73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
303s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3228	b2e.exe
4684	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4684	cpuminer-sse2.exe
4684	cpuminer-sse2.exe
4684	cpuminer-sse2.exe
4684	cpuminer-sse2.exe
4684	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4724-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 3228	4724	batexe.exe	74
PID 4724 wrote to memory of 3228	4724	batexe.exe	74
PID 4724 wrote to memory of 3228	4724	batexe.exe	74
PID 3228 wrote to memory of 372	3228	b2e.exe	75
PID 3228 wrote to memory of 372	3228	b2e.exe	75
PID 3228 wrote to memory of 372	3228	b2e.exe	75
PID 372 wrote to memory of 4684	372	cmd.exe	78
PID 372 wrote to memory of 4684	372	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\Temp\13A2.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\13A2.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\13A2.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1B43.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13A2.tmp\b2e.exe

Filesize
3.8MB

MD5
8782954c8b6aac082ecc8b96cb0fa380

SHA1
2fe2dfb712df083d04ef662151f7a323078cdbaf

SHA256
472a521487323090d233b2931089d485be932bb7b1df7cc096c8b498ff04a73b

SHA512
d8a809cff6a7fa2b0762724eabda592db73e20311c184937574671be8cdff033ed4b9886992aa225aa923449c5a5a7949bcd5194ac26972001b95349506beb31

Download Submit
C:\Users\Admin\AppData\Local\Temp\13A2.tmp\b2e.exe

Filesize
4.7MB

MD5
df95dbdd105fccacffd5f77f51d9406f

SHA1
971433744c169b8da44c1d873a956bfbca86663c

SHA256
87bf4a1648a11901a777e64a7567982c180e24009442c6b0300371989db370ec

SHA512
2bfe814240614a2cd52d723b2de043c7df657c7c72c21c6ed74e1e05d1beb0926a5618525eafe4a03a3f6694983996c562782ef05607b923bf7b84a64296a8b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B43.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
550KB

MD5
b36e6dcfd4a46eb64418bc2ab36f57a6

SHA1
8d3611c927d369d9e68ac807b7e8a3c2d3032366

SHA256
5deffe6e6d28e18fa93d27d2b9d6359a1c142d617dab70925665c25143fbde07

SHA512
87c1e88dff81438df623697da25dc9da0a3a180bd25246f0764b36306412f396a2a3a29292cc6d5c35b8447b91691ece2736a253f2cbc08c36276625f34f4ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
444KB

MD5
d9378359edc38d7ddbce5324e81bf4af

SHA1
e840c5e5cf4404716b31ae68aa3dc9913ce262d3

SHA256
66e05bd29c4e132f7e10b65c279ade9044e777401acf6af88485b0c3bec6c972

SHA512
2dfc50a0cebfbd4085776afd472ba38b6bc4e1261b54bae1a026e27e811f784d3d3c2c506cf3ae18cba843f7b47535cb3ea6690f8ab68a01d36351c273048501

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
265KB

MD5
7c884fde1ebdf4a4cc946dd453c1e046

SHA1
e74fed587e8c34167cfb603ab7e4951c39b643b6

SHA256
90141cf2d27a3261702b502d279b6c0c976ee2ea7883580f7a38ccc47a3ffc8e

SHA512
800907aaf64f6914d5f5fa56eb1f07a5cdeaca53be7997d705717615bd7f06abdc6629c42b9c80db13bc9c8f2f5acbdfd31ac31358b9bc589ba069857698d05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
275KB

MD5
00849a3c1a1ce1c52c5255a823314991

SHA1
f80c4a7eed33524c9d2faa6f5edfb8a349b3d8ce

SHA256
e50183a440d30bfedd32d668ad44e00d0fac3c697e50ddea824cfa4e0819cc94

SHA512
83b9f3f2ead3c6b28d349227c79bebf6f0012077a8e2463a21d5e62a2920289655a571e1a155d12c7e46d334ac2435bf4a5613e4361207fe65a1c8130359bc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
468KB

MD5
f30afe290a338f4ee11e768c4fd12eeb

SHA1
08c0a575119c73a19df4c7cd25e0f7a8a63651fc

SHA256
ca872163a6d6c2c962b3cb53cd241c3975d9460c2a6d5dc4fa07d3f3817fab28

SHA512
0bd190b19827ce817e755073674d72d18761e4b097c6a0177042bf8997351874cd3c4cd2c7c4d0ab2237d161d7962ae993ad80719bfbae3148d3dfcf3bb161e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
293KB

MD5
4b12494de424e6729470280cec6b020a

SHA1
0542aeb38c403af51a4ebcaa381e789ccf707ff3

SHA256
cbd9c4f7a61ecb6b0401c7da9689eefda7799e0eb11b139294e5e1d7e26eba1e

SHA512
f172ead62a0a23eb50e59c70306e2c3f075f35dd18242885b39cd33403abaeebcfefff896f5a5c332ac910cf4fda7cd12c987eaffdff9dc02491f36eb9611c8c

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
339KB

MD5
553f148957f10a414e880dcc180b4495

SHA1
e0438f751f63c9e501ea504b18df1bcfc27e9823

SHA256
c95ac3b94dc73a3b692e2e88ab4ea4455d528350d92d465ef9a3e69bc95f17ec

SHA512
83456549a6a06bd9ce3a13dc360672a0f4f20fc3d6b8cdd8a6e21198dba8d602b724f2ef61b7899462fd44ef89bf86e237d7fff8be7ca792f6bfe139f92baaa5

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
6cc35b735a1a538fcbc4fdd3715b571f

SHA1
b63acb86a9e111b24c9d5f11624bc053d92d6ea7

SHA256
f0e77f45344ce40629ae10e3340877ba87d8184bba6cb529a3dd2a8bbd9a009c

SHA512
2f908af1f6fc345caacce1989022afe38f67666560b939d235a112ffcc638c045c751d6b58ff659ab33351eaf6829cbb39c15d13b012159deb5e54983ca7ff61

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
245KB

MD5
6763a3471ca3f09fada10cedbe6cb5aa

SHA1
0b2ad577fb21fe3d4bf4f7d208466309382e3895

SHA256
70b66fdf54e494eeae4533f09a514d33ef003ddaed6ef04166d9efcdef2add8d

SHA512
e672ec314b334b3c10cedd5a1d744e12069f23aeffb7cba6e1ea00b267b4737c502d3e775ab4d70027bcae188896ac55fdc1a54c5f8f22fe37ec9e7f80e1f0ad

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
ec20bbc02c6e06c625b4d42726983e14

SHA1
11701895678814f4b1ecd67439935c11d33559c1

SHA256
b0ca7065f010fc64372830186dc512f4275e0675d0a8c21d31b1a6c5987b8e62

SHA512
96dd428959a9c480c295bf62118c12e34c6d11c3fabe3272523b97595834d3987ff9c5c0677e594ed6626a916a16ddc75f34c557a624c4778a7a30ce3f792259

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
451KB

MD5
aa880c25cc7abaeb48f73c403036bd00

SHA1
7d1267b5221f4735e998d462a4b331a687dad2ba

SHA256
8f29257e8409d64fdfba1b2203289f3c1eff330aabdd3222534454547e017ca3

SHA512
1679e0629ce03343f77b982c70935ff9bbaef670d315c69eb24870db63ef36a4062666174182918ee225b008735311bb7d92f856233f3d04dbc3befe41dba926

Download Submit
memory/3228-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3228-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4684-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4684-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4684-42-0x00000000580D0000-0x0000000058168000-memory.dmp

Filesize
608KB

Download
memory/4684-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-44-0x0000000000EC0000-0x0000000002775000-memory.dmp

Filesize
24.7MB

Download
memory/4684-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4724-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download