Analysis
max time kernel: 300s
max time network: 306s
platform: windows10-2004_x64
resource: win10v2004-20231215-ja
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-ja, locale:ja-jp, os:windows10-2004-x64, system, windows
submitted: 18/02/2024, 14:08
Behavioral task behavioral1
Sample: batexe.exe
Resource: win10-20240214-ja
Behavioral task behavioral2
Sample: batexe.exe
Resource: win10v2004-20231215-ja
General
Target: batexe.exe
Size: 9.4MB
MD5: cdc9eacffc6d2bf43153815043064427
SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | batexe.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | b2e.exe

Executes dropped EXE (2 IoCs)
pid | Process
- 3060 | b2e.exe
- 2916 | cpuminer-sse2.exe

Loads dropped DLL (6 IoCs)
pid | Process
- 2916 | cpuminer-sse2.exe (6 loads)

resource | yara_rule
- behavioral2/memory/1988-9-0x0000000000400000-0x000000000393A000-memory.dmp | upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
- PID 1988 wrote to memory of 3060 | 1988 | batexe.exe | 84
- PID 1988 wrote to memory of 3060 | 1988 | batexe.exe | 84
- PID 1988 wrote to memory of 3060 | 1988 | batexe.exe | 84
- PID 3060 wrote to memory of 2904 | 3060 | b2e.exe | 85
- PID 3060 wrote to memory of 2904 | 3060 | b2e.exe | 85
- PID 3060 wrote to memory of 2904 | 3060 | b2e.exe | 85
- PID 2904 wrote to memory of 2916 | 2904 | cmd.exe | 88
- PID 2904 wrote to memory of 2916 | 2904 | cmd.exe | 88
Processes
1. C:\Users\Admin\AppData\Local\Temp\batexe.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
   PID: 1988
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\83B2.tmp\b2e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\83B2.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\83B2.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
      PID: 3060
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8F6A.tmp\batchfile.bat" "
         PID: 2904
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
            Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
            PID: 2916
            - Executes dropped EXE
            - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads