020446e1c6ce6b94942ae6cab90695ec400b1cc223b037938712efcc7e999c2a

Analysis

max time kernel
1791s
max time network
1799s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
21-07-2024 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows-solo.ps1
Size

519B
MD5

29d215baf7332e383d89f15cef598b95
SHA1

f1f15196639aba90ebe454a06cf99395427e247a
SHA256

020446e1c6ce6b94942ae6cab90695ec400b1cc223b037938712efcc7e999c2a
SHA512

18d264fe8830e00a92dfe776f5d61853cffc111f1321f84fb53c1151ee795f4f2597cbf01bcbf20ed4be1cf8b5aea9daf16eb44522f2c27fef7c126885149780

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	4268	powershell.exe
4	4268	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4740	cpuminer.exe

Loads dropped DLL 9 IoCs

pid	Process
4740	cpuminer.exe
4740	cpuminer.exe
4740	cpuminer.exe
4740	cpuminer.exe
4740	cpuminer.exe
4740	cpuminer.exe
4740	cpuminer.exe
4740	cpuminer.exe
4740	cpuminer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4268	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4268	powershell.exe
4268	powershell.exe
4268	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4268	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 4740	4268	powershell.exe	73
PID 4268 wrote to memory of 4740	4268	powershell.exe	73

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows-solo.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Users\Admin\AppData\Local\Temp\cpuminer\Cpuminer-opt-cpu-pool-win64\cpuminer.exe
  "C:\Users\Admin\AppData\Local\Temp\cpuminer\Cpuminer-opt-cpu-pool-win64\cpuminer.exe" -a yespowersugar -o stratum+tcp://yespowerSUGAR.mine.zergpool.com:6535 -u sugar1qnw8fvx7qa67v78qwpwp6yerk67quv7k6vhm9us -p c=SUGAR,mc=SUGAR,m=solo,sd=0.01,ID=Windows
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ox2xxw4y.cdq.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\Cpuminer-opt-cpu-pool-win64\LIBEAY32.dll

Filesize
2.2MB

MD5
93050bd3206a0e6160e6fb65981c77bb

SHA1
bd6c67028ebe18f5699fc361a2ef50fa67ce1e38

SHA256
b2a519a0e3774ed74f364a05ed426ba0504334cf51089cea915ed6aaae8d8d7f

SHA512
b78998e7b6c58bc6a53524701a12a474a0a1a46ca99384645795585941245c1e433be44fb06b202435b53c334e0d3a8edaac5ab14778facba977d2abb0045db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\Cpuminer-opt-cpu-pool-win64\cpuminer.exe

Filesize
2.5MB

MD5
e7853a869c7cc2d8755f22842aa563a4

SHA1
16172e911be9c2a6455cce0ede00c892454caa47

SHA256
6d82dd1a8c5e217695f544d98d13f022f0a92a0178e659e80721eeea09ab8e5e

SHA512
5504ccde15990826bdce91935b256b4080bbb5d5346c40b85fb3689d9eae9d0359255c901ccf693531bbcfeff242f9760905cf20201060340f5dffb740c358fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\Cpuminer-opt-cpu-pool-win64\libcurl-4.dll

Filesize
592KB

MD5
9c3fc89ea09f9e70a0e7003c829f434e

SHA1
57d1de8e5817ee055e6e1b0c65dbebd84211f412

SHA256
110418ad0f0e3dd732a1b17212570e66bb7e43772e996ac198191b1ba8047612

SHA512
24d4b51799e0f7fcd05f7466ffc2bc1a9fb6dbf014deb6b8e390559a37ce77f095822710d6060db74fc35213b347cebc9e0f8e27352b1c45f87e3db38ff2f7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\Cpuminer-opt-cpu-pool-win64\libgcc_s_seh-1.dll

Filesize
555KB

MD5
13bb780ab8f3a5fc096ea0f429452ca2

SHA1
04ab5162aa6d5937b8cf8e2d6b669904a5103dc2

SHA256
3c8e18829b540547a67c5182bfe18504c5845b59d007f414d8489e9d7098715c

SHA512
de845a6caed29691ce999bb4c5a3266da1841f89ab1159a9e02454a3c331520245c054aaa223774bf9b120e51e6eb98e5b7b41c67b4de7de44902e6fd938233d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\Cpuminer-opt-cpu-pool-win64\libgmp-10.dll

Filesize
433KB

MD5
fbfc9ec247464994e12c29a6b8db8f88

SHA1
06fd22f32b38f3575518411b0ef5dc3387e1aaaf

SHA256
5efc15a25f932af31cadf3c4bd4c8cef1ff2d1df80db7ac91aeb06f1f54dfa28

SHA512
01c62feba02715961c2096ac5cdc1acc2dc12dc0fd5c6c6b4c1657b7369c237667e0913da164747e26b0d28d4664fb0a1137b2323d799e2766d5f358f6271aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\Cpuminer-opt-cpu-pool-win64\libstdc++-6.dll

Filesize
13.9MB

MD5
974f6a89156b99f33a7103e5222137a5

SHA1
967ad982011a35a98f2754c39001ec3af7749204

SHA256
caaaa50b424fa02079534d9fcf04054ab1bc2b01c55a3dfa001d45a0539c9060

SHA512
9e023d5ae453cffb7f825d6fc34da13fe740bacb910b2f2160b304060c67dd7c454aef4b4266bd0a7ce48f253e799273af0743f0d191fbf4c6d2186013f8f8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer\Cpuminer-opt-cpu-pool-win64\zlib1.dll

Filesize
110KB

MD5
2e08aee6cfaa50e99651b7d2fa293131

SHA1
28475b719d94d59bd2d49f6e255713160d497122

SHA256
0dd643fa607a5a396ac842ee27ad4bf7764a91acac5d78b6020c4146bb2fd3f9

SHA512
5797e4c72936d8b96171e0834d316586397b9df26eeee74e4e97a4608a34a4598656b7a02c273184aa2c6791859b4290855eb6890ebd8cbceeedda192a9ff08c

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\Cpuminer-opt-cpu-pool-win64\libjansson-4.dll

Filesize
69KB

MD5
de12ee463c12b0af3f07eed326be51fa

SHA1
dc91c04fc82e5e60b7a152b8796374811da20ad9

SHA256
23bd24e06f642fe0cd5408a5981ed65b47217b7afd4af0c6e1ee2508f3a25925

SHA512
927379acc410b028895947cef733ffab86d3f587bc352334a740889d5888bfbadb57607fa4af4ce9328fa68b33abb514de46284f6de3b812d83ec114d648514c

Download Submit
\Users\Admin\AppData\Local\Temp\cpuminer\Cpuminer-opt-cpu-pool-win64\libwinpthread-1.dll

Filesize
290KB

MD5
1aca06d325b44ca427ea37b28a0497b5

SHA1
990fd43449cb09db7a3f27da6143ac29aab1dfa2

SHA256
f59b804babd80131c6f1b83b38bedefe0e3a9dafdd460269a0d7cc5f2317a48f

SHA512
3fbf447884969652ab84e6d75d024d17bcdfe45126737ca5bb137d0156e3778b3abbe2d78b34c3b41d7ad826b4c413a08914f191afeaf5a9b4df8a58c33fa1f5

Download Submit
memory/4268-31-0x00007FFE9F3C0000-0x00007FFE9FDAC000-memory.dmp

Filesize
9.9MB

Download
memory/4268-52-0x0000015304600000-0x0000015304612000-memory.dmp

Filesize
72KB

Download
memory/4268-65-0x00000153045D0000-0x00000153045DA000-memory.dmp

Filesize
40KB

Download
memory/4268-32-0x00007FFE9F3C0000-0x00007FFE9FDAC000-memory.dmp

Filesize
9.9MB

Download
memory/4268-3-0x00007FFE9F3C3000-0x00007FFE9F3C4000-memory.dmp

Filesize
4KB

Download
memory/4268-30-0x00007FFE9F3C3000-0x00007FFE9F3C4000-memory.dmp

Filesize
4KB

Download
memory/4268-29-0x00007FFE9F3C0000-0x00007FFE9FDAC000-memory.dmp

Filesize
9.9MB

Download
memory/4268-25-0x00007FFE9F3C0000-0x00007FFE9FDAC000-memory.dmp

Filesize
9.9MB

Download
memory/4268-10-0x000001531CBB0000-0x000001531CC26000-memory.dmp

Filesize
472KB

Download
memory/4268-9-0x00007FFE9F3C0000-0x00007FFE9FDAC000-memory.dmp

Filesize
9.9MB

Download
memory/4268-6-0x00007FFE9F3C0000-0x00007FFE9FDAC000-memory.dmp

Filesize
9.9MB

Download
memory/4268-5-0x0000015304540000-0x0000015304562000-memory.dmp

Filesize
136KB

Download
memory/4740-144-0x0000000061440000-0x00000000614C0000-memory.dmp

Filesize
512KB

Download
memory/4740-137-0x0000000000400000-0x0000000000696000-memory.dmp

Filesize
2.6MB

Download
memory/4740-143-0x0000000062E80000-0x0000000062EA5000-memory.dmp

Filesize
148KB

Download
memory/4740-142-0x0000000064940000-0x000000006498A000-memory.dmp

Filesize
296KB

Download
memory/4740-140-0x000000006FC00000-0x000000006FC19000-memory.dmp

Filesize
100KB

Download
memory/4740-139-0x0000000070800000-0x0000000070880000-memory.dmp

Filesize
512KB

Download
memory/4740-138-0x000000006ACC0000-0x000000006AD33000-memory.dmp

Filesize
460KB

Download
memory/4740-141-0x0000000063080000-0x00000000632C8000-memory.dmp

Filesize
2.3MB

Download
memory/4740-145-0x000000006FC40000-0x0000000070800000-memory.dmp

Filesize
11.8MB

Download
memory/4740-146-0x0000000000400000-0x0000000000696000-memory.dmp

Filesize
2.6MB

Download
memory/4740-158-0x000000006FC00000-0x000000006FC19000-memory.dmp

Filesize
100KB

Download
memory/4740-155-0x0000000000400000-0x0000000000696000-memory.dmp

Filesize
2.6MB

Download
memory/4740-164-0x0000000000400000-0x0000000000696000-memory.dmp

Filesize
2.6MB

Download
memory/4740-173-0x0000000000400000-0x0000000000696000-memory.dmp

Filesize
2.6MB

Download
memory/4740-182-0x0000000000400000-0x0000000000696000-memory.dmp

Filesize
2.6MB

Download