Analysis
- max time kernel: 93s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/09/2023, 18:49
Behavioral task: behavioral1
- Sample: d7418f626c566ce7713564ebdf968300_JC.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: d7418f626c566ce7713564ebdf968300_JC.exe
- Resource: win10v2004-20230915-en
General
- Target: d7418f626c566ce7713564ebdf968300_JC.exe
- Size: 225KB
- MD5: d7418f626c566ce7713564ebdf968300
- SHA1: 3878406fe886cbc5e4c426017c1f3d79c1a0a737
- SHA256: d41daac02ffcc698e4ec8f46df9134532efd837ca02a6fed127e3c0fca2696c2
- SHA512: 7b6d43be3fa70d4e072d5946c786b8b8961eb59387f3d9e02717ff250b776b7bb8dd6c0796f451cfe9178132f8b5e77df207ff2580b31655e67353beac7e9fd6
- SSDEEP: 6144:9Zl2zI79jfoaIPXmjbeqsoxk9cGxu5jLi:9mcGfPwbeqor7
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  2632  LGC1nrA3XBBUi0s.exe
  3680  CTS.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- resource                                                                    yara_rule
  behavioral2/memory/1660-0-0x00000000004B0000-0x00000000004C9000-memory.dmp  upx
  behavioral2/files/0x00060000000231c1-7.dat                                  upx
  behavioral2/memory/3680-9-0x0000000000F40000-0x0000000000F59000-memory.dmp  upx
  behavioral2/memory/1660-8-0x00000000004B0000-0x00000000004C9000-memory.dmp  upx
  behavioral2/files/0x00060000000231c1-6.dat                                  upx
  behavioral2/files/0x00080000000230c2-14.dat                                 upx
  behavioral2/memory/3680-34-0x0000000000F40000-0x0000000000F59000-memory.dmp upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                              Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  d7418f626c566ce7713564ebdf968300_JC.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  CTS.exe
- Drops file in Windows directory (2 IoCs)
  description   ioc                 Process
  File created  C:\Windows\CTS.exe  d7418f626c566ce7713564ebdf968300_JC.exe
  File created  C:\Windows\CTS.exe  CTS.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1660  d7418f626c566ce7713564ebdf968300_JC.exe
  Token: SeDebugPrivilege  3680  CTS.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description                          pid   Process                                  procid_target
  PID 1660 wrote to memory of 2632     1660  d7418f626c566ce7713564ebdf968300_JC.exe  84
  PID 1660 wrote to memory of 2632     1660  d7418f626c566ce7713564ebdf968300_JC.exe  84
  PID 1660 wrote to memory of 3680     1660  d7418f626c566ce7713564ebdf968300_JC.exe  85
  PID 1660 wrote to memory of 3680     1660  d7418f626c566ce7713564ebdf968300_JC.exe  85
  PID 1660 wrote to memory of 3680     1660  d7418f626c566ce7713564ebdf968300_JC.exe  85
Processes
- C:\Users\Admin\AppData\Local\Temp\d7418f626c566ce7713564ebdf968300_JC.exe (depth 1, PID:1660)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d7418f626c566ce7713564ebdf968300_JC.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\LGC1nrA3XBBUi0s.exe (depth 2, PID:2632)
    Command line: C:\Users\Admin\AppData\Local\Temp\LGC1nrA3XBBUi0s.exe
    - Executes dropped EXE
  - C:\Windows\CTS.exe (depth 2, PID:3680)
    Command line: "C:\Windows\CTS.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads