Analysis
max time kernel: 293s
max time network: 300s
platform: windows10-2004_x64
resource: win10v2004-20231222-ja
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-ja, locale:ja-jp, os:windows10-2004-x64, system, windows
submitted: 17/02/2024, 13:46
Behavioral task: behavioral1
Sample: batexe.exe
Resource: win10-20240214-ja

Behavioral task: behavioral2
Sample: batexe.exe
Resource: win10v2004-20231222-ja
General
Target: batexe.exe
Size: 9.4MB
MD5: cdc9eacffc6d2bf43153815043064427
SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | Process: batexe.exe
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | Process: b2e.exe

Executes dropped EXE (2 IoCs)
  pid: 3424 | Process: b2e.exe
  pid: 4412 | Process: cpuminer-sse2.exe

Loads dropped DLL (5 IoCs)
  pid: 4412 | Process: cpuminer-sse2.exe (5 entries)

  resource: behavioral2/memory/4912-9-0x0000000000400000-0x000000000393A000-memory.dmp | yara_rule: upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 4912 wrote to memory of 3424 | pid: 4912 | Process: batexe.exe | procid_target: 84
  description: PID 4912 wrote to memory of 3424 | pid: 4912 | Process: batexe.exe | procid_target: 84
  description: PID 4912 wrote to memory of 3424 | pid: 4912 | Process: batexe.exe | procid_target: 84
  description: PID 3424 wrote to memory of 4224 | pid: 3424 | Process: b2e.exe | procid_target: 85
  description: PID 3424 wrote to memory of 4224 | pid: 3424 | Process: b2e.exe | procid_target: 85
  description: PID 3424 wrote to memory of 4224 | pid: 3424 | Process: b2e.exe | procid_target: 85
  description: PID 4224 wrote to memory of 4412 | pid: 4224 | Process: cmd.exe | procid_target: 88
  description: PID 4224 wrote to memory of 4412 | pid: 4224 | Process: cmd.exe | procid_target: 88
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\batexe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4912

  (depth 2) C:\Users\Admin\AppData\Local\Temp\5EE9.tmp\b2e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5EE9.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5EE9.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3424

    (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\61C7.tmp\batchfile.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 4224

      (depth 4) C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
        Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
        - Executes dropped EXE
        - Loads dropped DLL
        PID: 4412
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4.9MB
MD5: d37cdb775587bf3e660c34c3294e4373
SHA1: 66a9066df4bf469c298426e5c512ef0dc4f6d362
SHA256: 45a5e3c0238df709f010898459e5a84369a5528b2611f6ead4271efa3754ffdd
SHA512: b0d7be6f1113a88535789e85ebdc27ec7aae23f87390e257fefd4cfcdee57fe8044a2913c9f0822a497b0c3b24301bb59bdcabadc8ca3e3c5decefae9281f8d6

Filesize: 2.2MB
MD5: 998e9301dce0fbf032fca9df021fc4ae
SHA1: f503ee26148291430af85f8446e0f57be9aaffe4
SHA256: b369c8213fb912e0b3897919430a7d1d5df34cc0fec88831ed704eaa103a6c69
SHA512: 6c8e0ae1c074762bd85e7d6882b2e1925def81670ada77624c5f8a63b4cb1e48ddc62f67b9c933a31b0a3ba0be87fae07229c92ca1a1b34bd7910e246ea4a0e6

Filesize: 2.1MB
MD5: 7c9498b2e29f15c814d3b099c28a481c
SHA1: 5bcb81dbc42114a2d91315b4fa756d0c87bf80f4
SHA256: 4f51ba35dd666796eac0165d75a2064e0719702b20b279ed0a717659bbd37fea
SHA512: 42513ffeda4ca8a477a0dd2a3339e386c7e1b763c75a168221e63899be2d2f0dea1dd7b27d5c72695bcaaf3d91ef99d4bcd925d105aa3912c4ce30aff3f2b896

Filesize: 136B
MD5: 8ea7ac72a10251ecfb42ef4a88bd330a
SHA1: c30f6af73a42c0cc89bd20fe95f9159d6f0756c5
SHA256: 65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9
SHA512: a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Filesize: 570KB
MD5: 2fe65dbfa1d8654c7c614ee8abdf9533
SHA1: 4a4d5f824e91dec07aac551112468cb6a1d55565
SHA256: cb38b4238ef0bbf3d8114ec177d860d2342ef4e5b00cd9a9d241a457b6705925
SHA512: d35e503da301264bf89e5ff05d4ab2d07a80fac37cad5381471bed9f46d597a209d7f1219446901a60f5056783f3d936f6ee21037ee1d245bc33d1b467501111

Filesize: 738KB
MD5: b8ae83ce4e9208e3971932200d7bd83b
SHA1: fc8a05e069b1c6f18ac3c000b7d937c33c148ab5
SHA256: bb6c640b42c31486e54ec495b58c23425f1f001f3b0d3b27af679d214e17082e
SHA512: 1a2688cd83614bf95b51ac9947669575c1bfda35e0f32dbf01499aa24e90f56756688e049b49889a9d747feca4fd788b69ec7ddf87f7583f84ddf9d251bd6c59

Filesize: 591KB
MD5: bbd264cd6fa2c018c8f5187750c48a59
SHA1: 886e7e5ee404038d132dd56db86d35a69959b2b8
SHA256: 1ab9a1ac0a01cec1c163e6900c18d1c9a739662c865849c036eea30c5822c8fd
SHA512: b4f4189860e2e5f46d46845b52d642c7d27301637c79328cb4c643d7b67e68d84429ecd14ccc3183e362ed696ae56d88494009b67826b18f88c08f0a78eabf5f

Filesize: 726KB
MD5: 460cd5c103381903a4c7d1fc5682e720
SHA1: f921c59bf292d34339f0be06c4f75c25b4f40f73
SHA256: b2067c70d9e483cc9b0def17585b58379f902250481997466e05b4fdb8b3c797
SHA512: 5ca957100c8df58444bf7437c6a6632e4bebf02d431d391f74c24f7315dfaac3826b59f18fbba8a9a15624ee8f92eaf532c629624032b9a3f5a5e5117df5f9ff

Filesize: 705KB
MD5: 7c420c7458be6518ac95d8ee4e7639e5
SHA1: 5f4bf77199cd3b85bed2b9204280498fdc459fe7
SHA256: 802a256bd20c3b151281d3e0e3ccfc12fc69c709b8928ea23834e9e167a1a2e0
SHA512: e0a72678aa49e9d470c9bb1dcdd9b667595523c7d3c662e0947ca948ad4727957440f2933646f671d7d3059dd8aaae1ee19060d8221d85b6912101cd26ee9db1

Filesize: 572KB
MD5: 517af97f1ccd3b2a8694f55f952d6667
SHA1: 1691e220fc1040d4149691f5c24b796e3dabef29
SHA256: 76578ef376a8595b392a6da8dd3af034ee7b5a583012bad43d8b01df01f65561
SHA512: 05ddb820ae6894e07191e83a6e4eed33eab7b75a6986679d7c528fa9820e0337457554a205efc603f2f32ca6d5f037d22cab9891cc2d491449774ca5131e81cb

Filesize: 768KB
MD5: 613807ad6d525aded318b643c33bc17e
SHA1: 2c9a4180140838c69c20bc4047c3d2d777d3bee4
SHA256: 896775bd33edafb0d219d1ae3e973e71aa29a4937d0252bd3a4cad074c004971
SHA512: d688b0f2570944898097dcc6acb56b3a4c901073f0ce22b5ea260b05a37fe2840d84b44e7aa74c7d73078b0e5a45c24994852f5c03f049982b6ddca6ead89539

Filesize: 107KB
MD5: 2c98cbb7d5471c2b848c754f4c0e59fb
SHA1: da5ecc13b2b5fc99a75633389d2d92a28efd2d75
SHA256: d5f2daae02565e1506376c894cccf19e91491605d1789b9b5d412090c32fa750
SHA512: cba0d16940533f913c7ff411629ebfa6a7dd7c44bf3d64a7a3c28825a15acf0e9d2a7d380a64399341a7c15e7917d143618ed36e1b3d3dbd4e77614fe85ffce8

Filesize: 57KB
MD5: 4a91d8f522a86a4a67e44a7667410a6f
SHA1: 7ecf2598d4da2b1b105991b2f5a49c8e14e648a4
SHA256: 4ecdc95a5d1aac157a46642018b8ed1f005ee2ab6e9ab2bf8f38e961dc37ea4c
SHA512: aa5a94d3acb4c310f0b24d132556ff07ec17bc152e4575c7e3e3d89babc9768ac0be323f3ed89c796d145b28f19a7d8d880721077b4e503a2aa3b8990032f9e3

Filesize: 482KB
MD5: 06984433e230afb70d3efb82084effe2
SHA1: 834ccf21246774f8f8e461671d817c4d1078a28e
SHA256: 94a4f6d1908548d29a75bda74380b950b124ba603166879ad2848ce856887ae9
SHA512: f06801bca657e65f5659d1f18ddca5e1d6cc8277a3219ba0dd1179a884acb4f258456c524020f60c73a696c13efd135c415509a987e86669494a3de04f48ad10

Filesize: 570KB
MD5: fa6d0b9ab18a931a7d746b2d5dfd00a8
SHA1: 32fd16c43a615f3c7c2f9c2ec772907e04f640ed
SHA256: 4bc62a30d1a83c42a17e0648f1a535539835a370c19463552c12feb79ba5888c
SHA512: 328a0afe2cebf57d2d812c3361a8caf4d2a05180dcfef7110cae197b9893c578ebb06a1530fbaf9e776b0806ec5d41a3f77ecc156fe882393fc3605d7a2cb35c