Analysis
- max time kernel: 294s
- max time network: 292s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-ja
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-ja, locale:ja-jp, os:windows10-2004-x64, system, windows
- submitted: 14/02/2024, 04:48
Behavioral task: behavioral1
  Sample: batexe.exe
  Resource: win10-20231215-ja
Behavioral task: behavioral2
  Sample: batexe.exe
  Resource: win10v2004-20231222-ja
General
- Target: batexe.exe
- Size: 9.4MB
- MD5: cdc9eacffc6d2bf43153815043064427
- SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
- SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
- SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
- SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                 Process
  Key value queried   \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation   batexe.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation   b2e.exe
- Executes dropped EXE (2 IoCs)
  pid    Process
  3900   b2e.exe
  1648   cpuminer-sse2.exe
- Loads dropped DLL (5 IoCs)
  pid    Process
  1648   cpuminer-sse2.exe
  1648   cpuminer-sse2.exe
  1648   cpuminer-sse2.exe
  1648   cpuminer-sse2.exe
  1648   cpuminer-sse2.exe
- resource                                                                     yara_rule
  behavioral2/memory/876-9-0x0000000000400000-0x000000000393A000-memory.dmp    upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                         pid    Process             procid_target
  PID 876 wrote to memory of 3900     876    batexe.exe          84
  PID 876 wrote to memory of 3900     876    batexe.exe          84
  PID 876 wrote to memory of 3900     876    batexe.exe          84
  PID 3900 wrote to memory of 4224    3900   b2e.exe             85
  PID 3900 wrote to memory of 4224    3900   b2e.exe             85
  PID 3900 wrote to memory of 4224    3900   b2e.exe             85
  PID 4224 wrote to memory of 1648    4224   cmd.exe             88
  PID 4224 wrote to memory of 1648    4224   cmd.exe             88
Processes
- C:\Users\Admin\AppData\Local\Temp\batexe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  PID: 876
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\5F18.tmp\b2e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5F18.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5F18.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
    PID: 3900
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6225.tmp\batchfile.bat" "
      PID: 4224
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
        Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
        PID: 1648
        - Executes dropped EXE
        - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads