73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
299s
platform
windows10-1703_x64
resource
win10-20231220-ja
resource tags

arch:x64arch:x86image:win10-20231220-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12-02-2024 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2280	b2e.exe
4692	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4692	cpuminer-sse2.exe
4692	cpuminer-sse2.exe
4692	cpuminer-sse2.exe
4692	cpuminer-sse2.exe
4692	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2172-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2280	2172	batexe.exe	74
PID 2172 wrote to memory of 2280	2172	batexe.exe	74
PID 2172 wrote to memory of 2280	2172	batexe.exe	74
PID 2280 wrote to memory of 4896	2280	b2e.exe	77
PID 2280 wrote to memory of 4896	2280	b2e.exe	77
PID 2280 wrote to memory of 4896	2280	b2e.exe	77
PID 4896 wrote to memory of 4692	4896	cmd.exe	78
PID 4896 wrote to memory of 4692	4896	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\921E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\921E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\921E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\93E3.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\921E.tmp\b2e.exe

Filesize
4.3MB

MD5
6c22cd4b9d11c634118753e15c29aa5e

SHA1
8f78bae07ff37ac9e444a5494493d4818f519b39

SHA256
8004bbfa565a4bebcc1887aaab655e0e5e762cffe1a9b354437061691c625366

SHA512
a3579f049f06556900139b07bf77cfcdcf1a68df5def003b32303e1593a353edb2b18c394348edb2a67763dd67cb12144f189f5b3318b44a77611eb5f536b8ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\921E.tmp\b2e.exe

Filesize
5.0MB

MD5
d770580af3f62d6b67abda05e2a85d05

SHA1
c23e5ac3ddbc7a9b67eadac64f0d5b2d3e744d2d

SHA256
f0f766d7152926a0023754987205511287f4ff8a69ee1639b764856f933b5fb2

SHA512
ff20aa3d4f3b9692951b6337132ed89fb180ec85808c0baef55288e8efa9d5d05f456641bfd88acc8062d91257a15aa4be04bdff698b06b21c370dae3939d1ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\93E3.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.4MB

MD5
5d66efce074fea14a509284937fe6df0

SHA1
b865c623613f58aabadcdd196a3f5788405c7068

SHA256
b334457576201b30596fbe6abb444809c4dcbec83e0a70c24868c276a9860a8b

SHA512
443ef97af0b07d8a57de1faea061bdb889f37cc1a77c4953b745f5de1b7f0b69714e4781030b013f738c20ebd706c4b6c0b0f6769bc95ecc63cffd96b3e2eb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.6MB

MD5
f741570a30e811103be922e734f75038

SHA1
41757a832031802e63ea3563126b389d18b004d6

SHA256
3bfc2a1bdef2af111686c3294bb1cb440389ae099286678b5e495da714bd1244

SHA512
3b7c194d06d222224b2c74ef978ec9d0cff8e2d424ba0d81d4256b7bdd71a1312c8372db1d84ffad35db9be0d0be20d01b813684a69d201193fdffd4101dedd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
a2fb400572811c60ac2ff0a11a45b9d2

SHA1
e4c47cc44acd9592720c0a1943903fea11135f22

SHA256
676f03a91713e9e7c49da48638241ee45ed71dc00c265b000112038b9f4f3466

SHA512
116f05f7f6285cda1678a0d3a721ffe6900ebeaaa0d1f34dcfdf4b79194618f5815cdd020e23f855f91db8b2c0c55e8a123aa1cf937ecf0d9331e3ad9d495493

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
593cc54b6773b2856e7fafbdbccda566

SHA1
0c1310337ac0f55d5ead6a545216ff98a3c1cbdd

SHA256
aed74292b6eeb4c67d6006499d26826753dcecd7a957078e47e4789e822356d4

SHA512
80af505efef296a6897fbf4f6fbdeb6ce0ee7bfe778cc80274db2c55017b558801dc9e10acf5c5811fc35ae1ed1f7160c8fb9223822bea9ac913e6ed847667e8

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
11e913a27012a21c1684755918ab3bf9

SHA1
0c9ccf8e9bbdce862efef72e28c60e82114523b4

SHA256
9adca05bb8ebc437d90c8993ceb06f6ee049dfaea534d97bbf942e23dc299c1c

SHA512
95cc373d83970c3be169febad9961068b89ce5eed04fea79b203192c388dbe8e926fc82eb3c8647257a513ed42d86463292dfea6fdd71a879fec322033ac0f7b

Download Submit
memory/2172-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2280-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2280-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4692-43-0x000000005A600000-0x000000005A698000-memory.dmp

Filesize
608KB

Download
memory/4692-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4692-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4692-44-0x0000000001110000-0x00000000029C5000-memory.dmp

Filesize
24.7MB

Download
memory/4692-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4692-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download