Analysis
- max time kernel: 117s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 18/09/2023, 18:49
Behavioral task: behavioral1
- Sample: d7418f626c566ce7713564ebdf968300_JC.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: d7418f626c566ce7713564ebdf968300_JC.exe
- Resource: win10v2004-20230915-en
General
- Target: d7418f626c566ce7713564ebdf968300_JC.exe
- Size: 225KB
- MD5: d7418f626c566ce7713564ebdf968300
- SHA1: 3878406fe886cbc5e4c426017c1f3d79c1a0a737
- SHA256: d41daac02ffcc698e4ec8f46df9134532efd837ca02a6fed127e3c0fca2696c2
- SHA512: 7b6d43be3fa70d4e072d5946c786b8b8961eb59387f3d9e02717ff250b776b7bb8dd6c0796f451cfe9178132f8b5e77df207ff2580b31655e67353beac7e9fd6
- SSDEEP: 6144:9Zl2zI79jfoaIPXmjbeqsoxk9cGxu5jLi:9mcGfPwbeqor7
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid  | Process
  1548 | OmG9Ew14jnS6nTm.exe
  2252 | CTS.exe
- Loads dropped DLL (1 IoC)
  pid  | Process
  1496 | d7418f626c566ce7713564ebdf968300_JC.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA rule matches (6 IoCs)
  resource | yara_rule
  behavioral1/memory/1496-0-0x0000000000FF0000-0x0000000001009000-memory.dmp | upx
  behavioral1/memory/2252-13-0x0000000000060000-0x0000000000079000-memory.dmp | upx
  behavioral1/files/0x000e0000000122e4-12.dat | upx
  behavioral1/files/0x000e0000000122e4-11.dat | upx
  behavioral1/memory/1496-10-0x0000000000FF0000-0x0000000001009000-memory.dmp | upx
  behavioral1/files/0x000e0000000122e4-9.dat | upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | d7418f626c566ce7713564ebdf968300_JC.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | CTS.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\CTS.exe | d7418f626c566ce7713564ebdf968300_JC.exe
  File created | C:\Windows\CTS.exe | CTS.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1496 | d7418f626c566ce7713564ebdf968300_JC.exe
  Token: SeDebugPrivilege | 2252 | CTS.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1496 wrote to memory of 1548 | 1496 | d7418f626c566ce7713564ebdf968300_JC.exe | 28
  PID 1496 wrote to memory of 1548 | 1496 | d7418f626c566ce7713564ebdf968300_JC.exe | 28
  PID 1496 wrote to memory of 1548 | 1496 | d7418f626c566ce7713564ebdf968300_JC.exe | 28
  PID 1496 wrote to memory of 1548 | 1496 | d7418f626c566ce7713564ebdf968300_JC.exe | 28
  PID 1496 wrote to memory of 2252 | 1496 | d7418f626c566ce7713564ebdf968300_JC.exe | 30
  PID 1496 wrote to memory of 2252 | 1496 | d7418f626c566ce7713564ebdf968300_JC.exe | 30
  PID 1496 wrote to memory of 2252 | 1496 | d7418f626c566ce7713564ebdf968300_JC.exe | 30
  PID 1496 wrote to memory of 2252 | 1496 | d7418f626c566ce7713564ebdf968300_JC.exe | 30
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\d7418f626c566ce7713564ebdf968300_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d7418f626c566ce7713564ebdf968300_JC.exe"
  Depth: 1, PID: 1496
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Path: C:\Users\Admin\AppData\Local\Temp\OmG9Ew14jnS6nTm.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\OmG9Ew14jnS6nTm.exe
    Depth: 2, PID: 1548
    - Executes dropped EXE
  - Path: C:\Windows\CTS.exe
    Command line: "C:\Windows\CTS.exe"
    Depth: 2, PID: 2252
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 143KB
  MD5: c583d768336377e263ed3de978da7c6e
  SHA1: 2c48977d57dfe983781ae622056588233d7d67ee
  SHA256: 54836a96884e0e9b30b1ff5b3ece61ce17dd472a4b09137296cd7915ec4a0fac
  SHA512: 284adabd0b025057d4f43e860b9cb64fd9505439c658cf011b87fcce5b15c6d6ebeae1134373c48401b559bdb465e882798127edb7c0fbbba59f225f85150b93
- Filesize: 82KB
  MD5: 112e2e3d0f9b5bdfc715836bfd6360cf
  SHA1: 3376a739daff15255ad9b6552897856df1778ed1
  SHA256: 739998c19476d853c1c4264b79f01c4c3429c8e34746a6e22fdb7ef07db375db
  SHA512: 6ec42ffda1f8c8245ece5856b6536c3dc9e6ff78bc93ab1a123ee6b01dadd2550ffa8623bd2e21038e27f2a94b305dba02f9abd31576c62d9f3ed90c98974f4b