Analysis

  • max time kernel: 145s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 22/12/2023, 14:06

General

  • Target

    b7254d758341d446daa16cc9c9cd6d4c.exe

  • Size

    130KB

  • MD5

    b7254d758341d446daa16cc9c9cd6d4c

  • SHA1

    087a5bae305600aa9fe1a294581801fac09ac4ef

  • SHA256

    26dda853b5d6f5d9df23b9b26b5e287268b4e3323272d193ad366a0bc59d2ad4

  • SHA512

    2bdeab1fb6e86fc1897e0a60b7adb15b99962da185fe97cb7634d354698f02113c4d3a268c509f5ee788b61fa54ba8c8346e17bb6681c0715d3469909501217b

  • SSDEEP

    3072:sr3KcWmjRrzSE5/XwqlJ5oe/ziC20MJmYHgBCsN0bvsGz8I:/sXl/bIKYYHo5QI

Signatures

  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file (6 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (5 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7254d758341d446daa16cc9c9cd6d4c.exe
    "C:\Users\Admin\AppData\Local\Temp\b7254d758341d446daa16cc9c9cd6d4c.exe"
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID: 2472
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID: 4912
    • C:\Users\Admin\AppData\Local\Temp\8l3T5CJJnnH0anb.exe
      C:\Users\Admin\AppData\Local\Temp\8l3T5CJJnnH0anb.exe
      • Executes dropped EXE
      PID: 4776

Downloads

  • C:\Users\Admin\AppData\Local\Temp\8l3T5CJJnnH0anb.exe

    Filesize

    94KB

    MD5

    9a821d8d62f4c60232b856e98cba7e4f

    SHA1

    4ec5dcbd43ad3b0178b26a57b8a2f41e33a48df5

    SHA256

    a5b3bf53bcd3c0296498383837e8f9eb7d610c535521315a96aa740cf769f525

    SHA512

    1b5273a52973dac77ad0ef7aa1dda929a782d762ab8489eb90dff1062dd4cc01e4f7f4157266a2abcf8941e91cf4aa5603de1dd8ee871524748e0989ebaa37d3

  • C:\Windows\CTS.exe

    Filesize

    36KB

    MD5

    d23b958b292229b9c4449af4799e5199

    SHA1

    4edca4f5650a46b49f38cdc3da76df63be05d00a

    SHA256

    590c7a8236b0a29ae55e001361e3365bcaaeefe732d6061da12175343026e50a

    SHA512

    1e758b59e2b89c8313027d609949eeadc4a40ebe9c27de72bf16be4f0a5e8dafceb787d92e1324f217059bd83363368718d4bbf88841fbb50cd11d3113177c56

  • memory/2472-0-0x0000000000CB0000-0x0000000000CC7000-memory.dmp

    Filesize

    92KB

  • memory/2472-8-0x0000000000CB0000-0x0000000000CC7000-memory.dmp

    Filesize

    92KB

  • memory/4912-9-0x0000000000300000-0x0000000000317000-memory.dmp

    Filesize

    92KB

  • memory/4912-32-0x0000000000300000-0x0000000000317000-memory.dmp

    Filesize

    92KB