Analysis
- max time kernel: 293s
- max time network: 300s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-ja
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-ja, locale:ja-jp, os:windows10-2004-x64, system:windows
- submitted: 12/02/2024, 04:25
Behavioral tasks
- behavioral1: sample batexe.exe, resource win10-20231215-ja
- behavioral2: sample batexe.exe, resource win10v2004-20231222-ja
General
- Target: batexe.exe
- Size: 9.4MB
- MD5: cdc9eacffc6d2bf43153815043064427
- SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
- SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
- SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
- SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation (process: batexe.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation (process: b2e.exe)
- Executes dropped EXE (2 IoCs)
  PID 2152: b2e.exe
  PID 4656: cpuminer-sse2.exe
- Loads dropped DLL (5 IoCs)
  PID 4656: cpuminer-sse2.exe (5 DLL loads)
- YARA rule match: upx
  resource: behavioral2/memory/5056-9-0x0000000000400000-0x000000000393A000-memory.dmp
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 5056 (batexe.exe) wrote to memory of PID 2152, procid_target 84 (3 entries)
  PID 2152 (b2e.exe) wrote to memory of PID 1816, procid_target 85 (3 entries)
  PID 1816 (cmd.exe) wrote to memory of PID 4656, procid_target 88 (2 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\batexe.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  PID: 5056
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\9A4C.tmp\b2e.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\9A4C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9A4C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
    PID: 2152
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9D59.tmp\batchfile.bat" "
      PID: 1816
      signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
        command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
        PID: 4656
        signatures: Executes dropped EXE; Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 7.5MB
  MD5: 9e44598d812a977d8916a83d8dd46911
  SHA1: 79af16557341a327c20f8e02b6921a834c74a8e3
  SHA256: 92a892830201a40ecafeddfbb88caae291241fc651238feebd54de02766ba871
  SHA512: 14c9c169175027ad6aee639cf8a7ac3971fdbd84c7bdce27d5045008076e220b9bc0ba6411d0d40bc3ec2ac08ce60a0d0955c6b17c0c0af30e806b40c397ea4f
- Filesize: 71KB
  MD5: 6c47e9372e4ae152389a2253dbee4ad9
  SHA1: 71e5ce2cec437d9de1f92f65b3c2b55df2cb6a32
  SHA256: 2f6a5267dac2bad90f24ddbf0fd3be9189ee8c9e2932abfe420ef45df7688a31
  SHA512: ec2caa079ed8c49cdc96b97bdf96eab9a91376945b2780ddf90f9de0c50dde9b9e8401bcea0b7d074cb2af3d2285d232a00abb655c67c2638513806544bcc076
- Filesize: 3.6MB
  MD5: 22d22b33e3e639e0357b88feae2de683
  SHA1: 8339b5ba415427d73ab57eaa1225fce87af2f1ff
  SHA256: 9825528ce811ee38ba6d8f6e4d6b4bacc9587dcb7071ad4b1752c8b998d861d7
  SHA512: 4252b5e359e3fc82fec4db5de4fe19074ec934df9ac98291ce8cf93e827aeffb82228a857d7bdb396c0ba3499cd421b05c5fd0538cff44a4cfdff2634a078445
- Filesize: 136B
  MD5: 8ea7ac72a10251ecfb42ef4a88bd330a
  SHA1: c30f6af73a42c0cc89bd20fe95f9159d6f0756c5
  SHA256: 65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9
  SHA512: a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0
- Filesize: 758KB
  MD5: 9b6b5bbf2dc233256016cf94b67751bf
  SHA1: b63b96d56f48d22a0dfe4c9ea0053d4885193302
  SHA256: 70c0457b305d6b56213fd1a4807f43f278a9ab3ab61e8ad6f570d1ae3ca0ea1b
  SHA512: 739f0856f5373ceceb93100a1b1604cfc29e77c27fcc88bafffdb1bf90c45d6863f34e6df7724fb8bf72bbd68b662a49a36dfeafdbb7ff8430609af8bd0c01a4
- Filesize: 686KB
  MD5: 246c5b4aeac891d251a91bc7ebbc1d95
  SHA1: f070c96843f283ba926931439832824738dfd90b
  SHA256: 7d75fcc0cf8e651c5760b48923545513fd9b925297d317f5df5339fb733e4bae
  SHA512: 7c15df10bf2cd10890afc6c66515843373a8f34ad4bbe8e211605581bd00e633f1f6bd0855aa15a7191323dc1a17207c58b14cb39c66b12b65641c8e9df7d5b8
- Filesize: 691KB
  MD5: 1e3614275da145bd569828f3ce596609
  SHA1: f1fd5d510cb36c97011e0307ad26e193d727b2ed
  SHA256: bb4127bcfa122ca2d0c55f1d44a1e22398d9fa0743cad7f99d92ae199281aa99
  SHA512: a3feaa5b9c8af8fc0cc12e83e8479182db86e16f797c044b6314d4e73604d4a34f1b863f1647c1051868f42feadaa79400d2142530962978a4979d67045c96e1
- Filesize: 836KB
  MD5: aeab40ed9a8e627ea7cefc1f5cf9bf7a
  SHA1: 5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8
  SHA256: 218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9
  SHA512: c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8
- Filesize: 442KB
  MD5: b491ff26e0131e8afeb08aa39b9fc4d5
  SHA1: 639884355add5a4a135f37a04a8175e573169938
  SHA256: a1574090582c1c86afe238e5078c6ca5b283671130df769b43bf44825721e469
  SHA512: 17e224cf166ca781afa97d9ab7bdb15109d391d2473ea9113ae92a5ea0b8be84bc99be01e29f773df975effab5ec5bfcdbcb9fd0564b0167fd8fdc3c700c1a95
- Filesize: 530KB
  MD5: 8d6b4a74c6a55398d8e8f6a464f46d05
  SHA1: 99d22c4ec5ab88526b7a9685dc07aefdad3537f9
  SHA256: 734096281559f01a8678cd2f8f8e8c282821ee3b2173e5dc581ce8c4935e8668
  SHA512: 3d98ca9b198311a4a1e00ac121bd51362a56bbc1c946b5cc8c062bb144447402747f145313501242f042ee092fd28779e8cce251441250cf92786eb3adac6eae
- Filesize: 659KB
  MD5: ec615235450913ee3200f02f23ca5209
  SHA1: 01a19796db40802820e7ff819422649162a8bcc3
  SHA256: 63682ece8421ed98bd4feddcda0ce01b3bd6c74375f9c246edff16ad7cd3fb88
  SHA512: dc99107ce837cac7b260ac93fc0f2555407a6782ec92331cfb301119c37fa58161e1801bcc0ac8e9ce5b14ae998f217227ffd8b2bd9bf1f57ba6aed541a366e1
- Filesize: 640KB
  MD5: 1b7339cbcb5b756c15c05fe0cc6443f3
  SHA1: abdba01c4526a9bbbb7fd3853e09bce3cbb5287d
  SHA256: 5fcf0fb116f77206758e3a669ec4fa52648fae431a5c2aa2d7ee69944142e019
  SHA512: 7661b5e8413e74432a00089b1556b2f49e268b6b5c8cefd839cbe19074bffd138c18e8078627420f4082f579a9e3f8d02b199507ae36380b5375162a4d4ba439
- Filesize: 593KB
  MD5: 5bf5bfb3663feeb0fcdb89d4e9a2414d
  SHA1: 8dc1b6f47ab746874e7e2ffa8836e62de9ec0d19
  SHA256: aba94512c63b3d39aa08c2c3a64a899d8d828575b219db1701041d14949c5a3f
  SHA512: ea3a2c8a0e6709a41e3c650b53f3e7b2f2fb91eceb0a9e4d6f799b229eb06118b49177f0e5d7fbe834b24f1378bc200ef4f158abd603d96928cdc4afcbe48aab
- Filesize: 518KB
  MD5: 73ebddb3dc54ae1c1be8f3df21888228
  SHA1: f2276397945ac273fc3296d1390f1b80589d8085
  SHA256: 1ab10e4f43b91862f183a7d44b764f478bfd1f4a47ee5b8a008a32fc7ab3e56a
  SHA512: 35e00ff53bfe11c953cb81ad86f2f16f0dc69fad827178bcd4ab6f24b7f5f4215e7c7d224c39c6e2d88c705ca8fa3a9817dd4f6e537059a6a3b221db077a9667
- Filesize: 606KB
  MD5: 585efec1bc1d4d916a4402c9875dff75
  SHA1: d209613666ccac9d0ddab29a3bc59aa00a0968fa
  SHA256: 2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232
  SHA512: b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770