Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/10/2023, 11:48

General

  • Target

    0a15cb345ff9c3b6166e3139e2522b93_JC.exe

  • Size

    896KB

  • MD5

    0a15cb345ff9c3b6166e3139e2522b93

  • SHA1

    3cc8c220c33352ec5dbe5f067f9e8ca94d30adf7

  • SHA256

    e143b7d574448259a7460817662e75e5f17c4686462b3f5b7422c82486f53abd

  • SHA512

    5db7d77117bdee841f3bb8220907157f70394e60bd71706d3d7fcfb4d2d1ba1cc3158a01f5b9d862ed04947610c173ffdd7c3d0f595ef0870ae289b89519a0f4

  • SSDEEP

    24576:ZRkkvPYlaAD2E3Qi0hAPlFtweDp4in8GgEdunxLW0E:ZRk0PMaMJQiSAt0eDp4i8GnQxLPE

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a15cb345ff9c3b6166e3139e2522b93_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\0a15cb345ff9c3b6166e3139e2522b93_JC.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Users\Admin\AppData\Local\Temp\zNYL9NbQZgm4JSW.exe
      C:\Users\Admin\AppData\Local\Temp\zNYL9NbQZgm4JSW.exe
      2⤵
      • Executes dropped EXE
      PID:2188
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1948

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\zNYL9NbQZgm4JSW.exe

    Filesize

    896KB

    MD5

    79727aea15bd68bdcb537abb8ec4e1e4

    SHA1

    ed22462a47308fecca9d6666f22b1d7815c24453

    SHA256

    53de7ca72be47c622bbd89a02cc1c266e633d7c8e93609f7aa3e5cb5714fd399

    SHA512

    24c6e36c6ac3589efda10a2726c2b287d6f174ec862a1efe1b6353dce5c0bbfe052fd891175f61a54ea962eb282607740e6eb95aa689cd4b8c54aac700d4dcdd

  • C:\Users\Admin\AppData\Local\Temp\zNYL9NbQZgm4JSW.exe

    Filesize

    734KB

    MD5

    7d65d4df4668d117f25e083dd9dda24a

    SHA1

    d8b1bb64a08b0c4b42f8f63a630201d423ad30bd

    SHA256

    d0172a34261ca453ee63ad0ad54c56800433d3ffedfaef23ff3c9858a5a10edd

    SHA512

    044f00d942b5964f940ad23c0030fff97b169dec5f510a1d5ef62af7cfd7e189d936a0414c5b280e7421f4949ecaff6d307fec39f1cbf02a575edb89ebc04bdd

  • C:\Windows\CTS.exe

    Filesize

    161KB

    MD5

    e8f8a485ab339763f170f82d68d4107d

    SHA1

    460dad0367cb4cdc47abd3c56f08f93693aff1c9

    SHA256

    371b30e5623c6337ad98c420f570bc9c86878ddec314e404e570c4348554c17b

    SHA512

    7d22ef520543c5f7b7f0d816a0eaabcf093a03c96de2a002d035d3eb0d27abcff9dfcfa88113bcf2b51a5eb638c4b39c35c031054a3a4314e4c1190928d240f5

  • \Users\Admin\AppData\Local\Temp\zNYL9NbQZgm4JSW.exe

    Filesize

    734KB

    MD5

    7d65d4df4668d117f25e083dd9dda24a

    SHA1

    d8b1bb64a08b0c4b42f8f63a630201d423ad30bd

    SHA256

    d0172a34261ca453ee63ad0ad54c56800433d3ffedfaef23ff3c9858a5a10edd

    SHA512

    044f00d942b5964f940ad23c0030fff97b169dec5f510a1d5ef62af7cfd7e189d936a0414c5b280e7421f4949ecaff6d307fec39f1cbf02a575edb89ebc04bdd

  • memory/1704-15-0x0000000000220000-0x0000000000248000-memory.dmp

    Filesize

    160KB

  • memory/1704-16-0x0000000000220000-0x0000000000248000-memory.dmp

    Filesize

    160KB

  • memory/1704-0-0x0000000000E70000-0x0000000000E98000-memory.dmp

    Filesize

    160KB

  • memory/1704-13-0x0000000000E70000-0x0000000000E98000-memory.dmp

    Filesize

    160KB

  • memory/1948-17-0x0000000001190000-0x00000000011B8000-memory.dmp

    Filesize

    160KB

  • memory/1948-22-0x0000000001190000-0x00000000011B8000-memory.dmp

    Filesize

    160KB