Analysis
- max time kernel: 294s
- max time network: 297s
- platform: windows10-1703_x64
- resource: win10-20231215-ja
- resource tags: arch:x64, arch:x86, image:win10-20231215-ja, locale:ja-jp, os:windows10-1703-x64, system, windows
- submitted: 14/02/2024, 04:48 UTC
Behavioral task: behavioral1
- Sample: batexe.exe
- Resource: win10-20231215-ja
Behavioral task: behavioral2
- Sample: batexe.exe
- Resource: win10v2004-20231222-ja
General
- Target: batexe.exe
- Size: 9.4MB
- MD5: cdc9eacffc6d2bf43153815043064427
- SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
- SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
- SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
- SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
(none extracted)
Signatures
- Executes dropped EXE (2 IoCs)
  pid 2376 b2e.exe
  pid 2492 cpuminer-sse2.exe
- Loads dropped DLL (5 IoCs)
  pid 2492 cpuminer-sse2.exe (5 DLL loads)
- yara_rule upx
  resource behavioral1/memory/4756-4-0x0000000000400000-0x000000000393A000-memory.dmp
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target
  PID 4756 wrote to memory of 2376 / 4756 / batexe.exe / 74 (3 events)
  PID 2376 wrote to memory of 4708 / 2376 / b2e.exe / 77 (3 events)
  PID 4708 wrote to memory of 2492 / 4708 / cmd.exe / 78 (2 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\batexe.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
   PID: 4756
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\A44E.tmp\b2e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\A44E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A44E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
      PID: 2376
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A6EE.tmp\batchfile.bat" "
         PID: 4708
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
            Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
            PID: 2492
            - Executes dropped EXE
            - Loads dropped DLL
Network
Traffic totals: 9.2kB / 12.9kB / 98 / 100
DNS traffic (remote address 8.8.8.8:53)
- Request: yespower.sea.mine.zpool.ca IN A
  Response: 198.50.168.213
  72 B / 88 B / 1 / 1
- Request: 213.168.50.198.in-addr.arpa IN PTR
  Response: mine.zpool.ca
  73 B / 100 B / 1 / 1
- Request: 114.110.16.96.in-addr.arpa IN PTR
  Response: a96-16-110-114.deploy.static.akamaitechnologies.com
  72 B / 137 B / 1 / 1
- Request: 23.236.111.52.in-addr.arpa IN PTR
  Response: (none)
  72 B / 158 B / 1 / 1
- Request: 201.64.52.20.in-addr.arpa IN PTR
  Response: (none)
  71 B / 157 B / 1 / 1
MITRE ATT&CK Enterprise v15
Downloads