Analysis
  max time kernel:  150s
  max time network: 152s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240226-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        19/03/2024, 10:20
Behavioral task behavioral1
  Sample:   e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc.exe
  Resource: win7-20240221-en

Behavioral task behavioral2
  Sample:   e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc.exe
  Resource: win10v2004-20240226-en
General
  Target: e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc.exe
  Size:   423KB
  MD5:    83f6b3d285a8310bce78a9840696bd1e
  SHA1:   4dfffd351c342590321e342b226bde9d16ff83b8
  SHA256: e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc
  SHA512: 6cae58765486ee0f7f1c52b4bc3cbb7d146d7ad3d7bee87f06145df615a77f271055e940d8a122e25945c5cf11a6ccd10d0f0977f446f6b075a7b7c9c897c3d1
  SSDEEP: 12288:GnRCG8owe1SRHCxH3VrBLfWHoCveTA745E:GnRCG8owe1SRGH3VrBLfWHoCveTA0S
Malware Config
Signatures

UPX dump on OEP (original entry point) - 4 IoCs
  resource                                                                      yara_rule
  behavioral2/memory/3340-0-0x0000000000400000-0x000000000046C000-memory.dmp    UPX
  behavioral2/files/0x000300000002276e-10.dat                                   UPX
  behavioral2/memory/3340-41-0x0000000000400000-0x000000000046C000-memory.dmp   UPX
  behavioral2/memory/776-42-0x0000000000400000-0x000000000046C000-memory.dmp    UPX

Checks computer location settings - 2 TTPs, 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc:         \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation
  Process:     e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc.exe

Deletes itself - 1 IoCs
  pid 776   Sysceamtsiyf.exe

Executes dropped EXE - 1 IoCs
  pid 776   Sysceamtsiyf.exe

  resource                                                                      yara_rule
  behavioral2/memory/3340-0-0x0000000000400000-0x000000000046C000-memory.dmp    upx
  behavioral2/files/0x000300000002276e-10.dat                                   upx
  behavioral2/memory/3340-41-0x0000000000400000-0x000000000046C000-memory.dmp   upx
  behavioral2/memory/776-42-0x0000000000400000-0x000000000046C000-memory.dmp    upx

Enumerates physical storage devices - 1 TTPs
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class - 1 IoCs
  description: Key created
  ioc:         \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  Process:     e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc.exe

Suspicious behavior: EnumeratesProcesses - 64 IoCs
  pid 776   Sysceamtsiyf.exe   (this same pid/process pair is reported 64 times)

Suspicious use of WriteProcessMemory - 3 IoCs
  description                         pid    Process                                                                   procid_target
  PID 3340 wrote to memory of 776     3340   e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc.exe     97
  PID 3340 wrote to memory of 776     3340   e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc.exe     97
  PID 3340 wrote to memory of 776     3340   e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc.exe     97
Processes
  C:\Users\Admin\AppData\Local\Temp\e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\e1e3a54eecac08c64bc8a7a38ab5e69135eb91407e49c5b25464e7f65c45d4cc.exe"
    PID: 3340
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Sysceamtsiyf.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Sysceamtsiyf.exe"
      PID: 776
      - Deletes itself
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 423KB
  MD5:      2bf0af537ab989aeae1cbae5363d50b6
  SHA1:     498e2a1795d8364d23032f5b45745a607fcd08fd
  SHA256:   d2ccbcc39c2898b514873f17a4067f24de9a61092809690b16fe7f202651e1d1
  SHA512:   538d74421c168c98bb2dd44fa2f055f6a4b8b969f0c068a8c03ab15c9880bead4e21f68560f0539d2ec0e51acb45aefe20768522186e4b18b3436feb3778728a

  Filesize: 102B
  MD5:      ae7ec2a239d136e43aa3450a4cb93edf
  SHA1:     94fd98068d074096fb3ce9346c57676c9e8d1b98
  SHA256:   5245bbba76bf9d36ba1a71ae05b89f04a7f8432b0e24104184d0262f7068950d
  SHA512:   229970ac55341a9f6d27b3f0af7c58d79eb5bf6bf1ed3b418f4e7dfd95dac2361ce662c63bfd2058a0453f0c6e413bd371af68e035302708b38dc32986b187d0