73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
298s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1300	b2e.exe
4620	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4620	cpuminer-sse2.exe
4620	cpuminer-sse2.exe
4620	cpuminer-sse2.exe
4620	cpuminer-sse2.exe
4620	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3936-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 1300	3936	batexe.exe	75
PID 3936 wrote to memory of 1300	3936	batexe.exe	75
PID 3936 wrote to memory of 1300	3936	batexe.exe	75
PID 1300 wrote to memory of 4692	1300	b2e.exe	76
PID 1300 wrote to memory of 4692	1300	b2e.exe	76
PID 1300 wrote to memory of 4692	1300	b2e.exe	76
PID 4692 wrote to memory of 4620	4692	cmd.exe	79
PID 4692 wrote to memory of 4620	4692	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Users\Admin\AppData\Local\Temp\A27A.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A27A.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A27A.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A43F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A27A.tmp\b2e.exe

Filesize
2.8MB

MD5
6f0130d6f882d655485782204bb2bb37

SHA1
bb953ba4137be0593fe47fa1f3fb09c700046cf5

SHA256
f48de8340542a37c99df2f4176d665a9a8223d537d145962bbfe7848bc94db34

SHA512
ef1e7b514b55e1ba9577c6348f2e65adb3d3758070fd0262e8834d9c7d52fa9e30eb35b802ae1b55141fda0a18c019051d0ed4f8faf820599c05c984b84bdb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\A27A.tmp\b2e.exe

Filesize
3.7MB

MD5
0e69653074b4891ed440fbfaa013f2ef

SHA1
0656cbe82b16b6fdcfc73118861de0283b3c785b

SHA256
9a50bb223dca802a60be9526ee963d89593e4402fcd0cbf390ce68dd993f67e4

SHA512
f16fb68c79c6a3836b3761e73c5a57b3e84b163e8ded66b14f89309d65d70157a3ef24231dfdeaae07d7bfa0b2f751f1ea50ddae44914cecce6f05d7629863aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\A43F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
498KB

MD5
75cce22c72fd6ef827ef710f3f9d97c7

SHA1
daf12cf7bf479567f38778c173f49914ce03b4ce

SHA256
bcada82ff0ef20ae38b8f7fbaf296b9e7f7cbf1433ba737961990519b1bee9ac

SHA512
c005236226b3802bf69dc757ce94aa629707360b5e1ec0aeffbf7097962a26ae705a595e19e84fe3a2afc3456961462ead734adaca6aaebe89167f8f7d93a96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
977KB

MD5
40e88413860da5063e21a79bbd11b819

SHA1
55329cf4447975ae71db361e114ac4b13981b23a

SHA256
95169b96756d384d82164b9fe4024137e3ec485139980e546d037ee080e4786f

SHA512
ea0720626d875ee0150e2992f32640d6c67a12f844e03ac355c44c1ecf9dcfcb6ab284fe8d6f35f129a08df2cc3dc0b3f99850d220c83dfc58d1117df0907d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
771KB

MD5
e256faa5982dd7bbc2eff28ffd315673

SHA1
e681fc01c637077473d42645372aab8ed43ec6fc

SHA256
c0011bc9bce466f3169cfb82885cce5cc768321c3ef4703ee66c8cab28c2ab1a

SHA512
55709cca41e5900624b04b8f0ecabb23cf2a8783bd65d49b7deacc8403aa2b6fda7fe443807a51b874a2df4a34845a701806b33ab5b7e159381656150c065d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
669KB

MD5
dc02fc7dccb6f44330e1ce6ba5b2300c

SHA1
7e270092e8ae60b4dd06f8866865f814780ddac4

SHA256
a27a81dfb701de1c58bdb0e0e7689cd2e427dd3d928b12416cf6f71d9652b1a6

SHA512
859e092a54deb5ba384cd2a8f34234dde4a2984501e484b8804a18c2519d64da76b4f9c859d6a220fec6057ae0de241394eb3469f822cc965e4a75acdb66a6ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
908KB

MD5
96208a0aeeb8db2c4e41c071d2af8d68

SHA1
6d2091b53c820f67849a66a65d15a7d42cd06883

SHA256
d99e7cd5a8d02b463587ad834cfe9bd46ebb87ebae9748e498aa07600b15cdbc

SHA512
22323da87594323a4c8946d58ec7ffba3674a11325787eb654d8652bf836063cd8a53f3b0d7b0e3071339dfa1a78795669b99d152c47eba1013d45c36867fd16

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
426KB

MD5
fd13422bbd2bd6d2aafa016e4b7e3780

SHA1
39db679ac7b695e501bc012256750751c548c289

SHA256
d6ac974fa08664e31679400d4666fc690e7b69d4e29570ce7d0fa68dc6dd9e67

SHA512
615f3583a97b5956c4cadab2e96d73d735e65a9f85140647220b65243dd25b32a9e0f60273764808734b7d0754c2dfe431927a2657e8bc001e0f5608713bb03b

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
740KB

MD5
37164e09d2c8d6815aafe110ca4c2a6a

SHA1
8c8f6154accf1349dddb304f27f3a231cee0ad22

SHA256
f3e98da10955003d8396ef6fc9d1e6802c9538a8aa37c6cf6c97630c8ee8d90c

SHA512
a6302566082063524591e6dcfac3d0a8975786e46dee79965e2da42bb844a0101ff2caef7ff7df1137f8c02385a7e4a3090ce53c5c08efe71f5aa54694f9f53a

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
616KB

MD5
b04ce2d440010bd0d14f120f54ddb2d4

SHA1
429d085a6df7c4377dbdfc64bbe90ae4b676a3e5

SHA256
b5658a1cc1d8e5ed6ac81291ea50ba3732121cfe42621187254705edec73f6c4

SHA512
f3a2207a93afbdb75863648be8d3b1b5cb6886028317704dfa7ee3807a37662d0d76357e5f55d3277c2978ce5ca57763c54a3842fec86a95e2f139847a4746f8

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
512KB

MD5
a3dea3777f14f1235327b648410a9406

SHA1
9ab139a0c947962b3c471c36e8b9cca4d750c889

SHA256
ff432926dd375c44e9a86cc2520c46e66be2d212e35fb73f16ebc4b48b98b6d1

SHA512
b6cacf9e5d8adebdb3c4ae9b6eaddda6a90d9eae32bdc4cf6eb36ad7cf14d02486ac0c32942e3bc504e943a544fa71a6c9e2fec8fb07c456290646107b4edea2

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1300-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1300-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3936-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4620-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4620-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4620-43-0x000000005FC70000-0x000000005FD08000-memory.dmp

Filesize
608KB

Download
memory/4620-44-0x0000000001070000-0x0000000002925000-memory.dmp

Filesize
24.7MB

Download
memory/4620-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4620-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4620-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4620-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4620-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4620-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4620-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4620-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4620-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4620-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4620-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4620-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download