Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
299s -
max time network
303s -
platform
windows10-1703_x64 -
resource
win10-20240221-ja -
resource tags
arch:x64arch:x86image:win10-20240221-jalocale:ja-jpos:windows10-1703-x64systemwindows -
submitted
23/02/2024, 13:38 UTC
Behavioral task
behavioral1
Sample
batexe.exe
Resource
win10-20240221-ja
Behavioral task
behavioral2
Sample
batexe.exe
Resource
win10v2004-20240221-ja
General
-
Target
batexe.exe
-
Size
9.4MB
-
MD5
cdc9eacffc6d2bf43153815043064427
-
SHA1
d05101f265f6ea87e18793ab0071f5c99edf363f
-
SHA256
73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
-
SHA512
fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
-
SSDEEP
196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 1256 b2e.exe 3744 cpuminer-sse2.exe -
Loads dropped DLL 5 IoCs
pid Process 3744 cpuminer-sse2.exe 3744 cpuminer-sse2.exe 3744 cpuminer-sse2.exe 3744 cpuminer-sse2.exe 3744 cpuminer-sse2.exe -
resource yara_rule behavioral1/memory/1428-6-0x0000000000400000-0x000000000393A000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1428 wrote to memory of 1256 1428 batexe.exe 73 PID 1428 wrote to memory of 1256 1428 batexe.exe 73 PID 1428 wrote to memory of 1256 1428 batexe.exe 73 PID 1256 wrote to memory of 2784 1256 b2e.exe 74 PID 1256 wrote to memory of 2784 1256 b2e.exe 74 PID 1256 wrote to memory of 2784 1256 b2e.exe 74 PID 2784 wrote to memory of 3744 2784 cmd.exe 77 PID 2784 wrote to memory of 3744 2784 cmd.exe 77
Processes
-
C:\Users\Admin\AppData\Local\Temp\batexe.exe"C:\Users\Admin\AppData\Local\Temp\batexe.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Users\Admin\AppData\Local\Temp\AEDD.tmp\b2e.exe"C:\Users\Admin\AppData\Local\Temp\AEDD.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\AEDD.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2D5.tmp\batchfile.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.execpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 34⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3744
-
-
-
Network
-
Remote address:8.8.8.8:53Requestyespower.sea.mine.zpool.caIN AResponseyespower.sea.mine.zpool.caIN A198.50.168.213
-
Remote address:8.8.8.8:53Requestyespower.sea.mine.zpool.caIN A
-
Remote address:8.8.8.8:53Request213.168.50.198.in-addr.arpaIN PTRResponse213.168.50.198.in-addr.arpaIN PTRminezpoolca
-
Remote address:8.8.8.8:53Request19.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request23.173.189.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request25.140.123.92.in-addr.arpaIN PTRResponse25.140.123.92.in-addr.arpaIN PTRa92-123-140-25deploystaticakamaitechnologiescom
-
6.9kB 9.0kB 73 76
-
-
-
144 B 88 B 2 1
DNS Request
yespower.sea.mine.zpool.ca
DNS Request
yespower.sea.mine.zpool.ca
DNS Response
198.50.168.213
-
73 B 100 B 1 1
DNS Request
213.168.50.198.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
19.229.111.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
23.173.189.20.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
25.140.123.92.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.8MB
MD51cd1f1463362e82070bd38c1ad8de2d3
SHA102b59eedcca64d1bcdbebabb05228cd292c1fdde
SHA25680c54200113264848b0a02dfef414bee7e1000ae8db116136fad1a6474d43e29
SHA512f67290611bf4653411f513f696f93add280763b3da208f3ad6a5c2b171fde413daf0d6e4909a13d93a08eed4946e98332ba40d07e39ba686cf356da9d87c355f
-
Filesize
2.5MB
MD535ffee4e793de9e8635fb4a825da13d7
SHA133e645756e7bd58ca2b085febdd3abbfc9e0627a
SHA25646ff93e4e4951c8f7bcd739c955a7175131da5abb67c7e57cf339265aa6f63ab
SHA512edb5cff501f7558320ba7644d226753cdcee3b2ca390ccd5a218ec3442766aed66d82f12d4d20ce264c89bc1f3f155afc60ee6c2e58f024ff556f65662f3366a
-
Filesize
136B
MD58ea7ac72a10251ecfb42ef4a88bd330a
SHA1c30f6af73a42c0cc89bd20fe95f9159d6f0756c5
SHA25665e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9
SHA512a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0
-
Filesize
128KB
MD587bb74a6790018700645a8310bb9a32a
SHA1b0e3e91efa12e0df5ed4538d3b549ab5d9f6c16b
SHA256ee6a846f1dcf082d5216bf314e65e1428af13ce54dfaaeb371d1c54f330c5298
SHA512702e12a0858a1dd987d6a761f0ddc88fee9bce38be3d71f8c9be3fecc8cc6e88763967140f83caf4f2e10109ab95b811bb70bc70ff0b5cce8f0f32713ad3683b
-
Filesize
1.2MB
MD57cf672bee2afba2dcd0c031ff985958e
SHA16b82a205db080ffdcb4a4470fce85a14413f3217
SHA256c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05
SHA5123e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5
-
Filesize
128KB
MD59746d1ac79c8b499d8b2224394581fa7
SHA136b1985eabfd8131ad9f2b7f69c903a3fce67629
SHA25677941fbe96e0c797e6cf5419ee32bd3fcee69629cba37750146656a660c37182
SHA51261a6174e2aced5b85cd614ad2f9d3da24c6b91e1fc04e10ff818222c4323cd043a59708bd35af0de84b004bf492fbc157d72907cd1e7ddf7082fc2a3563ef183
-
Filesize
836KB
MD5aeab40ed9a8e627ea7cefc1f5cf9bf7a
SHA15e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8
SHA256218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9
SHA512c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8
-
Filesize
64KB
MD57fcedb6e973c5df3b6652a2afafa6a13
SHA1116728803559ab58a8127544df80b75a0dd1c6d2
SHA256fd7191afdecd35b78a0c0ca0457cbbf42ffda1e52263cd785abca5f047b18825
SHA51205c86bf84079a2cc13dc7a1a917a0839ccd2b18e0440c4bd419c99f65c4161ac69a9447f56bdf6051b2fbbc49b7556fc3717432d0e293dfae2921c0701fe64fd
-
Filesize
5.4MB
MD5dbefe05d4f1077997e9b3986d16468cd
SHA16a4539202a5cc50450139045a465ec383ecc784f
SHA256024f4bb4cf5a27bbc9bb527c496a162763eefd0ad511f4344449ec4ad00e367e
SHA512d1a8b9a6b30611501dd0ee95fec23619d214521ba6b24bc887bfaa71d9291f2048ccfcba440aed74a5e8e60e1076f07ae73a17010ee0f4e7a287cdd17fcf7e1a
-
Filesize
5.1MB
MD5a88372048aeb5e969e69f038273687b6
SHA17e836ade8c773d1589ac61962de7befbd2ada0af
SHA256355ef2688cc32d5fc38f7d514c5290b1d5609b64f3e93bf7f1d0dc43987a2bd9
SHA5125d2ba10b4afc505a5e091b468fabdf740d6e171abf688e2e933a2f70ceb6e7261f2cba0580f8f0e76bf4972e001fa90c03f4c3f31363c46e58a1e9ff2af8c9eb
-
Filesize
64KB
MD56cccf65bd7d7ff5b53aeb882e15c462c
SHA1a9822b63ad70c6085ed1deda0fbe4bc5fe555f3d
SHA2561379cd6111c2c37cf16f2dd9b325118513e85c35543ba45e79deb504dd4c01d2
SHA512c174b5f8615131c2b86c57aee166744ee1fe02ff7c916195f2fde06684f467545a3fa4f88083335e2045d12727d774279dc8672ec352de3095b729aa5d1dedcb