73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
306s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
852	b2e.exe
1412	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1412	cpuminer-sse2.exe
1412	cpuminer-sse2.exe
1412	cpuminer-sse2.exe
1412	cpuminer-sse2.exe
1412	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/380-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 852	380	batexe.exe	73
PID 380 wrote to memory of 852	380	batexe.exe	73
PID 380 wrote to memory of 852	380	batexe.exe	73
PID 852 wrote to memory of 4576	852	b2e.exe	74
PID 852 wrote to memory of 4576	852	b2e.exe	74
PID 852 wrote to memory of 4576	852	b2e.exe	74
PID 4576 wrote to memory of 1412	4576	cmd.exe	77
PID 4576 wrote to memory of 1412	4576	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:380
- C:\Users\Admin\AppData\Local\Temp\1B53.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1B53.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1B53.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\20B2.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1B53.tmp\b2e.exe

Filesize
5.5MB

MD5
8ffa4db4407ae4836f560dc9f45df5cf

SHA1
d13381a7204d5e11e3f71126c2185131a42df062

SHA256
526ec3b7b519a1abb1cadad75b0984be7e5e1ed8ec7124c5d268ce554d2a59a4

SHA512
ea2cf7423478db9333e5c89f719bea2ea5557fd06971756bf12b350a8102053f0a8ad6391795cbbb769cb341ec34f6570328e5bd5ddb4e50922b8cae026dcc5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B53.tmp\b2e.exe

Filesize
6.6MB

MD5
2f7662992745819af0f9d1dd7d513f79

SHA1
51f17f87a329f90f2701cf9a96b79826c8c20eba

SHA256
cb08ece13127fd55a42566d26182fe2477310749c6a23524e44cdae22c21aa02

SHA512
32b5801336e31d419eb2644367124792aded96ad8ee6cff2aefa8d10631224b8c2eeb5a31b4be9fd1d9d7a015ce33868d952a18ecc7dae546964d24d5888059f

Download Submit
C:\Users\Admin\AppData\Local\Temp\20B2.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
268KB

MD5
dc97426bc78738a61bd36ed4b5cb9476

SHA1
1afa0c4c6c68956c965b275f9d2a6befed676387

SHA256
ab9659b52fa11812e178bf9873c45e1e46cc43f03484181bd239c6703304e831

SHA512
2954e65635ae00d389fedb78b2722446c013f018da9c75faff1d7df3b233a43ae0ecdc93da100ae2a795945f3346ecf9512fa8bf6a67823713821b3e235af492

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
259KB

MD5
081b624ff83cdb6ba99dc51e0e87c647

SHA1
e1321e7ee20cd71382b632bb7d610887dd40a7a1

SHA256
82cec70cf05480a92bc0551c4d28fed0356159fa84f416dd40751646b512d6da

SHA512
e40f62473f6d3b84ca8e567cc017f9f66c67cad791f2e4461a32e3ebaa173c95530c033b6fe993a0b86f3c2351e872e7e9b669d60bf69bdc3c481686fcd18b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
365KB

MD5
17cdd082355cd94d1f8155c871a2ccdc

SHA1
306a1ec74060fcab7edfb07f5c5fffb71a0866de

SHA256
18860cb783d9fe8538e4d0c048a728b3ba920749c5c73449badc150317fa611f

SHA512
dcbe02badcff46c9854a9742be6c40dc058701b62145e925ceaf6bcca101ed51843d7ef2e25ab556dd69472cf6b21fe546fe3ed8b0dce2ee9181be7913767a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
268KB

MD5
6cc393164d1af6a7f860f6141ef93c5e

SHA1
3e6eba4a51195468071fe961376b5f47b80605c7

SHA256
aa30aaec02ef9ab76adc9584bfd85c8116733945d63dc143f2c5a2106dd7496f

SHA512
cfb795b55f520720c77bde26a1398ebaa63114d9185ade0a80343d80682dae122683ebce4cfe122bed096611bca0fd762f10a7f55d8cc73b1fba005acce112fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
211KB

MD5
0fb686093fb0549e687aeffe117241be

SHA1
6a08a68acd63576807b5c2f697f23e66f3c0fbcd

SHA256
db802c8120ae2258ee115a47058fe4ae4cddaa8f90a516bfe6d5ed3c62168ab3

SHA512
45a9f0f287f505080bb3d594d284b63b3981171f7e2b2d9528685ffeed1406d3573360a2543c405d00ac4107485141de11041f8587623f253aca7e55bfee36a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
303KB

MD5
54171848a3d860772d5042f874582b2b

SHA1
102ddf6dda8a45570814d99ce77c0986565df943

SHA256
cf50b1c6730f6dfff8c0aa506a555c98262d8e397e6e3e7287482e81b31367b9

SHA512
fc9e8d44364e44fa7aeacf92bd57d1288e9887bd40904183534bae34b7b214b50781f55751cc6003996bb98ca69d78c6d02d024e8e5279b1d691b5bca4f906ea

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
176KB

MD5
76446ac1888b390d61ff50b16231b76c

SHA1
89e29c156df81839925ba17b6f7706ceac131633

SHA256
cfcbf951625a4c90581423b50f10cdc23cfe21985cfbd857f6a076fc93c063f6

SHA512
d35475d5582ea1cd7b8a8c12acafd6d4ca8483029076f65cf205a4a861d2d5b4b3ea06a10e14132a99a0562a22211a6c3be39aab2bddf666381105b6740433ae

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
81KB

MD5
044639fc48ea9165872c57479a612462

SHA1
04725e67aa848fd121003739f09096e3ca7496da

SHA256
8921ff52fff54ab2c72472759a46cfe1706979f7de90a78b963de5de4d90885b

SHA512
7b5f1e6883de63e14aa99fcd9bfee8670491b95645c9b947d978b32e61446ff1fe25549da880719aae68057ab28bded4b81d57249bff17114c6148e260072b97

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
56KB

MD5
68f03ebebde4a8895b81d6b5d8066b64

SHA1
aebd95ac59c981010cb2f4f9f1a6e760729db12f

SHA256
4b3ae8ba29ce3a7a6f60e2e85dde5ecfee2b287f7354cd155ca430dd4f7900a5

SHA512
a28a03c5f86f03d5edf8bbd37debeeac386fdea63a90e12b0659ec2a44224183f94df183a8709eaa51f956642fb1a199dcbb6696868b0c32b9ab8ed1cbd91963

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
146KB

MD5
c5204b79cf83f2a709baa427a126871e

SHA1
fdf4667b1ba5f276df2fa5758b2c0902b1cfde54

SHA256
4ea1a55a3d7d2302b9d3f8e225497454ec4938e5e046d292603aa5297bb61585

SHA512
491ff08be93648db08f10c058c55583f9d73e038f4b4bbd5e9f113d139c6592d88719b5a756ff6f571cec20353645d85a1b8cdb68e34b5d1fc4b3ea0ce7ef35b

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
232KB

MD5
d79856ad62ff7df97cecc5dc676b1fce

SHA1
9c71b2c79601293cc935c3deb3a357f7d45b7ff5

SHA256
60d63f0326c3735042bff175424c7cfca3abfb4c40a6508851f43ae7579cbae6

SHA512
a7f0c6ac004db2389b9cbb6b8da5b49e66e4b4d954b46adc8b2e520299ee8946822213aebbbf5da6ad061194d095e30278aa4dc4a575d2a7cea041b483b0e2bd

Download Submit
memory/380-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/852-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/852-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1412-42-0x00000000505A0000-0x0000000050638000-memory.dmp

Filesize
608KB

Download
memory/1412-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1412-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1412-44-0x00000000010F0000-0x00000000029A5000-memory.dmp

Filesize
24.7MB

Download
memory/1412-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1412-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1412-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1412-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1412-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1412-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1412-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1412-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download