Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

7

batexe.exe

windows10-1703-x64

7

batexe.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    295s
  • max time network
    303s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-ja
  • resource tags

    arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
  • submitted
    12/02/2024, 08:28 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    batexe.exe

  • Size

    9.4MB

  • MD5

    cdc9eacffc6d2bf43153815043064427

  • SHA1

    d05101f265f6ea87e18793ab0071f5c99edf363f

  • SHA256

    73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

  • SHA512

    fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6

  • SSDEEP

    196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score
7/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\batexe.exe
    "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Users\Admin\AppData\Local\Temp\D1E6.tmp\b2e.exe
      "C:\Users\Admin\AppData\Local\Temp\D1E6.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\D1E6.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3216
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D793.tmp\batchfile.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3024
        • C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
          cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2532

Network

  • flag-us
    DNS
    yespower.sea.mine.zpool.ca
    cpuminer-sse2.exe
    Remote address:
    8.8.8.8:53
    Request
    yespower.sea.mine.zpool.ca
    IN A
    Response
    yespower.sea.mine.zpool.ca
    IN A
    198.50.168.213
  • flag-us
    DNS
    213.168.50.198.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    213.168.50.198.in-addr.arpa
    IN PTR
    Response
    213.168.50.198.in-addr.arpa
    IN PTR
    minezpoolca
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    253.15.104.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    253.15.104.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    180.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    180.178.17.96.in-addr.arpa
    IN PTR
    Response
    180.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-180deploystaticakamaitechnologiescom
  • 198.50.168.213:6234
    yespower.sea.mine.zpool.ca
    cpuminer-sse2.exe
    7.0kB
     8.0kB
     74
    75
  • 127.0.0.1:49841
    cpuminer-sse2.exe
  • 127.0.0.1:49843
    cpuminer-sse2.exe
  • 8.8.8.8:53
    yespower.sea.mine.zpool.ca
    dns
    cpuminer-sse2.exe
    72 B
     88 B
     1
    1

    DNS Request

    yespower.sea.mine.zpool.ca

    DNS Response

    198.50.168.213

  • 8.8.8.8:53
    213.168.50.198.in-addr.arpa
    dns
    73 B
     100 B
     1
    1

    DNS Request

    213.168.50.198.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    253.15.104.51.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    253.15.104.51.in-addr.arpa

  • 8.8.8.8:53
    180.178.17.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    180.178.17.96.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\D1E6.tmp\b2e.exe
    Filesize

    3.1MB

    MD5

    ce4a1aedf0a19c71d5ebc1e79a9c8cd7

    SHA1

    6ced51a37dae1ab677bedf7c74817131fa59f59f

    SHA256

    10578fbc72a24785f8b1801c56099a7dbb4718e83bc3171fe26f0d15f677502d

    SHA512

    8d0dcad0ec95b3498d57bba0defe6c18a42c661ce794f52abc5dd1ab1d4b18f3d469dc3361e408a72b8d23a71075394be74333fdc6e36731f9a012655dc2bc4a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\D1E6.tmp\b2e.exe
    Filesize

    3.8MB

    MD5

    2c18eeccf0c1c22b7ad2504b27664d97

    SHA1

    ea29f9545a185c6b6ec98d05c1ff23c9efecb576

    SHA256

    59e4cc79906f1c2cfd3fdd0b8d32d151eca7cdd89cee8bbf065898eed0951685

    SHA512

    140a6ca0eb91d7ccef460f54d5412cd86e7a681e3358867a643931162832a9cb8bbbf07535847ef53e25326fb23f85ceb964a17ff902bdd6cd5e3acb10b6a5eb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\D793.tmp\batchfile.bat
    Filesize

    136B

    MD5

    8ea7ac72a10251ecfb42ef4a88bd330a

    SHA1

    c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

    SHA256

    65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

    SHA512

    a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
    Filesize

    840KB

    MD5

    056889ef74e2a2f4650a5c228119812a

    SHA1

    d4d6285d1408050b007a21104b4a39d1d20f79bf

    SHA256

    375d6fb14fbad319c923e0de43106262fa6543c0a7743c87e110c912ecce49ef

    SHA512

    c7d5e8df0a0aaf6a5df5bb499c35e79fd98a4997d9d508249d27e98b63a81bdcbbd7f389d689918164015cb2ce8bb0f4c21666986d6b46bd87deb1369083ea5f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
    Filesize

    736KB

    MD5

    d1763a0ac9b6996e41d20ec9a860dc98

    SHA1

    6755f34107584e6229e92590dc5dc7a52b969fc3

    SHA256

    98251829507f4096abd8947d232880033aa6d94cc24cb68bacfc24c6f20a6d42

    SHA512

    e87059431d1b544d7f6bd16fffc33ee12ea5c94b0170f81644f1c92be0819068ed12f54efd5b2d2681436023aa7db9a66d46ebfee98916daaa785f0f0b970c45

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll
    Filesize

    746KB

    MD5

    0a4caa9dadf2137486cf24c70f6066be

    SHA1

    8e87c80ff9fedee3bf37725a0b3f1dc84fc96798

    SHA256

    f2b09e13be9c6f94b97458e6fe26d915d82a2f3c1c5ed0b9cdc90812124f934a

    SHA512

    25e73c97fdc8e305d780c21e6d34caba7a60cba2eceed98c39838cf41a92c4d0563abfb80fdf1754d32a812762a63dfb56e0047c57bbce96fdf1fda4b96c5087

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll
    Filesize

    691KB

    MD5

    7fbf37fbe48396b4888527c3e1d5f8b8

    SHA1

    1545f96b1df0b20ba1484e7c71e0fcda5cf35457

    SHA256

    8c407306a140e5284c55fa70b84c6019b9c6fac709fa0ae43c5c68aa6f099aa4

    SHA512

    708da84ca48dceea1812a835d93b2087417453b93bde1915dcf1835f651d4bfdf9b4f09460ea5c78b5418f9418c576022c2959268d0ea65597b24e457fd857d5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll
    Filesize

    873KB

    MD5

    cba25dbb8e399017b21cfb22b91bdf8b

    SHA1

    a3ed3e6f22b8baa06b3cef30ffd2039fac6b7e5d

    SHA256

    7c18f63ebef457721dd980574ebf77d3d5282e176a55a3cbe362aeec710a8460

    SHA512

    77f3ada3280a785c2890fc1226925baba0bebc50088bf26fabd70a9dea5022af55e10ed40cfbe348e97981def960952619b22570148a695aca3ddc9659701a59

    Download Submit

  • \Users\Admin\AppData\Local\Temp\libcurl-4.dll
    Filesize

    836KB

    MD5

    aeab40ed9a8e627ea7cefc1f5cf9bf7a

    SHA1

    5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

    SHA256

    218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

    SHA512

    c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll
    Filesize

    904KB

    MD5

    be610ec6dec10fdba68e97e117cacee7

    SHA1

    07b84cbfb7f39a2a6667955a32a606336f4830b4

    SHA256

    fcea8a2935d61616f47169e8201360d36846efe9b29d2e6744b94cbb46dadebc

    SHA512

    a659552ccc0fc795ed643a5aab36d9ca9631301088e2f613abd6e77338f6290b5d176f2ab87e57785a6f97bdcd940352966d4f623f70bc31f1294f57dce0d3f4

    Download Submit

  • \Users\Admin\AppData\Local\Temp\libstdc++-6.dll
    Filesize

    766KB

    MD5

    dd8c719f34b769a3d242a1b31b5b9dcb

    SHA1

    61768291653027055b2e674ca55f57a67b648b6d

    SHA256

    6c74671fa23bcd45a583e0ee408f71feeeeed4adb19bd8f2fe3683c55568dcae

    SHA512

    ee770c900fe15681013bc13965c9b963add9073f8d346ab91ed41efd75611a76a61dbe1c800fcdf6fe9897aecba6e2f53afb74d835e411cef982bfe6b3035dbf

    Download Submit

  • \Users\Admin\AppData\Local\Temp\libstdc++-6.dll
    Filesize

    663KB

    MD5

    6304fd6e8d2bf779b9b09085aa3ee36f

    SHA1

    3233c937319b3f03cedb35eee43885d27d44c679

    SHA256

    f003107a13ab0148f28ce072fdee243ef1fa2619ad1667631bd37b73aa8cea7d

    SHA512

    b34b8915135811960d3536530f36c06b80fd6dd358075cff8c0972a6fc8f24d28b2557e3afb452c6abd84d1247364a738697fba81e8dafd574227bc9f93c8306

    Download Submit

  • \Users\Admin\AppData\Local\Temp\libwinpthread-1.dll
    Filesize

    606KB

    MD5

    585efec1bc1d4d916a4402c9875dff75

    SHA1

    d209613666ccac9d0ddab29a3bc59aa00a0968fa

    SHA256

    2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

    SHA512

    b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

    Download Submit

  • memory/1584-6-0x0000000000400000-0x000000000393A000-memory.dmp

    Filesize

    53.2MB

    Download

  • memory/2532-66-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2532-56-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2532-40-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2532-42-0x0000000061440000-0x000000006156B000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2532-43-0x0000000077A60000-0x0000000077AF8000-memory.dmp

    Filesize

    608KB

    Download

  • memory/2532-44-0x0000000001030000-0x00000000028E5000-memory.dmp

    Filesize

    24.7MB

    Download

  • memory/2532-45-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2532-101-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2532-41-0x0000000070800000-0x00000000708BC000-memory.dmp

    Filesize

    752KB

    Download

  • memory/2532-61-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2532-51-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2532-96-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2532-71-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2532-81-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2532-86-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3216-4-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

    Download

  • memory/3216-50-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.