Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/03/2024, 10:20

General

  • Target

    e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc.exe

  • Size

    423KB

  • MD5

    83f6b3d285a8310bce78a9840696bd1e

  • SHA1

    4dfffd351c342590321e342b226bde9d16ff83b8

  • SHA256

    e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc

  • SHA512

    6cae58765486ee0f7f1c52b4bc3cbb7d146d7ad3d7bee87f06145df615a77f271055e940d8a122e25945c5cf11a6ccd10d0f0977f446f6b075a7b7c9c897c3d1

  • SSDEEP

    12288:GnRCG8owe1SRHCxH3VrBLfWHoCveTA745E:GnRCG8owe1SRGH3VrBLfWHoCveTA0S

Score
9/10
upx

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc.exe
    "C:\Users\Admin\AppData\Local\Temp\e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3340
    • C:\Users\Admin\AppData\Local\Temp\Sysceamtsiyf.exe
      "C:\Users\Admin\AppData\Local\Temp\Sysceamtsiyf.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:776

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Sysceamtsiyf.exe

    Filesize

    423KB

    MD5

    2bf0af537ab989aeae1cbae5363d50b6

    SHA1

    498e2a1795d8364d23032f5b45745a607fcd08fd

    SHA256

    d2ccbcc39c2898b514873f17a4067f24de9a61092809690b16fe7f202651e1d1

    SHA512

    538d74421c168c98bb2dd44fa2f055f6a4b8b969f0c068a8c03ab15c9880bead4e21f68560f0539d2ec0e51acb45aefe20768522186e4b18b3436feb3778728a

  • C:\Users\Admin\AppData\Local\Temp\cpath.ini

    Filesize

    102B

    MD5

    ae7ec2a239d136e43aa3450a4cb93edf

    SHA1

    94fd98068d074096fb3ce9346c57676c9e8d1b98

    SHA256

    5245bbba76bf9d36ba1a71ae05b89f04a7f8432b0e24104184d0262f7068950d

    SHA512

    229970ac55341a9f6d27b3f0af7c58d79eb5bf6bf1ed3b418f4e7dfd95dac2361ce662c63bfd2058a0453f0c6e413bd371af68e035302708b38dc32986b187d0

  • memory/776-42-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/3340-0-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/3340-41-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB