73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
296s
platform
windows10-1703_x64
resource
win10-20231220-ja
resource tags

arch:x64arch:x86image:win10-20231220-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 11:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2348	b2e.exe
4816	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4816	cpuminer-sse2.exe
4816	cpuminer-sse2.exe
4816	cpuminer-sse2.exe
4816	cpuminer-sse2.exe
4816	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2336-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2348	2336	batexe.exe	75
PID 2336 wrote to memory of 2348	2336	batexe.exe	75
PID 2336 wrote to memory of 2348	2336	batexe.exe	75
PID 2348 wrote to memory of 1176	2348	b2e.exe	76
PID 2348 wrote to memory of 1176	2348	b2e.exe	76
PID 2348 wrote to memory of 1176	2348	b2e.exe	76
PID 1176 wrote to memory of 4816	1176	cmd.exe	79
PID 1176 wrote to memory of 4816	1176	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\9B94.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9B94.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9B94.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9E63.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9B94.tmp\b2e.exe

Filesize
5.3MB

MD5
bec6334cacd221058057b1e0985b2b80

SHA1
5fb15056cfb8ea40cf5d90678c5fcc529ffda118

SHA256
11077d6be52633770cb968940087149c4d6ccf0668be5373e81ef6efda2f7cb4

SHA512
d455c6188ad16c2c13af9f7294f86d0929c66da2cc2457151f8d40241ff2d10f3f15d8546afbf11f88e968c8793e9d3c0ca979d63b483b4e31e4721a7d453491

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B94.tmp\b2e.exe

Filesize
4.5MB

MD5
1be9894bb97220cd4b6bc3c09549e5d2

SHA1
7bcf47965026d4a02f2fc0f053fd02d48c8e899a

SHA256
955a4f1c8d8c56382e79b591af0b473e1282ca4d9bab0994d1009d8a8a78da1f

SHA512
209ae275d1f694e256306f196bce94d50c852cdd532d6bd2ad2b703afcd1e9297ee7ce010d375a556468468c536723430e1478adca59c01e332e77637c80e6c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E63.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.2MB

MD5
2c249db2a0451b7ae6423c838cb9ffee

SHA1
b8825555bf5f1620f0c6ed344cf32c1eccefa28e

SHA256
893437663aeb69ed5a78257b0261b2bbfa18e10332a01cc60879a229bf5aea7c

SHA512
121da217758f2fc28ffd92ba251b92e0848768d916e90764c02a62ef19041e7d975542dae4d02b1d93054c9f6a66e6d7f15bfa967605742b5496f6a0100cdc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
52c8ef7868545118a76ab44525c70636

SHA1
82299a23052ab264338feddab0e04f6bb71af694

SHA256
2c6e2a70cac4af9e93dd1444215ae977ec2c8480cfa7773938ccbf2fa668cfd8

SHA512
34e952ced8734e53a2966a4b99f7b94813ce61d491f95f877c8568ea727b57673c668d83c292db1037bbea8fe2ca15d35b2d51445c7f9277bd675d20b6d64364

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
e5ad741b50e51cfb77f8bc80e669acf4

SHA1
19a1ecff5b7aa7008d0b1d70dc2aa4b1b2ed9e86

SHA256
c9edf0f5691a3cab0fbf0d94c28b2dccb6e155e541a871b29873aeeb1a7f1c1d

SHA512
1342b8d883586a5946bf83d6e31a4a078dcce1651a0ed2eabe3d539adb1a3b0c14f821161f82b228a3d3814bf39bbc401ffd5128c80805afd8cd4b37bbf04e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
519KB

MD5
ff33351f42dc796857cc80f6dd6999d5

SHA1
8eb695f1e889f52473aa7e243882e9352bf9d89d

SHA256
0c3cf70c4fd6139a169ca599ed81db1e8307df2a536a270370e020110a8897bc

SHA512
acb8439882735265003a17da77981b5fb62b0db592eb576135eb5549e6c890257e83f5a11cbaa3353f6144d65ddabdbc10c133e75485af5eb2e1b625f324dd67

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
262KB

MD5
e9ec8ae4c82adb5dcb810c06b31747a8

SHA1
3981b3193a8f92484422a61a6ab672b7d35bfcd9

SHA256
ce1e85884cb2235f97c0f00019587408dda7b55b70bd727570b5b93b0dd7adc1

SHA512
99e46b2b39e1e81e2f2dba218c34400f1e3f72eba2340734e0f6256dbe68df6094d0bf0b3c9b8aece82e0e0458d27e0dafe87444bee86d88a5afeee66fc836fc

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1015KB

MD5
643fc45d98c6ca1e8dcb4c96745de872

SHA1
b6cb8048b87fe0527576aae0443eb65cb2d7dc0c

SHA256
2acb8243f7f896973eb79185b6dfeeb4660a0ce95ccf59958b00237cefcd6640

SHA512
db585d4e92b8de9552ec14e39ab106fdd6b31797c2ea1606983f79f9bfebfeae1d815a0d6f75d855c573ca5116bc7639020600c57aa8221eee03522a28e85bc8

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
825KB

MD5
274b6ca2e7f0c9d7ab8d59a86c05dbbe

SHA1
768146cabef10f9716a22befc2086463e43afcdf

SHA256
c924154b48ac8957ddef12acf6774a28892b42d650e33f0edd1db320443c6507

SHA512
58a32b5ce99a8649ed15a175dacb5e838fe5a89145193f01427b33b97252afb83e69a9184ec1eead5666912c555c0f1a3fd6d534ba90c6cbffc332592009ed69

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
563KB

MD5
666fa987815e49c5e27cb892fbe0a9fe

SHA1
05f8507c5c3fd1541b2b1bd46cd872a4e3dcfe3f

SHA256
b1624cc900314416122bc5ac4effdf8e997885cfbca7cb33446d74207efd6fd4

SHA512
d5982ba623fa360888d63e5e1f5de178559d7e87ff98af895a92d00caf60681f3a5e6deefc166a9d5412c359c710bbd951f77c92fa84ef945ae3b3f1178a2254

Download Submit
memory/2336-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2348-51-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2348-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4816-45-0x000000006D380000-0x000000006D418000-memory.dmp

Filesize
608KB

Download
memory/4816-57-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4816-43-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/4816-44-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/4816-41-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4816-38-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/4816-52-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4816-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4816-62-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4816-72-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4816-77-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4816-82-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4816-87-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4816-92-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4816-97-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4816-102-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download