Analysis
- max time kernel: 293s
- max time network: 299s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-ja
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-ja, locale:ja-jp, os:windows10-2004-x64, system:windows
- submitted: 17/02/2024, 14:53
Behavioral task: behavioral1
- Sample: batexe.exe
- Resource: win10-20240214-ja
Behavioral task: behavioral2
- Sample: batexe.exe
- Resource: win10v2004-20231215-ja
General
- Target: batexe.exe
- Size: 9.4MB
- MD5: cdc9eacffc6d2bf43153815043064427
- SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
- SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
- SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
- SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        | ioc                                                                                                    | Process
  Key value queried  | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation  | b2e.exe
  Key value queried  | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation  | batexe.exe
- Executes dropped EXE (2 IoCs)
  pid   | Process
  1124  | b2e.exe
  32    | cpuminer-sse2.exe
- Loads dropped DLL (5 IoCs)
  pid  | Process
  32   | cpuminer-sse2.exe
  32   | cpuminer-sse2.exe
  32   | cpuminer-sse2.exe
  32   | cpuminer-sse2.exe
  32   | cpuminer-sse2.exe
- YARA rule match
  resource                                                                    | yara_rule
  behavioral2/memory/2008-9-0x0000000000400000-0x000000000393A000-memory.dmp  | upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       | pid   | Process     | procid_target
  PID 2008 wrote to memory of 1124  | 2008  | batexe.exe  | 85
  PID 2008 wrote to memory of 1124  | 2008  | batexe.exe  | 85
  PID 2008 wrote to memory of 1124  | 2008  | batexe.exe  | 85
  PID 1124 wrote to memory of 2316  | 1124  | b2e.exe     | 86
  PID 1124 wrote to memory of 2316  | 1124  | b2e.exe     | 86
  PID 1124 wrote to memory of 2316  | 1124  | b2e.exe     | 86
  PID 2316 wrote to memory of 32    | 2316  | cmd.exe     | 89
  PID 2316 wrote to memory of 32    | 2316  | cmd.exe     | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\batexe.exe (PID:2008)
  Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7426.tmp\b2e.exe (PID:1124)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7426.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7426.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID:2316)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7733.tmp\batchfile.bat" "
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe (PID:32)
        Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
        - Executes dropped EXE
        - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 10.9MB
  MD5: 7f370332a942cd7ec16eed23774b4386
  SHA1: 2beb6ae86fd0c4ca385ae331f9f74106ba09ff64
  SHA256: 36e0c03edd4ef7fcc8958892b20d738b372cb58e7257e6972e4bdcdefddcb070
  SHA512: bee23010ac9fc8d0a3b479d799da532b00c3e15e244642dbec7b8432ece5b1fadd590349c0e48130f0c896b25aa56564b921748046e6aeda7e6290fd6a82fc9f
- Filesize: 6.4MB
  MD5: ebd57a76663c517ddb25dffe36d5d069
  SHA1: 8e73b80556b9f6da3c9235aed59f57745e994631
  SHA256: 88689f769b034126a6b078c4027da34443efe93b1bc9e4d4fbb4d9c6f5895876
  SHA512: d4f141abdf28192686ef9205e87bb54294c78186b1a1205aea0c327fe3e8ce8a024fdefc4ff5130ed4eab005f678ba62656461e061edc98986fb8c31d2a4ebf8
- Filesize: 5.1MB
  MD5: 2a717cabcbb60f293002bf30828d27b9
  SHA1: 3329f5a03f6a6b9185a20e6e48f6d0304518c2be
  SHA256: 0b64f36a955a38b1a256094758035c21cccbe3de50f05ceb1efb767bca5f7b56
  SHA512: 63163026e7f7c60578710ea56fb4ed1f23f231ea15654eb7ac6b094bc3f8e7fc99eec41c636e2137603ca651abea6b08b3fc6dfef30aceaca5151d866899b06c
- Filesize: 136B
  MD5: 8ea7ac72a10251ecfb42ef4a88bd330a
  SHA1: c30f6af73a42c0cc89bd20fe95f9159d6f0756c5
  SHA256: 65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9
  SHA512: a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0
- Filesize: 2.2MB
  MD5: 4e832967f75db4aea8231eeae5314f8d
  SHA1: 596f1567b1fdd91e8379eb23ff0590d6f2a7dee4
  SHA256: 6b3c9282f78affe75375958981c87d014e5ee155e1a3ee72822879b63e80d90d
  SHA512: 1b9e21ee7fcc087cb243dd26cc587418bf4f01914fda2148b8fde92f1c27aae579f11fd3903494b2533a7f8a97201a7b94016af30d15b1809c8efbe584d3c01d
- Filesize: 2.3MB
  MD5: 745251de2f7b279e22d969b8e0614e66
  SHA1: 76530ace0e939a169441cea0ea12c64f2546328d
  SHA256: 36fd3cef1b2e70db7072eaa4e35912560a37cf3c1588e3c766a87f729ced169e
  SHA512: 4e484aecae1036e332983d21d174ac772022e351f808ed83bde1fb8361eb1a61c57b3d678343873c62675a75cd52285312a0d969499a290f5b5b0255abd3d64d
- Filesize: 836KB
  MD5: aeab40ed9a8e627ea7cefc1f5cf9bf7a
  SHA1: 5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8
  SHA256: 218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9
  SHA512: c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8
- Filesize: 1.2MB
  MD5: 7cf672bee2afba2dcd0c031ff985958e
  SHA1: 6b82a205db080ffdcb4a4470fce85a14413f3217
  SHA256: c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05
  SHA512: 3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5
- Filesize: 2.2MB
  MD5: d85d58e3abed5ea0f426b287115490fa
  SHA1: c4849f291203d51b901e3ed67463550a1d9e96b8
  SHA256: b8ef9cf2690d1a65dfc25feb93e9db1d447d47cad654a41aa2d0be6e546e951b
  SHA512: f6eaf2d17a0404a27e90dff3d0cb38ef3db0ed0d71a3ccb01c2b8e00a198f2d25bf5073083f8e99ee6e32f41ba1158f2e11088dc23d4c224fcde75ffe3fc1cce
- Filesize: 2.8MB
  MD5: 82fbe16434269b22b1193d56d87f7647
  SHA1: 241428fbd5189662b33039526cd44e55357bb5f8
  SHA256: dc299c38cb79d541f0b3fa3e65d94e9595aa88d6a0edfb4d8379c7c44443bb14
  SHA512: 8ad61c3d1e77d583bd154d501b2f8cd8c1539016bf0b0fcc744eb5ac64a504716d545b88b4b843532eb5d9964852b2b167b2458e2f23797088ecc175dd3ca0d4
- Filesize: 2.5MB
  MD5: 7bfb5301f12c5dd4de25ea3d9068c3fb
  SHA1: 422e9bc3a09a476aba273b6509cd07e60f41b8f2
  SHA256: a1cbc95081e71767bcbffa25c59744db3f818150d383d73aa8e49cfd27279376
  SHA512: 559bb613ec219379071aade3ed039ce8ae05f525ca3dae0a31ea47af6e164c33fb4afcaabba4ab1ad7fdcc52096c38e9738c45ad64e599b8b48b289eaa328a52
- Filesize: 606KB
  MD5: 585efec1bc1d4d916a4402c9875dff75
  SHA1: d209613666ccac9d0ddab29a3bc59aa00a0968fa
  SHA256: 2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232
  SHA512: b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770