Analysis
- max time kernel: 295s
- max time network: 300s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-ja
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-ja, locale:ja-jp, os:windows10-2004-x64, system:windows
- submitted: 14/02/2024, 12:04
Behavioral task: behavioral1
- Sample: batexe.exe
- Resource: win10-20231215-ja
Behavioral task: behavioral2
- Sample: batexe.exe
- Resource: win10v2004-20231215-ja
General
- Target: batexe.exe
- Size: 9.4MB
- MD5: cdc9eacffc6d2bf43153815043064427
- SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
- SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
- SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
- SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | Process: batexe.exe
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | Process: b2e.exe
- Executes dropped EXE (2 IoCs)
  pid: 552 | Process: b2e.exe
  pid: 3928 | Process: cpuminer-sse2.exe
- Loads dropped DLL (5 IoCs)
  pid: 3928 | Process: cpuminer-sse2.exe (5 entries)
- yara_rule match
  resource: behavioral2/memory/3468-8-0x0000000000400000-0x000000000393A000-memory.dmp | yara_rule: upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 3468 wrote to memory of 552 | pid: 3468 | Process: batexe.exe | procid_target: 85 (3 entries)
  description: PID 552 wrote to memory of 6092 | pid: 552 | Process: b2e.exe | procid_target: 86 (3 entries)
  description: PID 6092 wrote to memory of 3928 | pid: 6092 | Process: cmd.exe | procid_target: 89 (2 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\batexe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 3468
  - C:\Users\Admin\AppData\Local\Temp\6C08.tmp\b2e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6C08.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6C08.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 552
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6F73.tmp\batchfile.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 6092
      - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
        Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
        - Executes dropped EXE
        - Loads dropped DLL
        PID: 3928
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 15.2MB
  MD5: a2900bba6dc7810cf52bc1bdb32a153c
  SHA1: 3cf9dd0bc5c1875b2ffce702a4f551ec212ddf13
  SHA256: ba2dffcd458cec2501884b54d028e505ac42ca2964b46c242d26cb8a32f5c6e1
  SHA512: e09da380dfe50a1f217fd89ccef52c95d794d246ec292b769e6b3d6836508fdc1a411e5f2b1f38b253656dd5654a01285b1680223d05feee37f74f63390530c4
- Filesize: 8.2MB
  MD5: a1df112a1281af657c00ca33cd594aa2
  SHA1: e6ed580602294b69b165b9e1e8d1766ea1be0036
  SHA256: 40b26bc0a0a5accb0a04d7d3f064fc8a9f6b35285ea9a2d58338bd3b2cea5554
  SHA512: 25df7a6a41620c40e654a9d489dbf7c7bcbfcee50fbc62d74fbb9c7b53647487bf3e124d79d54eedda966197f4d442e957e0a23c7142637989f70cc9ef9d2f78
- Filesize: 5.9MB
  MD5: 70eba0614ac298d368d5c74f355c2b6f
  SHA1: d36496447380796a9b6145475c87ccf500e845e6
  SHA256: 778b290d15a60f0093319bc1a0e488c88e79e4c2a30a1a0065f413ec9dea64d2
  SHA512: 65cb683fcee9d7446e3554eb073fb367bee15198064d6c0220924a9f7aa769e60505d65442ac458c9ebbd8d3ea306a263913945ff19c57c5e8f5c2b3c61eb459
- Filesize: 136B
  MD5: 8ea7ac72a10251ecfb42ef4a88bd330a
  SHA1: c30f6af73a42c0cc89bd20fe95f9159d6f0756c5
  SHA256: 65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9
  SHA512: a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0
- Filesize: 2.2MB
  MD5: 3e9327d3c42cb85cf192d9c264444959
  SHA1: 6609e1177f51c6093152f9246f411cf58b8a6541
  SHA256: f2b81f6d8c8f2ef5480d36b9b3e079f298c449b0109754811583e4994c9264c6
  SHA512: b3ab2a2b8f05bbe201ac3e3b33608e2ba68ace4a1248f31a569b56c7f095870e5859480b828f60459330255d49d2cf1ef86e4f6bae72b1adb02f8deb8ccd8002
- Filesize: 2.3MB
  MD5: 4c04147c386ba8792ac6a03069572a8a
  SHA1: dda67789fc1d0f2469ca95f01a5c81034853ca6a
  SHA256: c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd
  SHA512: a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db
- Filesize: 836KB
  MD5: aeab40ed9a8e627ea7cefc1f5cf9bf7a
  SHA1: 5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8
  SHA256: 218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9
  SHA512: c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8
- Filesize: 1.2MB
  MD5: 7cf672bee2afba2dcd0c031ff985958e
  SHA1: 6b82a205db080ffdcb4a4470fce85a14413f3217
  SHA256: c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05
  SHA512: 3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5
- Filesize: 2.0MB
  MD5: 05e69d61121061e47034ed6bf72ecca0
  SHA1: d90c67f78b203215e55f8bc73253c6e4d5b358b4
  SHA256: 8f22e7633ea461ab02a7f21806264eb2631c9a724c98bb046041086e3a2aee23
  SHA512: 93c0b4c4bb05b753c6b8ba6232ab610f94b6a42630aa5405cba5ffbf5f4ef48829668032198acad5b90cc0c1f4b57e890955cf776afbc695b6d377a73ae30f22
- Filesize: 2.6MB
  MD5: 65ad2d1ed9f2d194bf4c66dfdc9e506e
  SHA1: ad59d82f94320c7526127b15524bc7ccc102f08a
  SHA256: 5f9162c294b6f67cf0d105feb20d1896fa8c91ef4cb70cfd662477d15d648931
  SHA512: 8ecd23393b2e854addbbfb0b1f5ec2767f275cc8fdb6aa94d66afb5e96284768055dc658e43296f56d4fce1490cefb25b84ad8e53b2908b2596fa85eefa9233b
- Filesize: 2.4MB
  MD5: 8a26576ae5daeee1a07616db071c2f36
  SHA1: e8148c3357578e8aab83b9f687662e907144720f
  SHA256: 93ddc25ef10ba85f56ff393035a7cb64187d28460e8d1092829b595aab8c5eb7
  SHA512: 7064b479092be772c961b8a9ebe65172e7ae4cad43a99297818738dbaaf337732bfb30823458ce91b580401dfee2b7bad5c3347f38eb975191fb3e8c80911483
- Filesize: 606KB
  MD5: 585efec1bc1d4d916a4402c9875dff75
  SHA1: d209613666ccac9d0ddab29a3bc59aa00a0968fa
  SHA256: 2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232
  SHA512: b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770