Analysis
- max time kernel: 145s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/10/2023, 11:48
Behavioral task: behavioral1
- Sample: 0a15cb345ff9c3b6166e3139e2522b93_JC.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 0a15cb345ff9c3b6166e3139e2522b93_JC.exe
- Resource: win10v2004-20230915-en
General
- Target: 0a15cb345ff9c3b6166e3139e2522b93_JC.exe
- Size: 896KB
- MD5: 0a15cb345ff9c3b6166e3139e2522b93
- SHA1: 3cc8c220c33352ec5dbe5f067f9e8ca94d30adf7
- SHA256: e143b7d574448259a7460817662e75e5f17c4686462b3f5b7422c82486f53abd
- SHA512: 5db7d77117bdee841f3bb8220907157f70394e60bd71706d3d7fcfb4d2d1ba1cc3158a01f5b9d862ed04947610c173ffdd7c3d0f595ef0870ae289b89519a0f4
- SSDEEP: 24576:ZRkkvPYlaAD2E3Qi0hAPlFtweDp4in8GgEdunxLW0E:ZRk0PMaMJQiSAt0eDp4i8GnQxLPE
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  4212  LEWUcxMO46ZeT2U.exe
  3824  CTS.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- yara_rule matches
  resource                                                                    yara_rule
  behavioral2/memory/3516-0-0x0000000000540000-0x0000000000568000-memory.dmp  upx
  behavioral2/memory/3824-8-0x0000000000FB0000-0x0000000000FD8000-memory.dmp  upx
  behavioral2/files/0x000200000002288b-6.dat                                  upx
  behavioral2/files/0x000200000002288b-9.dat                                  upx
  behavioral2/memory/3516-7-0x0000000000540000-0x0000000000568000-memory.dmp  upx
  behavioral2/files/0x000200000001e804-12.dat                                 upx
  behavioral2/memory/3824-31-0x0000000000FB0000-0x0000000000FD8000-memory.dmp upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                          Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  0a15cb345ff9c3b6166e3139e2522b93_JC.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  CTS.exe
- Drops file in Windows directory (2 IoCs)
  description   ioc                 Process
  File created  C:\Windows\CTS.exe  0a15cb345ff9c3b6166e3139e2522b93_JC.exe
  File created  C:\Windows\CTS.exe  CTS.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3516  0a15cb345ff9c3b6166e3139e2522b93_JC.exe
  Token: SeDebugPrivilege  3824  CTS.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   Process                                  procid_target
  PID 3516 wrote to memory of 4212  3516  0a15cb345ff9c3b6166e3139e2522b93_JC.exe  82
  PID 3516 wrote to memory of 4212  3516  0a15cb345ff9c3b6166e3139e2522b93_JC.exe  82
  PID 3516 wrote to memory of 3824  3516  0a15cb345ff9c3b6166e3139e2522b93_JC.exe  83
  PID 3516 wrote to memory of 3824  3516  0a15cb345ff9c3b6166e3139e2522b93_JC.exe  83
  PID 3516 wrote to memory of 3824  3516  0a15cb345ff9c3b6166e3139e2522b93_JC.exe  83
Processes
- C:\Users\Admin\AppData\Local\Temp\0a15cb345ff9c3b6166e3139e2522b93_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a15cb345ff9c3b6166e3139e2522b93_JC.exe"
  PID: 3516
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\LEWUcxMO46ZeT2U.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\LEWUcxMO46ZeT2U.exe
    PID: 4212
    - Executes dropped EXE
  - C:\Windows\CTS.exe
    Command line: "C:\Windows\CTS.exe"
    PID: 3824
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads