73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
316s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12-02-2024 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3216	b2e.exe
2532	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2532	cpuminer-sse2.exe
2532	cpuminer-sse2.exe
2532	cpuminer-sse2.exe
2532	cpuminer-sse2.exe
2532	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4988-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 3216	4988	batexe.exe	73
PID 4988 wrote to memory of 3216	4988	batexe.exe	73
PID 4988 wrote to memory of 3216	4988	batexe.exe	73
PID 3216 wrote to memory of 3024	3216	b2e.exe	74
PID 3216 wrote to memory of 3024	3216	b2e.exe	74
PID 3216 wrote to memory of 3024	3216	b2e.exe	74
PID 3024 wrote to memory of 2532	3024	cmd.exe	77
PID 3024 wrote to memory of 2532	3024	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Local\Temp\D0BD.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\D0BD.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\D0BD.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D5FD.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D0BD.tmp\b2e.exe

Filesize
168KB

MD5
91fa2a5c1d9ceeaa163a449e64fc8901

SHA1
b015fd1d13ed7c95e7529d230ae3d23dbedf8abd

SHA256
4787e3dd99c5f587f7586ac94058593094ff3cad7014d596a5a578a439863b71

SHA512
0f5a074a607c340869ad82beebdc9879ef3648fdf96fafe712d5d29282c79655d76bb5c6abeb1974fc07a77eb78d58f0645c40f75f10eb985272c6e790a7f874

Download Submit
C:\Users\Admin\AppData\Local\Temp\D0BD.tmp\b2e.exe

Filesize
43KB

MD5
7e52b4bc9b679e5dbfb43124783a7c23

SHA1
7894ad63a07e165fd75af77f3b99f0c20dc9c359

SHA256
801b67170d8c4e68acec458b69e564efa82d7515cdbf4b3250a18e2ecc31744d

SHA512
735ed27a95a61220e33484749b5584625055c307e1cb48c0415b83a0eeefc8e5cf847de38f25d8556665897dd98a38aa7570dfa47b1277e4dd355b0d7b0fc0e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5FD.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
166KB

MD5
62df5e2af394e10694d575cefd308a0d

SHA1
5d7e0d3d894b6413ebd1b174c591f0b6a74fceae

SHA256
205b5a3bae018c8c94eb5322f4f4f75a2d16b7a6f6e273da8a26110b47fe19e9

SHA512
f3f26095962bd92d383973066c61895ed364ff2a05fbebc2e9d898772b1a660fe0a18586d5f266d0b7e6b1698c546733ab5ca6b92387003b60ef44aec8b4aa72

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
118KB

MD5
b565b9102ed29b8e848a9253d9099d60

SHA1
bb8d767a3f37d1155f10faa81d2a500e2df30faa

SHA256
ea17ccc14b0d67787689fcc560afb8614a52ad9db54f4fa27a67c66917f36e61

SHA512
b2e79f9fa6a20fbf68b70f62114378e3ceba5a8f3ad2fb51993eb21ed68e75ab48e5066066c999673f469f9fc8878cff2b95270179a3d12706888f56f84470ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
347KB

MD5
b9f354142b07190f407e8d4a6580f335

SHA1
74e1e3a14e018563f2e28ee7f6f342a6b6ce08a2

SHA256
c423537c9aaa3d6fb7176dd74e32728a7adb36746f33c50852aa1de1fedb4c62

SHA512
6be032384c8f17b554da3b340ce2503bca5a20fd72e97b865571fb0781e83105fca533ccf6eaa49a34b03248b84dc181c45f51e54bac094ce5c09d2d089c0060

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
154KB

MD5
820a078ecc5dd8d673b389b7b4e19741

SHA1
8ea321ee7aa58768c154d75b894fe7abbc2689d9

SHA256
47c276225641668a2aa084a93fb4dacc138324602693d7c93130083b74054fa9

SHA512
7107d2acaddd4ef66b6e298cccca87f82f75f04ba72b2f1e9ac7bddc9f8e6bfb27ae140d378c213ceffd36f1cbec777d5c893bd7c69daaa9845435ca1285a323

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
227KB

MD5
ad4833d34bb31c3b49f1bb4b708f1331

SHA1
d00e95d76f29d9bb958f640efdf2d2c3770dfec1

SHA256
7148ed33b2f506008390ad43c123b8a5599e0ce19822f4e9172710555e858050

SHA512
291b4c4e0bf5fb176800f6d838a5df532d11c6034884d0e22a2ef9f9f1cc4ef16b9cf5906ea5dde59e48756d992f6693e8325c29690e5f336bab67bff71e2cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
1KB

MD5
d7c75b973084fc64536bef84775773ef

SHA1
4ba97a231c651cf0bb9f21c833d0e15d2c1057d3

SHA256
de7e877c905b61a5c6c6d5a60040ee125a9222cc4dabc1398393785bcdb82983

SHA512
e8c5afaa40f10c983ec4470ca3ebfcddd9d5ef4dcc61a4dee165ddfb63d878f9a9e56f74a447feb9337fa332fd94f057ec6de16622b030764aa78137e8a5a808

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
163KB

MD5
d68703a3933d967d5013186861e40316

SHA1
2875382ccb8a035052cc44ea4c62e82f3e961bda

SHA256
aee71e4f57be7082a1bd53d20697c7acc91838586ce50df3b3b9410abf7b7f55

SHA512
fc62be7b65aa89313c9ce080807f1841ec06cd740f003b5cb4bfb0dce0b63e02d7d226cb54053c6cb8cb7a228a578fdf1df1835735ea9e22a29e70b14a14451c

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
146KB

MD5
4d869c991c5be915983af4a6a3e010dc

SHA1
f8f1ee49d0166f185b38c1111061b26c5510b2d3

SHA256
17e3c36f3230bf62824010dad075182e0a1e2c467c9da14cf3f5b7798efa2424

SHA512
30873e18293e62f74a3ab076b7ea35bc6505ebc59ecb17699c551299e60b611a2bc0d1dfdef6c4f0fcef6f0c4f66e2805ee661c3b78a9501642caa65b41619dc

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
75KB

MD5
35727d6c0029c830a5712b7178cd5102

SHA1
9a1c25803209db15a326780d5a1918d4d7de6478

SHA256
fb495db597e25179a4ba110c2950a6258bd613daf30117cca9582d468fa64c55

SHA512
f7a8ec83fe9c3da540b5ee066b741bbfe30f199b24feb46c1615351756861872df8262ef9c3b8af5ae395cacfec9bfb69b903afee5677596202a2c481c1adfc9

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
247KB

MD5
fc9130652ba9cf6c06d995ad89bb398d

SHA1
b4585ccc398fe41751e55db4e96f8ea675a91c45

SHA256
dc53619b81bdcb88c42fa8af9c4b4c6ba69c218cae788893e95656d1fc05013e

SHA512
b278ccaa9ac9718a38411f8f0cb8a8e623c5d50eabe27e372a86cd2b283c956ddf9079c7cc76aac4e6d420c8bd0858f0cd1653e176830c7287f9c7a98e98a569

Download Submit
memory/2532-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2532-43-0x0000000077A60000-0x0000000077AF8000-memory.dmp

Filesize
608KB

Download
memory/2532-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-44-0x0000000001080000-0x0000000002935000-memory.dmp

Filesize
24.7MB

Download
memory/2532-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2532-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3216-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3216-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4988-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download