73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
299s
platform
windows10-1703_x64
resource
win10-20231220-ja
resource tags

arch:x64arch:x86image:win10-20231220-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 13:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4188	b2e.exe
2252	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2252	cpuminer-sse2.exe
2252	cpuminer-sse2.exe
2252	cpuminer-sse2.exe
2252	cpuminer-sse2.exe
2252	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5040-4-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 4188	5040	batexe.exe	75
PID 5040 wrote to memory of 4188	5040	batexe.exe	75
PID 5040 wrote to memory of 4188	5040	batexe.exe	75
PID 4188 wrote to memory of 2660	4188	b2e.exe	76
PID 4188 wrote to memory of 2660	4188	b2e.exe	76
PID 4188 wrote to memory of 2660	4188	b2e.exe	76
PID 2660 wrote to memory of 2252	2660	cmd.exe	79
PID 2660 wrote to memory of 2252	2660	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\96C2.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\96C2.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\96C2.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\98A6.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\96C2.tmp\b2e.exe

Filesize
1.5MB

MD5
130d3e3b7360dd58cc969f1101b910c4

SHA1
fa2f071b4044b799b39599fa151011c7e7e66ba8

SHA256
10d560acd9f7aede26f646eb8767a05416acef7a4a292599ceb04014e2cd1908

SHA512
51235d8060f9f2aa971279050410eef7d9125cf7e25c6b3c80d8ac799d1466286a6635f790da30e5080a5213f9996ec0794a2ed1b8fcbd212a695db4d1ba94bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\96C2.tmp\b2e.exe

Filesize
824KB

MD5
2aed6f9612b4f28cbfe0447f7b6983fb

SHA1
d7e11d5d2f494b2bf857920ece198ef94b017133

SHA256
aa87f8e10766c762754597db75ef0625e0352a4e5535a46ea8c1609200ba78d3

SHA512
92b949d354aa41fa2c14f227263c695432946fe6fa9586ed368eda093d560d29161e2dd3a865f05050ba877507da6f64bdb9189b45981cdaf004f695f3e11d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\98A6.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
331KB

MD5
f6d142baea22dfb47b1c84125f3338b7

SHA1
c07f7a076cfea01bbcbe92e6bfce078d2a9d4942

SHA256
ce0a20522f8172c07af3aefeff4199264685912f58dc0c383fa60e7a1a5c40b6

SHA512
7d70a9d78454a543343095983d972665f33f2406b81ef817fa90917f4f9734ba30c792a27d2816ef550b7b7a2bf44eeeb48b2efc2a7d04a1cf6b045f59649753

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
313KB

MD5
d27553829ebe56ed33f55745bf5900f8

SHA1
c67cc4b43907bf61ec883b81e298f3c3eff76ec1

SHA256
89fd3f91fa112b712cd34acefb888fa6eed789af64a6be0410ca890699b1431b

SHA512
bce5cd396328a7537feb03f7761c5db3270d21a78f568079396392623eb157a1b86dc056e436f03539da3c2b81ef7a37c07a027311722d314a6968788fa96e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
332KB

MD5
5653f71800b135a2f7b92c3b1183baf5

SHA1
9c57280c7fc437c15451e294bbaadbcd69321c43

SHA256
be8065ddd7a07755f067090b5615aac051cf789f57f78603c7bd8db723aa71d2

SHA512
861786b3eb7631c2e9eb6764a878f63e0c8ab3a464fff532316a660203f6e1256da91249fc043408037f45821b17aa88425fde7e68e1c13dc27e6211c432f4d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
384KB

MD5
44129e5be9d6a0c3c6c34a38e84993e6

SHA1
df31c0de5f72a46bda95b345cc00eb925004d5bc

SHA256
7c95a2d7e387facf48eef0ea4703a4edffa240f8dd8e95a0024e151706835995

SHA512
76ea41bdc10e61185f7edeb395b9462f9dcd82d186c5b7bb101752d42d2398547834c858c142c0013fbb77888d29433aca7ad3ef8a41b18ecd55a06ef1eb6958

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
250KB

MD5
2906baf66859ed7ae7276f049706333c

SHA1
d594bb0796cb2947d30c3a9c771b7396f4b43c40

SHA256
62bb9ec1b861205eb05aa0e4f83b1198e3d4d9ed917b5c8dd190ae9e4b16722b

SHA512
f025b2b915f0393069466d410a9d15d7719b5ae0ed0ad617a3812f90ac3d9d6f9ae7d3854797a6cc2818544e9381faf954769fee22e3573689f17d8718783711

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
309KB

MD5
83cea9442c0c0123f802d255bb15d764

SHA1
5ef460a71c0cf83e01658685042563d07576c2f5

SHA256
72b3906652f32e913b0471e3c44b264de44a69bf5b3fbac1a49df97cf0ef73ad

SHA512
925d3aed26bf961cecaacf9602865543bc70cff715d9dac9bebf3146812bc3797214d9a0430da8b67e5b23cc085a66e65ccaa32b2bbd1cb2de307a24e97d2280

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
179KB

MD5
2404fec2950c34815a44b16a1312b953

SHA1
8c52c03f209187c91e426d88afc7f6af1a60768b

SHA256
429617d58227cebb70419e09bb4c8fc26207aa2e7a44c84f7926229e7e7d0460

SHA512
f9ff753595972eee10d8da272ce8a7e6b3735f3857692b308efcef7070d773492aa4e17b906f5600604abfd9b26905f0a6e86860386b8d1d107ac253c42d594c

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
331KB

MD5
13b22654af49d476cfce5b3534aad891

SHA1
74c0d5868ba9404682c1ad7b74f0acd9c452e12a

SHA256
cb992a59f2e68bf24c3b6db41e86185115331bd238aa01c6d5a4ca8db10cf54e

SHA512
9527f447207a8c7fbaea6b5e90d755022f9c84edd59e3147c9cb24af6976991cacdc2cb88498634ec086fae774a9819ec229e46b6685e698c9a1c46f600dc8da

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
322KB

MD5
a0f8f9d04e80cc488a97527fb06a434e

SHA1
6e1d4ce8a5d8430b25fe5134d899000aeb07e1fd

SHA256
ce27cd50eb5917710d07c80362ae9b2470bb9cd6033c2e95cc56927bf32589fc

SHA512
77591b938977f28aafb704d2516ca1d4aa185f913c157a2901848650a92e6738a7a4f50385a0351b529888472d9988adeea2b6fd0610f376de3fa18a145bd29b

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
334KB

MD5
3e76031895c8b80189fef485f23c5bc7

SHA1
cc7b8350d8b14f7ee199bad58d2a2741fa5d7815

SHA256
2364648f2a59dba085f1bf4abc81e312045fcf8f60e31a31044f1cae1831c701

SHA512
b9063edb3f1e46eb840651f52065ff070a976b87b0e0153541564d0e98c277d15a5477a83c86368c85d18e30e13efb7183def315dd97497747528241bd6df7d4

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
396KB

MD5
0aaecb28f59808a741f533e9689a66da

SHA1
75610d3a9c098955afd70b331164a9e77e18f379

SHA256
b55e2602defc4a5f27bf035558d97eb6e7ac2bb48dd8f69b589bb31d0372abd6

SHA512
ab886536ba3b73983e0aba99e7ef7dc59e54e9ad7a7390167bd77e3eb96a637565268012e35ca0b902f655eacd92447ad89ebbd1f47197040a524bae92bedf75

Download Submit
memory/2252-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2252-64-0x000000006D380000-0x000000006D418000-memory.dmp

Filesize
608KB

Download
memory/2252-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2252-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2252-43-0x000000006D380000-0x000000006D418000-memory.dmp

Filesize
608KB

Download
memory/2252-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2252-44-0x0000000001140000-0x00000000029F5000-memory.dmp

Filesize
24.7MB

Download
memory/2252-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2252-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2252-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2252-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2252-84-0x000000006D380000-0x000000006D418000-memory.dmp

Filesize
608KB

Download
memory/2252-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4188-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4188-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5040-4-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download