73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
304s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
852	b2e.exe
1412	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1412	cpuminer-sse2.exe
1412	cpuminer-sse2.exe
1412	cpuminer-sse2.exe
1412	cpuminer-sse2.exe
1412	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/380-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 852	380	batexe.exe	73
PID 380 wrote to memory of 852	380	batexe.exe	73
PID 380 wrote to memory of 852	380	batexe.exe	73
PID 852 wrote to memory of 5116	852	b2e.exe	74
PID 852 wrote to memory of 5116	852	b2e.exe	74
PID 852 wrote to memory of 5116	852	b2e.exe	74
PID 5116 wrote to memory of 1412	5116	cmd.exe	77
PID 5116 wrote to memory of 1412	5116	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:380
- C:\Users\Admin\AppData\Local\Temp\1A59.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1A59.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1A59.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1EFD.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1A59.tmp\b2e.exe

Filesize
4.4MB

MD5
9f5e3f575dd08ad83b40bb6f9d9feb2e

SHA1
9cfa5c471d69857d0234fa0a87a46ee0290e5b4e

SHA256
d4758118b25d271f4d2cdbc6cf872d5c64b0f02beda523ba4a4b3b1cb72bece2

SHA512
071f258beb89ba2207676481fdb4545dadd35ffe50305ac31d7acbb1c12dbb045cbec9de93f2e67fe6fb17b3b978024de54a349d9724555bcca4cb244e6884bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A59.tmp\b2e.exe

Filesize
5.8MB

MD5
788a7ec9846677c47e66278f24fc461f

SHA1
2f1377a1d2d8a80bae3f50996a6d90fdc9f6ad46

SHA256
25ac07526644bb22bea5da152452e48a93a99d077ce0cc0a8de2f4731474745b

SHA512
42af5395aacf7cbe05340e0c5d174b1ff44e076fca778b38e3e6908a4f0b749368cdffb459d1a1be3efc608be930a8342b90c939378da16db25bb3ee65f45884

Download Submit
C:\Users\Admin\AppData\Local\Temp\1EFD.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.4MB

MD5
fa48c51456c35d69c6adc3d95fa6b6c5

SHA1
7b77651194c698986e3479b729ba3689c194fef5

SHA256
acd2ee5a4391cff78dc49e1632cbaf2529a89cec85792fdc4824aa5410ec391f

SHA512
74ba75d75e910adb55d18945fed1e1fb09029b3762d2959b664d9458f8f0368431dc8b3252b869f1900dee4fde741d6a3a75b3d7efa46cd706df3bb1afa1f7b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.4MB

MD5
75977e93e0e84cafa239cc014ffeda75

SHA1
53448bc66884dd8879a4d5f3eac43c38237173e9

SHA256
b8298b60e108467b50a279f69bf62bca51c8c3867af836093cd11bf59ef269d6

SHA512
9c2ce337d914ed8b651e0956993cd437b571a3743cc52e3bc3d499f573243aebb746220b2fe1e6cf23bc2f75a33ba6970b6997b2cdffcd53a7122a155caff715

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.5MB

MD5
8e3c56885d37a85fe16bfab6202a0aec

SHA1
642b25acda8dba2137e9a764caed373c1cda89ae

SHA256
ef862e3c00db78f79a3f2f96d461635f947cc848db932deadc5d761c59f7ba38

SHA512
f50b06ad1a657259e009b7e1e3f96d8dbeb547c7d287bc42aa69fe0ff2979e9b41e5edc5d347ae807b59a9ed005a9a4fe0f7719d9b804c65653105cd630046da

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.0MB

MD5
e4b74fa61d5f9109ab0a74cf0ac52eff

SHA1
1dadcc8556948965be8ea4a9e60ec4d2f3cdeda5

SHA256
394ac12c50350c64c0bd8cafe82b6b825a92c23524395c87367fee95d3a15272

SHA512
3487d953759251fe92ca1c02f89cf20750374d0c2a8a490ed35a5a52a30af37cac6e21f64c22037a562f30d781b103a6f2a1cbb4c414dc7ca61fdf5a7a3229cc

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
d95468a4b89b6dbd40e2fac5c10f2d6d

SHA1
a3dc976a13fd6684ee6e7f62a66b74df2d4e86fb

SHA256
8049094a38c7cbbaaa22d7b952a646931ee4e1b3f4ff3e8e6775d0e641023051

SHA512
b0d5e22e364e6689c7666a95f09874009a5c28b004dacdea0a2e581afdc7a4feeb9bf9b6c4d2556f1a88bdc187c0bdd306594a4e9643e6bd79b7377a010f041f

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
e34bc68f30a2c8ebd23a123a2d32b791

SHA1
8f846249dcb8ff5138145856711dfff5cb2a272a

SHA256
fbbbf9054a6920c18d0a9209f83cc83fdf58748c7fc06ec13c7b0e5ff30de143

SHA512
bf2f5ac5132699bf52df02932e72a648550bfae855ca91486342abc2f3a611f0bcbba36719c23ba03146ff26b0ea4904b634722d527e239437eef17919ce7e10

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/380-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/852-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/852-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1412-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1412-43-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1412-42-0x00000000505A0000-0x0000000050638000-memory.dmp

Filesize
608KB

Download
memory/1412-44-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/1412-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1412-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1412-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1412-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1412-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1412-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1412-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1412-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download