73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
305s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
316	b2e.exe
4168	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4168	cpuminer-sse2.exe
4168	cpuminer-sse2.exe
4168	cpuminer-sse2.exe
4168	cpuminer-sse2.exe
4168	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2732-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 316	2732	batexe.exe	74
PID 2732 wrote to memory of 316	2732	batexe.exe	74
PID 2732 wrote to memory of 316	2732	batexe.exe	74
PID 316 wrote to memory of 3504	316	b2e.exe	75
PID 316 wrote to memory of 3504	316	b2e.exe	75
PID 316 wrote to memory of 3504	316	b2e.exe	75
PID 3504 wrote to memory of 4168	3504	cmd.exe	78
PID 3504 wrote to memory of 4168	3504	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\10E3.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\10E3.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\10E3.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\16CF.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10E3.tmp\b2e.exe

Filesize
4.0MB

MD5
1fa4bfa474f67b54cbe63e19fe8c59d0

SHA1
a59e75cbd073d202c86ed63f44a115c20f4360cf

SHA256
06cc83cdbecea1dd55172a800b74a0ba7e345a575433cc08fe42439b648f9a06

SHA512
511fe544b35c0e68cdca6def6f388ea672875250aa99834d3ce089fecb459ca27c476755a9e7427603e7fe974bda4a09a3075b2c0af60ec69682494a418ff478

Download Submit
C:\Users\Admin\AppData\Local\Temp\10E3.tmp\b2e.exe

Filesize
4.2MB

MD5
93fe34b4ea0bf49afb7f4b5d687bd93b

SHA1
aa0daac42de6405b66c3c7ba6290e8482c62d223

SHA256
13a31de9cc91e332a550b597ad73b7b1c84382073a0391e8dc4724e03a2b1e1d

SHA512
f1e289d0230c5a01910edc253352a4350fe230be9c259d4be76c378e7c82afff08ae5c76182c8d0b01baad12ab0b4931b2552183aeef793647d5680b1005ae9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\16CF.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.8MB

MD5
282872d98f11d03be8ec973b05e07e4f

SHA1
263364df1e98d2695f79528f818b32f3f345d33b

SHA256
75053d2b11afe0be0564ddb1b980ea8166789f0a4b08333655775941387749dd

SHA512
35c5008d5a319c916851955defeb87c9e02d955fb3188407f11840493cb12d6d5c37ef03a34c6d85e88cd634068c6c8a0735625599b7077534342b78656f977d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.2MB

MD5
75ca4e95d679b88b10c0775125d21629

SHA1
4cf313a8869b6aa867eb4f44d1de8cb7a3f6ae53

SHA256
31aed0ad1bfbc91d1889ef0dbc0a980c4420ec81629f7ea481dea8d25e19e645

SHA512
328b653bca0a53c9ede5c64fb63af67a9a6bab237ac55e7b2b14553d25ec7e406e748e92354df1691b2d6a39d990a8edfa598b4973e7449d125eb31afe035466

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.8MB

MD5
fb76f77e70c7f4b5db4b775dc0aa98ab

SHA1
624ed3f024e9bf7eb5a3aa30bb8c4b818cf25cc3

SHA256
7c5cce8cb748f7d9128a267ace6ca3ae485626625f3312968ee139038d9f6ee4

SHA512
431583e11398bdde02aa357188a9d3f48254243195901c542e1f9e2a736cd84eeefe3526006932b90b3c6a0110d724f2cd4bbd3e68d57cca1fde3a8339217acc

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.2MB

MD5
ade8e19247382bc85f365d9d695a3c56

SHA1
22bc0854ac25f65d94dc5de80ccb15727e10033e

SHA256
41c3c604fe66b4058ab60112efa244411fe8fcd733e73c6ac44fd1b1322bb952

SHA512
99e61d1267f7ec7606c688b3836549434b678bbfe30afd8b4b3a3d366d4cf17608539e353070e8566b980f458011b2feecf2cbf4b4e09d19068db31462dd8e77

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.1MB

MD5
772bc19312a39556fbe3c70f5be819fe

SHA1
9f3b4a1652173d874431549139593f7a2c4065bf

SHA256
a646bdbc63b47238fd27840758b8de46d9b4d0dccb0436880e17f73b492bdd9b

SHA512
8db36e7f2310e42c63fc5ebd93ebc86fd7864bf1d87e20c1751827cc57484a4832f977f81011941e40858b0dbe8e27cc2c1aed46aed4a36319cca066ebd8ccc8

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/316-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/316-5-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2732-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4168-41-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4168-42-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4168-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-44-0x0000000001060000-0x0000000002915000-memory.dmp

Filesize
24.7MB

Download
memory/4168-43-0x0000000068830000-0x00000000688C8000-memory.dmp

Filesize
608KB

Download
memory/4168-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4168-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download