Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
39s -
max time network
42s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 18:23
Static task
static1
Behavioral task
behavioral1
Sample
ectasy.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ectasy.exe
Resource
win10v2004-20240508-en
General
-
Target
ectasy.exe
-
Size
66KB
-
MD5
de3594a88b85041ec31efcf0735b1906
-
SHA1
a8751a4a7fdf31dc82162a35e906644652d37c4a
-
SHA256
7bef6dcd145cb672fded1ae019319cc13441552de9d48e35975d771bbd531124
-
SHA512
1b41d72aa942aa607ec04eca67f56f76f9a65407c258f66d2dd4fb812bc5d1211c5578c251360088a266ff4b62aa7aae3c394d48fd60a5e57f795e6913ec292b
-
SSDEEP
1536:SQjspDSF7IyR5ukwL3qJgkkkSkkkkkkekNkkkkkkkkkLc/cicWbjS1jDEOKcl:jjMS/5G+gkkkSkkkkkkekNkkkkkkkkk3
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 1 pastebin.com 2 pastebin.com -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 4900 ectasy.exe 4900 ectasy.exe 4900 ectasy.exe 4900 ectasy.exe 4900 ectasy.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 4900 ectasy.exe Token: SeDebugPrivilege 2724 taskmgr.exe Token: SeSystemProfilePrivilege 2724 taskmgr.exe Token: SeCreateGlobalPrivilege 2724 taskmgr.exe Token: 33 2724 taskmgr.exe Token: SeIncBasePriorityPrivilege 2724 taskmgr.exe -
Suspicious use of FindShellTrayWindow 37 IoCs
pid Process 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe -
Suspicious use of SendNotifyMessage 37 IoCs
pid Process 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe 2724 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4900 ectasy.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ectasy.exe"C:\Users\Admin\AppData\Local\Temp\ectasy.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4900
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2724