Analysis
- max time kernel: 293s
- max time network: 290s
- platform: windows10-2004_x64
- resource: win10v2004-20240220-ja
- resource tags: arch:x64, arch:x86, image:win10v2004-20240220-ja, locale:ja-jp, os:windows10-2004-x64, system:windows
- submitted: 20/02/2024, 19:50
Behavioral task behavioral1
- Sample: batexe.exe
- Resource: win10-20240214-ja

Behavioral task behavioral2
- Sample: batexe.exe
- Resource: win10v2004-20240220-ja
General
- Target: batexe.exe
- Size: 9.4MB
- MD5: cdc9eacffc6d2bf43153815043064427
- SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
- SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
- SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
- SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1888637039-960448630-940472005-1000\Control Panel\International\Geo\Nation (process: b2e.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1888637039-960448630-940472005-1000\Control Panel\International\Geo\Nation (process: batexe.exe)

Executes dropped EXE (2 IoCs)
- PID 2872: b2e.exe
- PID 4708: cpuminer-sse2.exe

Loads dropped DLL (5 IoCs)
- PID 4708: cpuminer-sse2.exe (all 5 IoCs are attributed to this process)

YARA rule match
- resource behavioral2/memory/4568-8-0x0000000000400000-0x000000000393A000-memory.dmp, rule: upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 4568 (batexe.exe) wrote to memory of 2872, procid_target 86 (3 IoCs)
- PID 2872 (b2e.exe) wrote to memory of 1452, procid_target 87 (3 IoCs)
- PID 1452 (cmd.exe) wrote to memory of 4708, procid_target 90 (2 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\batexe.exe (PID 4568, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\4D64.tmp\b2e.exe (PID 2872, depth 2, child of PID 4568)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4D64.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4D64.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 1452, depth 3, child of PID 2872)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4FF5.tmp\batchfile.bat" "
        - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe (PID 4708, depth 4, child of PID 1452)
            Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
            - Executes dropped EXE
            - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads