Analysis
- max time kernel: 294s
- max time network: 298s
- platform: windows10-2004_x64
- resource: win10v2004-20240220-ja
- resource tags: arch:x64, arch:x86, image:win10v2004-20240220-ja, locale:ja-jp, os:windows10-2004-x64, system, windows
- submitted: 21/02/2024, 04:29
Behavioral task: behavioral1
- Sample: batexe.exe
- Resource: win10-20240214-ja
Behavioral task: behavioral2
- Sample: batexe.exe
- Resource: win10v2004-20240220-ja
General
- Target: batexe.exe
- Size: 9.4MB
- MD5: cdc9eacffc6d2bf43153815043064427
- SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
- SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
- SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
- SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1888637039-960448630-940472005-1000\Control Panel\International\Geo\Nation (process: batexe.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-1888637039-960448630-940472005-1000\Control Panel\International\Geo\Nation (process: b2e.exe)
- Executes dropped EXE (2 IoCs)
  pid 1604: b2e.exe
  pid 4932: cpuminer-sse2.exe
- Loads dropped DLL (5 IoCs)
  pid 4932: cpuminer-sse2.exe (5 DLL loads recorded for this process)
- yara_rule upx: resource behavioral2/memory/1000-8-0x0000000000400000-0x000000000393A000-memory.dmp
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1000 (batexe.exe) wrote to memory of 1604, procid_target 86 (3 events)
  PID 1604 (b2e.exe) wrote to memory of 3932, procid_target 88 (3 events)
  PID 3932 (cmd.exe) wrote to memory of 4932, procid_target 90 (2 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\batexe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  PID: 1000
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\6438.tmp\b2e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6438.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6438.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
    PID: 1604
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\66E8.tmp\batchfile.bat" "
      PID: 3932
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
        Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
        PID: 4932
        - Executes dropped EXE
        - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads