082af313db412a8c540f89c3179ac7c2fdd1f2da6e0c0816dfb5f405bae5167adb404dcc0529cd0a5fc47e4ebd8455596b062281126a4dd92a25ffb03

Download Submit
memory/532-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/532-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2652-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2652-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2652-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-42-0x0000000068830000-0x00000000688C8000-memory.dmp

Filesize
608KB

Download
memory/2652-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2652-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2652-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2732-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download