73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
305s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12/02/2024, 15:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3228	b2e.exe
4684	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4684	cpuminer-sse2.exe
4684	cpuminer-sse2.exe
4684	cpuminer-sse2.exe
4684	cpuminer-sse2.exe
4684	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4724-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 3228	4724	batexe.exe	74
PID 4724 wrote to memory of 3228	4724	batexe.exe	74
PID 4724 wrote to memory of 3228	4724	batexe.exe	74
PID 3228 wrote to memory of 372	3228	b2e.exe	75
PID 3228 wrote to memory of 372	3228	b2e.exe	75
PID 3228 wrote to memory of 372	3228	b2e.exe	75
PID 372 wrote to memory of 4684	372	cmd.exe	78
PID 372 wrote to memory of 4684	372	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\Temp\14BC.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\14BC.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\14BC.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1AB7.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14BC.tmp\b2e.exe

Filesize
2.8MB

MD5
23d8341609789d71aafc44320ab8eb44

SHA1
7c845e3f499bc27016dc48c8cba7778e6c38105b

SHA256
0f217b8991b89c0398ea7c32f1f3c6308397d6ef6b8f62524b3d3618f3d6555f

SHA512
0dac3e0b4ee43860d117db1d945be40ef8b883dc164b8323bcda0141f596971036cb589369534c898a55af4dca812bc9b8963f1e76782538ef8aaf4c8daa499f

Download Submit
C:\Users\Admin\AppData\Local\Temp\14BC.tmp\b2e.exe

Filesize
2.4MB

MD5
45462f503ce9cc61f04d8d9c19911e23

SHA1
4bf0dee20630c21dc5693d0a36797a14a92bafb7

SHA256
deddcbff187c4d7036a914e24abbec0ee855bab555032e18d1d0d6e039510a70

SHA512
c12b7adf81e4c90385976430674da4c9b97ff6985582c2f4bb1dbdbeb64a30c43dd84b54fb1e5d254f530293aca16b22e0964d35861df9879d5f8032c5d3ca7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1AB7.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
672KB

MD5
0515d277c3823932be99f20c21d5624e

SHA1
fcf5f2c340dfbf06c4fea3992311b5794d6adfda

SHA256
37b93dffd7f8b4667b1214995f6479520023de9d0a635bb97381bc8d734bbebf

SHA512
9d22cadb86ecf726b627bebe42f63e2731baa48956371ea25650856d4b8c3e2fcc9742ce34b6a0dfa94eb8e43c9ff9f4b9afb44165f4053bf581c09da549e912

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
880KB

MD5
e2fca06922a8d875abf9ba09560ade88

SHA1
481412bf9c24712b79b61253e566050abccbfceb

SHA256
85d885c33ce6bb7c4d616767bada30f918071f0f6b511eb32bc060b4532c6879

SHA512
b8cdbaa31b73019adffd596cc543c698b809bf6249709abf6f83fea8837a049e7d37f8075907ec2aaecdfecffa0037c282eb88b30093afb6f3be00eb0d5ef400

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
701KB

MD5
8bd3b6409bfe5d5091da584caafb0220

SHA1
3d556234b15c815c801dbc4e4c68daacec2d7d84

SHA256
cbb6f5c2c2207462fa78bbd242047a2145d39ea151b82a7d569575dd5785bb1e

SHA512
1bde138b547e4991d1400d2f7f518bd428638d965137d7f70ec11386cc68dd3f67e8bd231329ef7270660e6ac033efe1f4b93b713c983309d3708b3c43548932

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
632KB

MD5
7ff62e1654eceee04c7d31c67e713da9

SHA1
bdb23535c16968bcb1e00899dbad7b391788f524

SHA256
085c6f73d2c477280ad2d8f5516fbcf25a49f767c70ee7a1a35986b74437e147

SHA512
8ef1f3d18a7ef751bb48dec7ade3e94381271989e79f365ad653e4ad5be8175b4a68b0a3c70514c5189b0ad110f689eb20fff431a3d5aa1c4e7e2ba0bcc42525

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
512KB

MD5
5fd46a66845c804b88dcd97ffcd66652

SHA1
9556ce5607bdd245c8e4d6a24b8217def653f57b

SHA256
b7fd85a2268a4d62fa15fde3d9e51d6fa3bc865cb4d8e5fdca309be7b027f193

SHA512
0896697d588401a6d29c30e77574ece4f0ba699b082b1bad93964748313a5903eb4994ec81c61bfcbd75f2be3f5200dadda3fd1454381cc5874a9c8952ebeedc

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
519KB

MD5
b8702d52c9f99d2f34a757399eeabf9a

SHA1
1b4b60aa9820cc684d6c0dc626aaaf4e9cb2b3a2

SHA256
a50f87ebedc345279d928403e3d772903ea3e02086372ed53afab4efbe222c2c

SHA512
5a817e8273bad9416f91617c554c2d4afec44cfec360bee00d9b074368ac389e3e27cfe12f5fac7768f3b1a904b6eb92e49d3b7ffe0ee2658aafc75c2db59975

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
721KB

MD5
5fcc441001049e3d856b11c4774e818f

SHA1
9271eefc151539529a6f55b903609b9bdb6dd0c0

SHA256
f17f8866836cce3f0ca833f959d58fe63b615fde6a294818251f62de783faa49

SHA512
0ea7e17b9958ee206434997929cba1324a777f8f8c17bdda705a277297e529592bf2f5f2724e5eb557639241489c5dcd8487d3578932b7e956376a6c6435ba9f

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
526KB

MD5
2f8362a4ccd6f99e12ad6dd4539ceef7

SHA1
2e564bc1af1def3cc04b8dc5812c9dae515a19c0

SHA256
a427e914cd88b68c09002cae8604ef0f928e4a789520a0d39a6190931858386d

SHA512
414ee9e654b592735d0058a42f73ab53d8e9f2d0a77ca3307b23d6cd6206170e426c1fbeed94d315bf298ef5237c392f56f47ca4fb90d08ec5b3ac7f42b21190

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
598KB

MD5
9efec9372655ffe52920469863d007fb

SHA1
b4840ac46f3793654381b4ef53ba9573b92cdcc1

SHA256
f3ff487eac6cda2807cc279f84f2629829ffbe34ea965ed801e910e588fd7626

SHA512
634df6e3f6d747b66d4d147790516a4b1999ea57ec9a64515c29ff30c8b02778a43c05b3a58d00141e60c27657cd3b165e7ce39ccfecee65cce9a82b4abd76c2

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
534KB

MD5
f02dabb8b3f201ed0722237dd690943d

SHA1
e7e344fb16c8fd06cb12aab4c53688fa51f1a45c

SHA256
b5172f6ea81f0f064c19f42845518762e2d0a034f78002d5db66eda8d74d1643

SHA512
ec8c46dc1e7ecdadc0e0cd3e71b964bba6e9b24a6cbde754520fb539dfe1cacae40388262ab3ce2131746a15a1847340ad93af6df7236fe7b319cf0413146bf7

Download Submit
memory/3228-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3228-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4684-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4684-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-43-0x00000000580D0000-0x0000000058168000-memory.dmp

Filesize
608KB

Download
memory/4684-44-0x0000000001120000-0x00000000029D5000-memory.dmp

Filesize
24.7MB

Download
memory/4684-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4684-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4684-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4724-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download