73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
297s
platform
windows10-1703_x64
resource
win10-20231220-ja
resource tags

arch:x64arch:x86image:win10-20231220-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 00:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
600	b2e.exe
2636	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2636	cpuminer-sse2.exe
2636	cpuminer-sse2.exe
2636	cpuminer-sse2.exe
2636	cpuminer-sse2.exe
2636	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4496-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 600	4496	batexe.exe	75
PID 4496 wrote to memory of 600	4496	batexe.exe	75
PID 4496 wrote to memory of 600	4496	batexe.exe	75
PID 600 wrote to memory of 3080	600	b2e.exe	76
PID 600 wrote to memory of 3080	600	b2e.exe	76
PID 600 wrote to memory of 3080	600	b2e.exe	76
PID 3080 wrote to memory of 2636	3080	cmd.exe	79
PID 3080 wrote to memory of 2636	3080	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Users\Admin\AppData\Local\Temp\9105.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9105.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9105.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\92DA.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9105.tmp\b2e.exe

Filesize
2.9MB

MD5
006e89d943e1efd085ebfab1d53acaa7

SHA1
c4bd8cbba413f61b5e77ce182897aada33591a0c

SHA256
de042f460aa86d7545d5929eb1a93267c7c6125b61bfb968d5bbf94e2e936315

SHA512
a899acda7573b0c224b359d3a9b66bf6225997853928622aabc582c1d0263e52a170bef315e4c95477be659dc37cda2cdd8ed33fec926b0c2438dbe6ce99d64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9105.tmp\b2e.exe

Filesize
2.9MB

MD5
391c7147bcf6b97621ef8feb7f3697ec

SHA1
24d2810f6f3bb56cfa33be91d92bfe4226e69a96

SHA256
f659b55b1abe6bf733311b8b6a8d3ca239004750ede606938cc83c23e870d2cb

SHA512
7777b7bf11c4a723e4946fcd62680e08263a6d995a3ffd1255caa9363b95f6459f58c9ae21a39b54e88db464bd976d42ce216b5cade43d3dcc52d0605f79a12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\92DA.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
622KB

MD5
ae56fe8bee56c3ae85765f69fea5a50e

SHA1
93b554d02925208e81e332f85790e0db854b0a8f

SHA256
fe687b5584200d444f6ae770a49165bd453d5e8d4a0402ae47fe78df4588ddd8

SHA512
91b1bc9b33436da7a2578e85ef10d1284be655d5ccc633cfad6d583e3c99da8db3a6dad80d0fcdc6e6b50112cd8faefa2b19abf80256641e4ce4efaede3c2118

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
497KB

MD5
e419356edaca2b45a475b9f3205fbd7f

SHA1
eadd6e7c71e03bd012282c5c9d567d7579b19fd9

SHA256
35eaa1399bbd5bf6eb176f121f8397ffee792d0917f86d4964cffdf189c95003

SHA512
65bd46e1e51ef961fe9e08167c0fb5949619705d1023f984389edf5599f5f235eaec5816bf29fc03fa55551e5f3a91deb85db2a7befc6bcc9736bb7df5387f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
419KB

MD5
b79138b843944f9a0fc1b56feec75b96

SHA1
4ab2989e80b0753d333c9c7d2b184e978036ce33

SHA256
7b85a32cdbebd1ccc6f86b1851960b9813624fd3dd4edb11e299a13d94712475

SHA512
7e9d1bb178f55431831e59810dd6b8157eccf6ac615ea1d255ad52e702ceb0c02b5fe8e4e99e0770ab12c7a5d4912cdac0008513c137d189a013c8f529175a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
902KB

MD5
a562fc462d32282bd5a2500908ec7102

SHA1
3ecf086e12c7846ad093c660220215aff7f8aaa1

SHA256
e0625997c1021a0c56cd544905bf0fa6858df9ba524c6d4128df0f0d04891907

SHA512
13ae09f383cd6f32a59f1445edf0e6d43906551fd690f1e8be429cc074c56bfc350c6a54a3c923cb38008ea2447753aad58234c2b46e51e8bd6cd329056d3389

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
932KB

MD5
8a944a6fd79468d8d045495f24e5fe25

SHA1
39269bad1cd1adb2c0d105e27832a45d350aaf5b

SHA256
b2cf89578d7aa050ccbcbcc2ceac84089bd746e22a729637056f73cd56ee138c

SHA512
48fff40f24b06828ed44c304446730d83f1efda13c845fef8f31be663feea18f5d7512c06820e9788574e29545cbbfa13d54ebc58ab1bf00e579387f2dab9242

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
599KB

MD5
d940a29c293278fa81b7af7567671c52

SHA1
c7bb6fde947939826f6db82db184b8b5fc274afd

SHA256
ccfe69d3f96f732acde17dce042d7a67047d5f84ad59fae6ab4d4ea779081b52

SHA512
d3fd012c4bc43cc4282f331063094eabf9ca64b78ae86a24851a472cea03b5a7b95dff320092421dba33aeb7e12057197221b9356cf2c2fd815948c7192eaf57

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
594KB

MD5
2419a28d784c796aa57e65282f0fd365

SHA1
ff77ee7545e7cc3f7986ad9d692a6f1b87f50911

SHA256
42b5e50def9112d41c812ec6536b8f09c2c3a8cbc77ff7e92f0c6e39babc2a14

SHA512
81a1622db8012e749beb4a1013a2104c977059bee9f99c5cbcb6db562e82445d951677f6eee6dad5e7c736a965ebe0962f0c013e98c1a15574d8f10cdc97ffa9

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
710KB

MD5
09661dbdf2188d031366aba7ef5267f1

SHA1
bd67465f976e4d0208b23c43ba8cbd72fe210220

SHA256
086df9abc0e6eeeaad1471d61890fba4c8529a2b07560d576349d9ad3c956568

SHA512
884a24589a53ab7d87637bcd4e45330dd049377417834f26d752315758ce6203d0275f5c85d894c51b9de36384f154bf3d44398b3bf91d50c9caeaef049940ea

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
601KB

MD5
fb8a92d5a9949123d897d048af5998b1

SHA1
5d60d2b059cd12545879be60345eb0b937fe686b

SHA256
c272c16d5cbb0e4d39626eb83f3509dd69f9130cfcc9ec182f0dd5d188585f30

SHA512
bff4173bef4c199604bb0126201bda25c08aadea1a0addf06f4b3c900cb662400d213d7683afb5ee8884b3a98199da47bceb8a9e47ddccaffdc32fb928140068

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
483KB

MD5
20ef33142b29254c5595d62f4f551db8

SHA1
6bdb44a53559a932494f58aa5013ef7d40123a42

SHA256
b708640f41381fe535a3e151bce6612474048cab38be0b8645fe176447be691b

SHA512
f1cf23be9bc1b97aff34a075f76cc5dc56f11f11c7281d80edbf42fb8603151edf34ee9c43f34699bbe0cfba46c084ff1cd8286ee83ca7b806bbffa8ce2f8fdc

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/600-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/600-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2636-44-0x0000000001040000-0x00000000028F5000-memory.dmp

Filesize
24.7MB

Download
memory/2636-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2636-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2636-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2636-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2636-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2636-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2636-43-0x000000006F0E0000-0x000000006F178000-memory.dmp

Filesize
608KB

Download
memory/2636-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2636-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2636-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2636-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2636-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4496-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download