47660fce781108e29be4356a7822d0dc20598eecfaee245dc3dbe619672f3112

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 22:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3cc64db026fc758ff91fe4f77b017d6f.exe
Size

528KB
MD5

3cc64db026fc758ff91fe4f77b017d6f
SHA1

cb9c9f224e6f2603442e8b0a9c4ad90ae998950f
SHA256

47660fce781108e29be4356a7822d0dc20598eecfaee245dc3dbe619672f3112
SHA512

923a65edcd840af4a78d13e43c57f27d7419a1ee51822d38ce3d39eed01da8990a18251f10f5b77c1dece0f04fd63efa0a549455f6ff882b4cbd13b2a36289d7
SSDEEP

12288:hmLoLgmqLjKDzsMLYvNMy2RFQny1nve0mi:hmLoLgJLjKDzs9NMy2RFQny1nve0/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	3cc64db026fc758ff91fe4f77b017d6f.exe

Deletes itself 1 IoCs

pid	Process
2524	Sysceamosaip.exe

Executes dropped EXE 1 IoCs

pid	Process
2524	Sysceamosaip.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	3cc64db026fc758ff91fe4f77b017d6f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe
2524	Sysceamosaip.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 2524	3364	3cc64db026fc758ff91fe4f77b017d6f.exe	84
PID 3364 wrote to memory of 2524	3364	3cc64db026fc758ff91fe4f77b017d6f.exe	84
PID 3364 wrote to memory of 2524	3364	3cc64db026fc758ff91fe4f77b017d6f.exe	84

C:\Users\Admin\AppData\Local\Temp\3cc64db026fc758ff91fe4f77b017d6f.exe
"C:\Users\Admin\AppData\Local\Temp\3cc64db026fc758ff91fe4f77b017d6f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Users\Admin\AppData\Local\Temp\Sysceamosaip.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamosaip.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sysceamosaip.exe

Filesize
528KB

MD5
219e5ba3c2623ed42d737d4da2c39445

SHA1
95def7572c8d004fcf86c79e892fd1f901e520c0

SHA256
a08babb48ebb842d9a9001562df56a043c60a0e773d851755ecc7fcdb1df1951

SHA512
d8db58fa5eec37a613f019bd86acfbdd519aae163476e6f057100651e21cf82f3bb9189bd8f4d536156d273ac5c98901a474b4367e5628e9141bbabe05d785a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
70B

MD5
bd94f77be20a3300b02c3a04e3da6025

SHA1
6764e81e2dc65cd8280ab280b71017ad19a0341e

SHA256
2436c4f51ce7d9855615b8fde67901f6b2e634b612a914b8968509c1cb241ac3

SHA512
fa5eb90f5100db5ca579cae944e1757c3fc4286e3d2a791f03120ca9fe4ed931d9a065870b25b701916ae20c955cd9d065333d59c9f00ddf44417dedda5912c5

Download Submit