73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
299s
max time network
295s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12-02-2024 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4492	b2e.exe
4168	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4168	cpuminer-sse2.exe
4168	cpuminer-sse2.exe
4168	cpuminer-sse2.exe
4168	cpuminer-sse2.exe
4168	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/520-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 4492	520	batexe.exe	74
PID 520 wrote to memory of 4492	520	batexe.exe	74
PID 520 wrote to memory of 4492	520	batexe.exe	74
PID 4492 wrote to memory of 4860	4492	b2e.exe	75
PID 4492 wrote to memory of 4860	4492	b2e.exe	75
PID 4492 wrote to memory of 4860	4492	b2e.exe	75
PID 4860 wrote to memory of 4168	4860	cmd.exe	78
PID 4860 wrote to memory of 4168	4860	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:520
- C:\Users\Admin\AppData\Local\Temp\1170.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1170.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1170.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\174C.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1170.tmp\b2e.exe

Filesize
2.7MB

MD5
8bf8f5c9d34334938bf32fc15bc9404d

SHA1
fc6b04c193ad23f74ea2a395d67fabfd9ac4aeae

SHA256
176555a7e230054dfb5acb067e8b9306657c5c574f903e67fec1ffe8ecd0a372

SHA512
47658beffb531e00acbd6e1949d549fc8a936f8af46020fb94f6664bac9d153137fdbd2a9b8fb0a5747a06810949cada5de0a014bfcb1928819904c906293dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\1170.tmp\b2e.exe

Filesize
3.1MB

MD5
3f8d37887d7aff453d02a72c8d8d3242

SHA1
af82f2a2d0c1ca14f5c4d0a82a88be032a53fe3d

SHA256
f2a689240e307fec8ee8e72b920f9d81d56918387eab55b43b563b85d96303b2

SHA512
ea53880bf451bc300c40592ea693f10597005f3fe1972e1f851afb3e82b54c40557d3e286f8d19e95118f43a5e7ef8a25c12e270010ac206991c9182a62b4ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\174C.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
742KB

MD5
3eca65c57d04cd2cfb197e651a587381

SHA1
81ec56dc9f0d011592acb101217c990709e1624c

SHA256
46db1fdb9f3bbb2aecff5977b79c779324c9f55d9eb705b9e5b4b6cfb6297f85

SHA512
046efc4443e7657bb762d2a963edfb1845910795db916bef82763004b9aa62b73a6129827e47473752153a5212331c8966c067d56ba3c66f992167f444fe519d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
651KB

MD5
1d336924d8493f579ab115313a039b13

SHA1
d773141162d34a7d9034c620f56e16a74e708049

SHA256
2812359b9ca6eaf547a8a285207fa3f6fad8f89266f71f198d500cc474af0785

SHA512
9fc7e9b0c6941ffaa03bca39261e43929e6be6a532cb5f927af9bc285bab450e16a4a55d679d5b3ccfb0efcd1bd633aacd75b863d38ba67bc95205bf81a33519

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
9KB

MD5
2282cc4cc64c20967309ff3c09ef9879

SHA1
d2c9a4e5d954c1360a52141e59c13cee7705dd03

SHA256
e957ce01e2a712cfdb045ba87490ed676a541bb73b8978c04eb0080680f8cd7f

SHA512
48dffda12ee08303cb0ef07c7f4773966e3bfaf9c3d0826d4e32886968b166baad728fcaf41a1e69f5382154d9ed6b60dbabef6e3ab38fb2988d779c3bbf7e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
585KB

MD5
899634b9ea9026a16f504f6111141c67

SHA1
960dd9abf1c6d5b8e935fd63453725d62af8ae37

SHA256
1d677aa1551171eba1bf32a502346e7fee476923b404ab86299a0649731fb860

SHA512
ffb84336f1352ea8028990dfe528d31ac9ab6c551b1cadd1e93a9da71ee921a1c10466856705894b019fcee16d747cec99308d1cd120dacbe97fa060acb63358

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
794KB

MD5
45ac35ce6adfbc1723a55b9f71688bbb

SHA1
451821ec880bbcad9b0ceed3a74af203f2b0903c

SHA256
699b63f8fb8d525d4a59fcd595beca7867c2b7dc62e02db4244eeebb38c95a2f

SHA512
3163d6ab67f0aa18744694708f2234384ad8d765d4eadecd1fe395e77ef7af446a77a6137abb1ef1baddb3ff86dc6f6c46e7bd620259c7e73b988d180ee589ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
472KB

MD5
68431823b2e77ac5b874b485e71594b2

SHA1
40d726cb480311f885747758e091aa1443f5c0c7

SHA256
bea5871f21671827ea032b22639108c91892028d583974437a3852b61df0638c

SHA512
fb81b0eec3caa87a9e4536cfded288e8e72b693d56bcaea930b1cfa628c0a63c3a086c5055ea74da55cc7d46b551f8aa08fe36124399078c98e90998bc04d4d4

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
586KB

MD5
9bf3d0fb0167129bb348e9b4ee513ccc

SHA1
e63dbcc03bb7a42e11618df9729b4584d6197fa6

SHA256
9fc20b62cd93728b9095746357109bbff0af3d98ff1f5043ad9d9d7bbb0328e6

SHA512
52dcb433f02c443ae40c4e0a5d3c774be8ca000b3ea8b8d6035bbe06b14ff94d2a9d827317976010f50c43230979fea09bfcf866192a58876d6f246fcb3abf4e

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
688KB

MD5
b5a17e0fe9975980d3bce4cd3a16185f

SHA1
61516ad44fa7aa533f792d28b64799b8cc8be788

SHA256
5587c80be76a0c402b1505459d7fa9332fe38dc9a3250ed8bcaeda3534a62357

SHA512
b6f141b9edfd91519b3252ce83767f2cb661bdff20b3a625a0a316c775ff4b1fbb3cfab46b2b5356d902a32d6c877e2b515e6ac51e91fcf0247b52a02dea4eb4

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
503KB

MD5
a426a4a2d6a237581b17fcdfb6a8ac6a

SHA1
ee64bc7ba5b51ebfa5247d21fae25a10c1983702

SHA256
def4e5ae1bf68937a93460f91378c841779fc3cf5c05c612ede3eb3bb04c9ca9

SHA512
aad6d88f316a4b529587e124a7056339005797b206b87da4bdd0d11e6c3610b8814042a2395334f4fcce3cfcd0e86ad2f87e19fef0e253d4c78a139f8c710653

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
469KB

MD5
3167edc3602d1d0dcb192e08c9d82c3c

SHA1
c4ead865a5ae110cba24708f8888370094567171

SHA256
9e7b85f89d6594f9f6e2ef7f5d26a9f3790e28e3797520e1e81150e4a74b337d

SHA512
44695ec4e4626cdf8a1f664fc3cf56f9aae8a6de227c69ebfdc7a7ced0bd2246d62855e27d07d656e36abea6a2e59c5c63427df4f3602bd6d9006a17a2e95712

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
476KB

MD5
b66176beab5d8d87de1b1a12e3dc5e74

SHA1
2d939a95b2ceaad68901513916235b60c96aa870

SHA256
354d4a5e8d7ddba77172b6e322f5c9e77d2882f6b02aea0f86dd1c495347b44d

SHA512
1955d22011f899bf7ad348f88c27f81884a85edcb51c0721e45493636d0437575c84ed4698f8e7ac479863c450a288d3490d25361a5c3ea6dc491861e9181a67

Download Submit
memory/520-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4168-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4168-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4168-43-0x0000000068830000-0x00000000688C8000-memory.dmp

Filesize
608KB

Download
memory/4168-44-0x0000000000D40000-0x00000000025F5000-memory.dmp

Filesize
24.7MB

Download
memory/4168-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4492-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4492-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download