Analysis
max time kernel: 295s
max time network: 290s
platform: windows10-2004_x64
resource: win10v2004-20231215-ja
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-ja, locale:ja-jp, os:windows10-2004-x64, system, windows
submitted: 13/02/2024, 04:13
Behavioral task: behavioral1
Sample: batexe.exe
Resource: win10-20231215-ja

Behavioral task: behavioral2
Sample: batexe.exe
Resource: win10v2004-20231215-ja
General
Target: batexe.exe
Size: 9.4MB
MD5: cdc9eacffc6d2bf43153815043064427
SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config

Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description         ioc                                                                                                  Process
Key value queried   \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation   batexe.exe
Key value queried   \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation   b2e.exe

Executes dropped EXE (2 IoCs)
pid    Process
5624   b2e.exe
3344   cpuminer-sse2.exe

Loads dropped DLL (5 IoCs)
pid    Process
3344   cpuminer-sse2.exe
3344   cpuminer-sse2.exe
3344   cpuminer-sse2.exe
3344   cpuminer-sse2.exe
3344   cpuminer-sse2.exe

resource                                                                    yara_rule
behavioral2/memory/732-7-0x0000000000400000-0x000000000393A000-memory.dmp   upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid    Process      procid_target
PID 732 wrote to memory of 5624    732    batexe.exe   65
PID 732 wrote to memory of 5624    732    batexe.exe   65
PID 732 wrote to memory of 5624    732    batexe.exe   65
PID 5624 wrote to memory of 544    5624   b2e.exe      83
PID 5624 wrote to memory of 544    5624   b2e.exe      83
PID 5624 wrote to memory of 544    5624   b2e.exe      83
PID 544 wrote to memory of 3344    544    cmd.exe      88
PID 544 wrote to memory of 3344    544    cmd.exe      88
Processes

1. C:\Users\Admin\AppData\Local\Temp\batexe.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 732

   2. C:\Users\Admin\AppData\Local\Temp\707D.tmp\b2e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\707D.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\707D.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 5624

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\733C.tmp\batchfile.bat" "
         - Suspicious use of WriteProcessMemory
         PID: 544

         4. C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
            Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 3344
Network
MITRE ATT&CK Enterprise v15
Downloads