Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
231s -
max time network
163s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
25/12/2023, 18:17
Behavioral task
behavioral1
Sample
33e826176ff4e48466375ffa5c9ecf85.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
33e826176ff4e48466375ffa5c9ecf85.exe
Resource
win10v2004-20231215-en
General
-
Target
33e826176ff4e48466375ffa5c9ecf85.exe
-
Size
85KB
-
MD5
33e826176ff4e48466375ffa5c9ecf85
-
SHA1
7f8e2aee8e179e8ac1967c58019951a687474951
-
SHA256
52b1196caaf09ae059ad90da293552299c414c666df6d058f06e088db8775f6e
-
SHA512
5a7c5e84e860d72e19b8c84285b3e9242476117cd498510965ae7a7a6def9a8aac72ec2af01d97db3fddf7622e2ea364b288ed0cd1c1a24b7c460759ba5c3450
-
SSDEEP
1536:SKcR4mjD9r823FSBLrfbKjCX43ZsY+bpmf3Z:SKcWmjRrz3b8sZsbbpmf3Z
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 2944 dMGv9lNRAG13a2X.exe 1656 CTS.exe -
Loads dropped DLL 1 IoCs
pid Process 1116 33e826176ff4e48466375ffa5c9ecf85.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/1116-0-0x0000000001360000-0x0000000001377000-memory.dmp upx behavioral1/memory/1116-2-0x0000000001360000-0x0000000001377000-memory.dmp upx behavioral1/files/0x001000000000b1f5-13.dat upx behavioral1/memory/1116-14-0x0000000001360000-0x0000000001377000-memory.dmp upx behavioral1/memory/2944-17-0x0000000000B20000-0x0000000000BA0000-memory.dmp upx behavioral1/memory/1656-18-0x0000000000040000-0x0000000000057000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 33e826176ff4e48466375ffa5c9ecf85.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\CTS.exe 33e826176ff4e48466375ffa5c9ecf85.exe File created C:\Windows\CTS.exe CTS.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1832 dw20.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1116 33e826176ff4e48466375ffa5c9ecf85.exe Token: SeDebugPrivilege 1656 CTS.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1116 wrote to memory of 2944 1116 33e826176ff4e48466375ffa5c9ecf85.exe 27 PID 1116 wrote to memory of 2944 1116 33e826176ff4e48466375ffa5c9ecf85.exe 27 PID 1116 wrote to memory of 2944 1116 33e826176ff4e48466375ffa5c9ecf85.exe 27 PID 1116 wrote to memory of 2944 1116 33e826176ff4e48466375ffa5c9ecf85.exe 27 PID 1116 wrote to memory of 1656 1116 33e826176ff4e48466375ffa5c9ecf85.exe 29 PID 1116 wrote to memory of 1656 1116 33e826176ff4e48466375ffa5c9ecf85.exe 29 PID 1116 wrote to memory of 1656 1116 33e826176ff4e48466375ffa5c9ecf85.exe 29 PID 1116 wrote to memory of 1656 1116 33e826176ff4e48466375ffa5c9ecf85.exe 29 PID 2944 wrote to memory of 1832 2944 dMGv9lNRAG13a2X.exe 30 PID 2944 wrote to memory of 1832 2944 dMGv9lNRAG13a2X.exe 30 PID 2944 wrote to memory of 1832 2944 dMGv9lNRAG13a2X.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\33e826176ff4e48466375ffa5c9ecf85.exe"C:\Users\Admin\AppData\Local\Temp\33e826176ff4e48466375ffa5c9ecf85.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Users\Admin\AppData\Local\Temp\dMGv9lNRAG13a2X.exeC:\Users\Admin\AppData\Local\Temp\dMGv9lNRAG13a2X.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 3803⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1832
-
-
-
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1656
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
29KB
MD570aa23c9229741a9b52e5ce388a883ac
SHA1b42683e21e13de3f71db26635954d992ebe7119e
SHA2569d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5
-
Filesize
56KB
MD5e115521ba14b75f53dcdff087ec6898f
SHA187103a892bb514a93d485fba221bacb9da3aae25
SHA25659b284d0ad4c2634938e70fae67d9048bd98422d052fbd745a9b80b5fae7ae29
SHA512ab3d097bcf11bf7327a28124052b210f5fb13b9bfb9b7376cae1ba5c30182a330506935288a7fe06b7e3fdd82b57f5c31638f1c301738342819c772b346fa35a