Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 19/03/2024, 10:20
Behavioral task behavioral1
- Sample: e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc.exe
- Resource: win10v2004-20240226-en
General
- Target: e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc.exe
- Size: 423KB
- MD5: 83f6b3d285a8310bce78a9840696bd1e
- SHA1: 4dfffd351c342590321e342b226bde9d16ff83b8
- SHA256: e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc
- SHA512: 6cae58765486ee0f7f1c52b4bc3cbb7d146d7ad3d7bee87f06145df615a77f271055e940d8a122e25945c5cf11a6ccd10d0f0977f446f6b075a7b7c9c897c3d1
- SSDEEP: 12288:GnRCG8owe1SRHCxH3VrBLfWHoCveTA745E:GnRCG8owe1SRGH3VrBLfWHoCveTA0S
Malware Config
Signatures
- UPX dump on OEP (original entry point) (4 IoCs)
  resource / yara_rule:
  behavioral1/memory/844-0-0x0000000000400000-0x000000000046C000-memory.dmp / UPX
  behavioral1/files/0x00260000000144b0-12.dat / UPX
  behavioral1/memory/2672-21-0x0000000000400000-0x000000000046C000-memory.dmp / UPX
  behavioral1/memory/844-22-0x0000000000400000-0x000000000046C000-memory.dmp / UPX
- Deletes itself (1 IoC)
  pid / Process: 2672 / Sysceambnrce.exe
- Executes dropped EXE (1 IoC)
  pid / Process: 2672 / Sysceambnrce.exe
- Loads dropped DLL (2 IoCs)
  pid / Process: 844 / e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc.exe
  pid / Process: 844 / e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc.exe
- (yara rule hits, signature name not preserved on the page)
  resource / yara_rule:
  behavioral1/memory/844-0-0x0000000000400000-0x000000000046C000-memory.dmp / upx
  behavioral1/files/0x00260000000144b0-12.dat / upx
  behavioral1/memory/2672-21-0x0000000000400000-0x000000000046C000-memory.dmp / upx
  behavioral1/memory/844-22-0x0000000000400000-0x000000000046C000-memory.dmp / upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 2672 / Sysceambnrce.exe (64 identical entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description / pid / Process / procid_target:
  PID 844 wrote to memory of 2672 / 844 / e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc.exe / 29 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc.exe"
  PID: 844
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Sysceambnrce.exe (child of PID 844)
    command line: "C:\Users\Admin\AppData\Local\Temp\Sysceambnrce.exe"
    PID: 2672
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 102B
  MD5: ae7ec2a239d136e43aa3450a4cb93edf
  SHA1: 94fd98068d074096fb3ce9346c57676c9e8d1b98
  SHA256: 5245bbba76bf9d36ba1a71ae05b89f04a7f8432b0e24104184d0262f7068950d
  SHA512: 229970ac55341a9f6d27b3f0af7c58d79eb5bf6bf1ed3b418f4e7dfd95dac2361ce662c63bfd2058a0453f0c6e413bd371af68e035302708b38dc32986b187d0
- Filesize: 423KB
  MD5: 0fd6f4022e60d5d326eab050a400f127
  SHA1: 102138cd0aa0481f01941ac6f9096f5ad9fbeb23
  SHA256: c05505a22cdbabe526b9576a4da0a09e85c7bd5d8257b2af0d880a240369847c
  SHA512: 94ae16ce37b6992e0456c8f95ce82aa926d5a7e72c2f45791aab465cf7ea793109bdc82706b856429d89366509a029efbf4cb971ba00474bb794f46799152762