
Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/09/2023, 18:49

General

  • Target

    d7418f626c566ce7713564ebdf968300_JC.exe

  • Size

    225KB

  • MD5

    d7418f626c566ce7713564ebdf968300

  • SHA1

    3878406fe886cbc5e4c426017c1f3d79c1a0a737

  • SHA256

    d41daac02ffcc698e4ec8f46df9134532efd837ca02a6fed127e3c0fca2696c2

  • SHA512

    7b6d43be3fa70d4e072d5946c786b8b8961eb59387f3d9e02717ff250b776b7bb8dd6c0796f451cfe9178132f8b5e77df207ff2580b31655e67353beac7e9fd6

  • SSDEEP

    6144:9Zl2zI79jfoaIPXmjbeqsoxk9cGxu5jLi:9mcGfPwbeqor7

Malware Config

Signatures

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file (6 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)
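
The "UPX packed file" signature above is a static check; the indicators such a rule usually keys on are the packer's default section names (UPX0/UPX1, sometimes UPX2) and its "UPX!" marker in the header page. The script below is an added example, not tria.ge's own signature logic: it walks the PE section table with the minimum parsing needed and reports which indicators are present. The `build_minimal_pe` helper and the section layouts it produces are constructed for the offline demo, and treating the marker's position as "within the first 4 KiB" is an assumption. A repacked sample can rename both, so an empty result is inconclusive, not a clean verdict.

```python
"""UPX indicators in a PE: default section names and the 'UPX!' marker.
Added example (not the sandbox's signature); parsing is the minimum needed
to reach the section table, so it will raise on truncated headers."""
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
UPX_MARKER = b"UPX!"


def pe_section_names(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional_header       # COFF header is 20 bytes
    names = []
    for i in range(number_of_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]  # IMAGE_SECTION_HEADER.Name
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data):
    """Return the UPX indicators found; an empty list means no evidence, not 'clean'."""
    found = [n for n in pe_section_names(data) if n in UPX_SECTION_NAMES]
    # Assumption: the marker normally sits in the header page, so only that is searched.
    if UPX_MARKER in data[:0x1000]:
        found.append("UPX! marker")
    return found


def build_minimal_pe(section_names, extra=b""):
    """Constructed PE carrying only the headers the walk above reads (no optional
    header, no section data). Demo input only; it is not a loadable image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> right after DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x0022)
    table = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table + extra


if __name__ == "__main__":
    print(upx_indicators(build_minimal_pe(["UPX0", "UPX1", ".rsrc"], b"UPX!")))
    print(upx_indicators(build_minimal_pe([".text", ".rdata", ".data"])))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `upx_indicators`; the dropped files listed further down are the obvious inputs once you have them from the sandbox.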

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7418f626c566ce7713564ebdf968300_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\d7418f626c566ce7713564ebdf968300_JC.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Users\Admin\AppData\Local\Temp\OmG9Ew14jnS6nTm.exe
      C:\Users\Admin\AppData\Local\Temp\OmG9Ew14jnS6nTm.exe
      2⤵
      • Executes dropped EXE
      PID:1548
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2252
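
The tree above shows the sample dropping two executables, one in %TEMP% and one as C:\Windows\CTS.exe, and registering a Run key so CTS.exe survives a reboot. The script below is an added example for sweeping a host or mounted image for those artefacts; it is not tria.ge code. The SHA-256 digests and file names come from the General and Downloads sections of this report; matching on digest rather than path catches copies that were renamed. The `.reg` parser, the stand-in files used by `demo_sweep`, and the value name "CTS" in `SAMPLE_REG` are constructed for the demo (the report says a Run key was added but does not show the value name).

```python
"""Host/image sweep for this report's artefacts: dropped files by SHA-256 and
Run/RunOnce values pointing at them. Added example; digests and file names are
the report's, the .reg parser and sample inputs are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 -> name, copied from the General/Downloads sections of the report.
REPORT_IOCS = {
    "d41daac02ffcc698e4ec8f46df9134532efd837ca02a6fed127e3c0fca2696c2": "d7418f626c566ce7713564ebdf968300_JC.exe",
    "54836a96884e0e9b30b1ff5b3ece61ce17dd472a4b09137296cd7915ec4a0fac": "OmG9Ew14jnS6nTm.exe",
    "739998c19476d853c1c4264b79f01c4c3429c8e34746a6e22fdb7ef07db375db": "CTS.exe",
}
# Dropped-file names to look for in Run-key command lines (compared lower-cased).
RUN_TARGETS = ("cts.exe", "omg9ew14jns6ntm.exe")


def sha256_file(path):
    """Stream the file so a whole image is never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_tree(root, iocs=REPORT_IOCS):
    """Return [(path, ioc_name)] for every file under root whose SHA-256 is in iocs."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            name = iocs.get(sha256_file(p))
            if name:
                hits.append((str(p), name))
    return hits


# 'reg export' output: [KEY] header lines, then "Name"="data" lines with \\ escapes.
KEY_RE = re.compile(r'^\[(HK[^\]]*\\CurrentVersion\\Run(?:Once)?)\]\s*$', re.I)
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"\s*$')


def suspicious_run_values(reg_text, targets=RUN_TARGETS):
    """Return [(key, value_name, command)] for Run/RunOnce values naming a target."""
    findings, current = [], None
    for line in reg_text.splitlines():
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1) if m else None   # only track Run/RunOnce keys
            continue
        if current is None:
            continue
        v = VALUE_RE.match(line)
        if v and any(t in v.group(2).lower() for t in targets):
            findings.append((current, v.group(1), v.group(2).replace("\\\\", "\\")))
    return findings


# Constructed .reg export. The value name "CTS" is an assumption; the report
# only records that a Run key was added.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"CTS"="C:\\Windows\\CTS.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00
'''


def demo_sweep():
    """Exercise sweep_tree offline against constructed stand-in files (not the
    malware) and return the IoC names matched; the stand-in's own digest is
    registered so the hash-matching path is actually taken."""
    stand_in = b"MZ constructed stand-in for CTS.exe, not the real sample\n"
    iocs = {hashlib.sha256(stand_in).hexdigest(): "CTS.exe (stand-in)"}
    with tempfile.TemporaryDirectory() as root:
        Path(root, "Windows").mkdir()
        Path(root, "Windows", "renamed.bin").write_bytes(stand_in)   # renamed copy still matches
        Path(root, "Windows", "notepad.exe").write_bytes(b"MZ something benign\n")
        return [name for _, name in sweep_tree(root, iocs)]


if __name__ == "__main__":
    print(demo_sweep())
    for key, name, cmd in suspicious_run_values(SAMPLE_REG):
        print(f"{key} -> {name} = {cmd}")
```

On a live host, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKLM equivalent) produces the input; `reg export` writes UTF-16LE by default, so read it with `encoding="utf-16"` before passing the text to `suspicious_run_values`. Point `sweep_tree` at `C:\Windows` and the user profile directories rather than the whole drive if time is short, since both drop locations are known from the tree above.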

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\OmG9Ew14jnS6nTm.exe

    Filesize

    143KB

    MD5

    c583d768336377e263ed3de978da7c6e

    SHA1

    2c48977d57dfe983781ae622056588233d7d67ee

    SHA256

    54836a96884e0e9b30b1ff5b3ece61ce17dd472a4b09137296cd7915ec4a0fac

    SHA512

    284adabd0b025057d4f43e860b9cb64fd9505439c658cf011b87fcce5b15c6d6ebeae1134373c48401b559bdb465e882798127edb7c0fbbba59f225f85150b93

  • C:\Windows\CTS.exe

    Filesize

    82KB

    MD5

    112e2e3d0f9b5bdfc715836bfd6360cf

    SHA1

    3376a739daff15255ad9b6552897856df1778ed1

    SHA256

    739998c19476d853c1c4264b79f01c4c3429c8e34746a6e22fdb7ef07db375db

    SHA512

    6ec42ffda1f8c8245ece5856b6536c3dc9e6ff78bc93ab1a123ee6b01dadd2550ffa8623bd2e21038e27f2a94b305dba02f9abd31576c62d9f3ed90c98974f4b

  • \Users\Admin\AppData\Local\Temp\OmG9Ew14jnS6nTm.exe

    Filesize

    143KB

    MD5

    c583d768336377e263ed3de978da7c6e

    SHA1

    2c48977d57dfe983781ae622056588233d7d67ee

    SHA256

    54836a96884e0e9b30b1ff5b3ece61ce17dd472a4b09137296cd7915ec4a0fac

    SHA512

    284adabd0b025057d4f43e860b9cb64fd9505439c658cf011b87fcce5b15c6d6ebeae1134373c48401b559bdb465e882798127edb7c0fbbba59f225f85150b93

  • memory/1496-0-0x0000000000FF0000-0x0000000001009000-memory.dmp

    Filesize

    100KB

  • memory/1496-10-0x0000000000FF0000-0x0000000001009000-memory.dmp

    Filesize

    100KB

  • memory/1548-17-0x0000000000EB0000-0x0000000000ED8000-memory.dmp

    Filesize

    160KB

  • memory/1548-18-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

    Filesize

    9.9MB

  • memory/1548-19-0x000000001ACC0000-0x000000001AD40000-memory.dmp

    Filesize

    512KB

  • memory/1548-20-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

    Filesize

    9.9MB

  • memory/2252-13-0x0000000000060000-0x0000000000079000-memory.dmp

    Filesize

    100KB