Analysis
  max time kernel:   141s
  max time network:  135s
  platform:          windows10-1703_x64
  resource:          win10-20240404-en
  resource tags:     arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  submitted:         03/09/2024, 16:35
Tasks
  static1      Static task
  behavioral1  Behavioral task   Sample: install.exe   Resource: win10-20240404-en
  behavioral2  Behavioral task   Sample: install.exe   Resource: win7-20240903-en
  behavioral3  Behavioral task   Sample: install.exe   Resource: win10v2004-20240802-en
  behavioral4  Behavioral task   Sample: install.exe   Resource: win11-20240802-en
General
  Target:  install.exe
  Size:    3.4MB
  MD5:     7a2ac5711382c571a1adc3f296cf10dd
  SHA1:    101ea008e9556045ca374e7304680e164bcbeda8
  SHA256:  5ee907cd468e9d572557e7b8326cd1c577edb733117fa47949fde2989d32144f
  SHA512:  7d7a710b66dc015428e230182761094aa16cd5e48f459aa6e1a64bcdefbbcf5a37118a04bd79ba81f97b69ec8d0c75c9ba5cf8ed2cbae7389fdfb02dd28907a6
  SSDEEP:  98304:8heNC4sw6mh6TRKVilQsf4f6IBgCnKQJLCnYPNY:zNCvihGRKVilV4CGnKiOnYO
Malware Config
Signatures
- Detect Socks5Systemz Payload (1 IoC)
    resource:   behavioral1/memory/2344-75-0x0000000000900000-0x00000000009A2000-memory.dmp
    yara_rule:  family_socks5systemz
  Socks5Systemz
  Socks5Systemz is a botnet written in C++.
- Executes dropped EXE (2 IoCs)
    pid   Process
    4996  install.tmp
    2344  ceastream32.exe
- Loads dropped DLL (1 IoC)
    pid   Process
    4996  install.tmp
- Unexpected DNS network traffic destination (1 IoC)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
    description     ioc
    Destination IP  152.89.198.214
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  install.tmp
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ceastream32.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  install.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
    description                          pid   Process      procid_target
    PID 2428 wrote to memory of 4996     2428  install.exe  75
    PID 2428 wrote to memory of 4996     2428  install.exe  75
    PID 2428 wrote to memory of 4996     2428  install.exe  75
    PID 4996 wrote to memory of 2344     4996  install.tmp  76
    PID 4996 wrote to memory of 2344     4996  install.tmp  76
    PID 4996 wrote to memory of 2344     4996  install.tmp  76
Processes
  C:\Users\Admin\AppData\Local\Temp\install.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\install.exe"
    PID: 2428
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\is-H3T7P.tmp\install.tmp
      command line: "C:\Users\Admin\AppData\Local\Temp\is-H3T7P.tmp\install.tmp" /SL5="$501FC,3332875,54272,C:\Users\Admin\AppData\Local\Temp\install.exe"
      PID: 4996
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\CEA Stream\ceastream32.exe
        command line: "C:\Users\Admin\AppData\Local\CEA Stream\ceastream32.exe" -i
        PID: 2344
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
  - Filesize: 2.3MB
    MD5:     c047ad4d8c572b294e72cbf3d227035e
    SHA1:    04bed7e9ab63e29744885ab1f030a49ec6bfd447
    SHA256:  0ff018b80cdb7529e03a73ba9940248728341f81aabd6ca7ca23c0a8f8fe4c43
    SHA512:  34341c93ed698c0e55183a979c772d4aa8fd32fb2671de10d50a7e8855b3a9aa2b953071e16ae05538e13a4f6f268623d02d4e3266152b76a2063b6cac22ae1f
  - Filesize: 680KB
    MD5:     fcb9a039e355dca5927a620396662e9d
    SHA1:    ebd8951e470635332cbf43afaf277e6eeaa1aaaf
    SHA256:  7e94a78d2279d7b9760b5c720c4cab64cfe4384ec6ea6f4e39e1a65609890976
    SHA512:  653b0fe17c4074a3c5e8058873b4a2ce7dcb2738f6f2e28dd00ca089214a8554b3782a1f152288cef96dd4027bf31b1d5672a906ccc21e4ceae14a43fa4d020d
  - Filesize: 2KB
    MD5:     a69559718ab506675e907fe49deb71e9
    SHA1:    bc8f404ffdb1960b50c12ff9413c893b56f2e36f
    SHA256:  2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
    SHA512:  e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63