73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
301s
platform
windows10-1703_x64
resource
win10-20231220-ja
resource tags

arch:x64arch:x86image:win10-20231220-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4448	b2e.exe
4524	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4524	cpuminer-sse2.exe
4524	cpuminer-sse2.exe
4524	cpuminer-sse2.exe
4524	cpuminer-sse2.exe
4524	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2348-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 4448	2348	batexe.exe	44
PID 2348 wrote to memory of 4448	2348	batexe.exe	44
PID 2348 wrote to memory of 4448	2348	batexe.exe	44
PID 4448 wrote to memory of 3188	4448	b2e.exe	63
PID 4448 wrote to memory of 3188	4448	b2e.exe	63
PID 4448 wrote to memory of 3188	4448	b2e.exe	63
PID 3188 wrote to memory of 4524	3188	cmd.exe	61
PID 3188 wrote to memory of 4524	3188	cmd.exe	61

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\92AB.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\92AB.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\92AB.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9470.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3188

C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\92AB.tmp\b2e.exe

Filesize
540KB

MD5
c1ca18679f469f019a1bae9b702b4741

SHA1
b61c51a21fbd7c9d8d82930f786847ef834576c1

SHA256
b6a06cfe06e9df6e81c9cb9deefe1ac43e9cb9a011fb0b3f6f10bb462219d267

SHA512
f3671392401d9b49a93d5d038df635df93d0cb24fd2d6f7ca99be81ac229a2075ef8e1d07170cb1602e70f170ae3dbee9de65080679bb4478540c7a95a1e9cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\92AB.tmp\b2e.exe

Filesize
528KB

MD5
601b2378f6868ea6d5d15ff4f5993627

SHA1
2f1e0cabd3af53a16f3c6dd94e5f3c14c3a627a2

SHA256
de50ec7bbbb7b2b0a0e3c1969847eb1baa67c2ef4f94972c8e5fd33e7aaa5927

SHA512
c69270e91f515d9fa08d8f6160f1cdaf133ee90ac68a399a3d8381ac90ad827078b7845eb9de7e009744bdb8c95f4bfae96f03b62528e22df1834b53f7aef08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9470.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
591KB

MD5
f9cb3085e1414ac6f25f9349065b9623

SHA1
a351b6eff6a0479688cf96c7021be9a226145639

SHA256
549f5fb1c6675559eb266819a567ac22c6774580a1eda1c58d4b877cd382c486

SHA512
b9c141bbad73e0b774d29074768145a136460812257182a35fcbfebc4a202f578c0a7e178049f64d9d17c26d48bcdf5679748513b14b3b4c380043ae6c5c4f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
566KB

MD5
96b93b8bb7057c80c5e2f6b69ab279c9

SHA1
fffb24acfc8ea631ce0845e8680dfa254653f8b7

SHA256
e00fb10cd124313b631b0d29b5a79d273cf977430702da68c2f76262ca847196

SHA512
4efca95d518ea0281b6017c011ea90a69d875f304a0b2360176e97fe30ff8db75bcf34fbec92e4d247b4d2e3ed17121e9e77c6629c8a4698b4ee32f85e9b6194

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
393KB

MD5
04f186d5462ffa4f09fe5fffdaffbc93

SHA1
7fa5b1c566710eae8563a3c7006a10ba7848dec0

SHA256
9641fd208ca96863b4438d6afd438cb7b2e34192379976c8c8a2ab48189512b1

SHA512
1d3cdeaceb5d06127e1cd8e2bdb09818636229fbde7a0bf8f40210e52def6733197fdd985d05429d39fa2ef80c112022cead6a40f585ae76285c615fb3a51e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
527KB

MD5
39ad8c38025d4f84bfb229fa8a64efb6

SHA1
7e79d081f07a4a447c3bd8a98691b0ece628f233

SHA256
638136210971639d654ae97c5a432299ed6a4399c56464c68698edeccc9704b7

SHA512
f20fd0543c45aaa73bd62bb51d9fb5973daf36ab121e8b7629e320e034323964a8c5cc7052f038addabbe2f7f9c3251b27de26ebd3d4b88b31ccbf33a4de4c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
840KB

MD5
e058e57033f1e55f489cae1840d0b6c0

SHA1
634ab7b63447955df894f70d5e055097cae6075a

SHA256
ce502cf9efd26a61d3475745c2f6ad45aeaee9724b0907e73810fd08c243dbbf

SHA512
9212eaddbbfa869c5b7e519a47b8eb86ae96815d332b25eef957bb587eec76315557a8fae4d0a698d5718207068fa1df43a6feb4723dfa63168550a04f856fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
459KB

MD5
2884c48dd5263fe660df583b03b42d36

SHA1
43bdafb2107bfc69e92d48d24c25ea27c93a96bd

SHA256
ed967602b65cc67448aa4e0a2ee41577123aa38102845bf509cc6f7e36c906f7

SHA512
1f37b58e04c37399f344cde1245aa268feee339224d92562bd950d3f27dce0c7a5c5da245a87f5f449e179969b67023a989535dc6cea279c5f06f7ccfe750c7c

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
221KB

MD5
2e3da3ae37da815bd0f13a0d0ee14941

SHA1
5c51fa66839b3c9335563a85f18bbe63aa36d93b

SHA256
8d23beb156e6069a03148febd758e310e7770777b84b616ba6b6a6764dfb20b7

SHA512
cec7d6fd82a65824d7b5936943b9c96c17b4a431cdd747edf21a70e547e053cf905fafb0886284b34c2fe65e7a97faaae3106c1506051299583b878c8e932bae

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
294KB

MD5
bdc1d0fba902bb80ad67b8f216491cce

SHA1
d713a7f1580c4345d805133d49c4282c0cce5d7f

SHA256
83889ae11e59191b15b24077bfa8ec648ae57d93ca899e34aed83ef14ee6f9fb

SHA512
0a425b6530093560e36de6664f86a7a3e9dd8e00ac645200799d66a3548d8696611a335e328102c5d88ea9fb8b0ba15001bb673967688367c38df91b325ad5e5

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
268KB

MD5
d49adf45bbfd5bfc5479f8df6f6bf98a

SHA1
c3398db36f640d4eb063427aeb7cc145d398c7c4

SHA256
dfa055021215d203e6bd5558c0dede79bea6b8e5ca7f9f850c455aa97699d7eb

SHA512
f4be526d78abcb263049ffacbc07c59f610d5f0a80a8fb41ab0bdc7df1271e10cf4c5d5eab22ebfc4f6cc36f5808d06bff9a6518d972c5846404351b0728a561

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
288KB

MD5
9b7a7199b5e93f81d919ddc297ba7093

SHA1
8d2b4a2632023d572d5738ce80bae0e15bfdf47e

SHA256
bf4de1dfeb3b23120ba836f145952806b9fc2024c5f39cef5c8c502428c934d8

SHA512
52f011fc56776dd0bd773af869354a9e715118d0595ee28d8eeee55c0e3909634b8cf0ffa2525ea39c1288715b30cee8961b0119dbb47a62c5e5abdfe3cb2780

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2348-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4448-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4448-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4524-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4524-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4524-43-0x0000000060D70000-0x0000000060E08000-memory.dmp

Filesize
608KB

Download
memory/4524-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4524-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4524-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4524-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4524-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4524-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4524-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4524-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4524-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4524-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4524-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download