Analysis
- max time kernel: 299s
- max time network: 298s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-ja
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-ja, locale:ja-jp, os:windows10-2004-x64, system:windows
- submitted: 22/02/2024, 15:15
Behavioral task: behavioral1
- Sample: batexe.exe
- Resource: win10-20240221-ja
Behavioral task: behavioral2
- Sample: batexe.exe
- Resource: win10v2004-20240221-ja
General
- Target: batexe.exe
- Size: 9.4MB
- MD5: cdc9eacffc6d2bf43153815043064427
- SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
- SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
- SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
- SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                 | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation | batexe.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation | b2e.exe
- Executes dropped EXE (2 IoCs)
  pid  | Process
  5372 | b2e.exe
  404  | cpuminer-sse2.exe
- Loads dropped DLL (5 IoCs)
  pid  | Process
  404  | cpuminer-sse2.exe
  404  | cpuminer-sse2.exe
  404  | cpuminer-sse2.exe
  404  | cpuminer-sse2.exe
  404  | cpuminer-sse2.exe
- YARA rule match
  resource                                                                   | yara_rule
  behavioral2/memory/4216-8-0x0000000000400000-0x000000000393A000-memory.dmp | upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                      | pid  | Process    | procid_target
  PID 4216 wrote to memory of 5372 | 4216 | batexe.exe | 88
  PID 4216 wrote to memory of 5372 | 4216 | batexe.exe | 88
  PID 4216 wrote to memory of 5372 | 4216 | batexe.exe | 88
  PID 5372 wrote to memory of 5564 | 5372 | b2e.exe    | 89
  PID 5372 wrote to memory of 5564 | 5372 | b2e.exe    | 89
  PID 5372 wrote to memory of 5564 | 5372 | b2e.exe    | 89
  PID 5564 wrote to memory of 404  | 5564 | cmd.exe    | 92
  PID 5564 wrote to memory of 404  | 5564 | cmd.exe    | 92
Processes
1. C:\Users\Admin\AppData\Local\Temp\batexe.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
   PID: 4216
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\5227.tmp\b2e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\5227.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5227.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
      PID: 5372
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\54B7.tmp\batchfile.bat" "
         PID: 5564
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
            Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
            PID: 404
            - Executes dropped EXE
            - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads