Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/10/2023, 11:48

General

  • Target

    0a15cb345ff9c3b6166e3139e2522b93_JC.exe

  • Size

    896KB

  • MD5

    0a15cb345ff9c3b6166e3139e2522b93

  • SHA1

    3cc8c220c33352ec5dbe5f067f9e8ca94d30adf7

  • SHA256

    e143b7d574448259a7460817662e75e5f17c4686462b3f5b7422c82486f53abd

  • SHA512

    5db7d77117bdee841f3bb8220907157f70394e60bd71706d3d7fcfb4d2d1ba1cc3158a01f5b9d862ed04947610c173ffdd7c3d0f595ef0870ae289b89519a0f4

  • SSDEEP

    24576:ZRkkvPYlaAD2E3Qi0hAPlFtweDp4in8GgEdunxLW0E:ZRk0PMaMJQiSAt0eDp4i8GnQxLPE

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a15cb345ff9c3b6166e3139e2522b93_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\0a15cb345ff9c3b6166e3139e2522b93_JC.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Users\Admin\AppData\Local\Temp\LEWUcxMO46ZeT2U.exe
      C:\Users\Admin\AppData\Local\Temp\LEWUcxMO46ZeT2U.exe
      2⤵
      • Executes dropped EXE
      PID:4212
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3824

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\msoia.exe_Rules.xml

    Filesize

    162KB

    MD5

    ea1aefd5e952356f5f95ca1f7e3fb4b2

    SHA1

    60214a3b705685c5205edd6543aa7a6387214e26

    SHA256

    ea614edaaadfbce5a3bce3eac5e4a7f0eaf0ee5695593ebb8bdcb9eae068cbe2

    SHA512

    539a0b16c8f1f3f3bdfe4f7fde02f5269ffce0f3eac422b93f1728b1f7ab9c5bcc981279c8a7fa71db8a9f9e664893c40e10a8846e463de5aea5db8a2360c381

  • C:\Users\Admin\AppData\Local\Temp\LEWUcxMO46ZeT2U.exe

    Filesize

    896KB

    MD5

    5557e5806eb64c0fe35dcc87f7ddddbb

    SHA1

    6b15e5fb844f32d23b183297b7bf4dc480686510

    SHA256

    f4492e7ca42163df13fffb76e0802e9e7b17005d522ddb16b1599d9fb606cd59

    SHA512

    a68c0ce275546fa5856e4821def8d6e6c7c6a8e7e55d3ef7eb35cfc6de017103a11259a9171a658cfa26907b757211483e4580311bf0f4dfff1fb8615d201a7d

  • C:\Users\Admin\AppData\Local\Temp\LEWUcxMO46ZeT2U.exe

    Filesize

    734KB

    MD5

    7d65d4df4668d117f25e083dd9dda24a

    SHA1

    d8b1bb64a08b0c4b42f8f63a630201d423ad30bd

    SHA256

    d0172a34261ca453ee63ad0ad54c56800433d3ffedfaef23ff3c9858a5a10edd

    SHA512

    044f00d942b5964f940ad23c0030fff97b169dec5f510a1d5ef62af7cfd7e189d936a0414c5b280e7421f4949ecaff6d307fec39f1cbf02a575edb89ebc04bdd

  • C:\Windows\CTS.exe

    Filesize

    161KB

    MD5

    e8f8a485ab339763f170f82d68d4107d

    SHA1

    460dad0367cb4cdc47abd3c56f08f93693aff1c9

    SHA256

    371b30e5623c6337ad98c420f570bc9c86878ddec314e404e570c4348554c17b

    SHA512

    7d22ef520543c5f7b7f0d816a0eaabcf093a03c96de2a002d035d3eb0d27abcff9dfcfa88113bcf2b51a5eb638c4b39c35c031054a3a4314e4c1190928d240f5
  • memory/3516-0-0x0000000000540000-0x0000000000568000-memory.dmp

    Filesize

    160KB

  • memory/3516-7-0x0000000000540000-0x0000000000568000-memory.dmp

    Filesize

    160KB

  • memory/3824-8-0x0000000000FB0000-0x0000000000FD8000-memory.dmp

    Filesize

    160KB

  • memory/3824-31-0x0000000000FB0000-0x0000000000FD8000-memory.dmp

    Filesize

    160KB