Analysis
max time kernel: 146s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/12/2023, 20:24
Behavioral task: behavioral1
Sample: 03019ca8a4cab959ba202bba1990a3ff.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 03019ca8a4cab959ba202bba1990a3ff.exe
Resource: win10v2004-20231215-en
General
Target: 03019ca8a4cab959ba202bba1990a3ff.exe
Size: 103KB
MD5: 03019ca8a4cab959ba202bba1990a3ff
SHA1: 24ebcfbe2687d451831e0f146bfa3cad0037b1e0
SHA256: d78bfa2a5b36e21a96eba053882465f0950ce5fdf1b5f4ab6c00a5e56faa2c78
SHA512: 310604f051ce8ae6e3338140d5c692ca41f2b6b133e42332bd58d48fc36ccd74dfc54c48c1bb7293aa7b178eb05986ce44d62f99e16fe792a9f84e58c3ba8daa
SSDEEP: 3072:sr3KcWmjRrzSw4Sg7/2PHoF/hEXCqROe0Dzj:/x/iHouC+t0Dzj
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
pid | Process
4672 | OWSrr5hZrNFVwCP.exe
3620 | CTS.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
behavioral2/memory/488-0-0x0000000000120000-0x0000000000137000-memory.dmp | upx
behavioral2/memory/488-9-0x0000000000120000-0x0000000000137000-memory.dmp | upx
behavioral2/memory/3620-8-0x00000000004F0000-0x0000000000507000-memory.dmp | upx
behavioral2/files/0x0007000000023214-7.dat | upx
behavioral2/files/0x0007000000023214-6.dat | upx
behavioral2/files/0x0005000000022717-13.dat | upx

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | 03019ca8a4cab959ba202bba1990a3ff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | CTS.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\CTS.exe | 03019ca8a4cab959ba202bba1990a3ff.exe
File created | C:\Windows\CTS.exe | CTS.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 488 | 03019ca8a4cab959ba202bba1990a3ff.exe
Token: SeDebugPrivilege | 3620 | CTS.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 488 wrote to memory of 4672 | 488 | 03019ca8a4cab959ba202bba1990a3ff.exe | 21
PID 488 wrote to memory of 4672 | 488 | 03019ca8a4cab959ba202bba1990a3ff.exe | 21
PID 488 wrote to memory of 4672 | 488 | 03019ca8a4cab959ba202bba1990a3ff.exe | 21
PID 488 wrote to memory of 3620 | 488 | 03019ca8a4cab959ba202bba1990a3ff.exe | 25
PID 488 wrote to memory of 3620 | 488 | 03019ca8a4cab959ba202bba1990a3ff.exe | 25
PID 488 wrote to memory of 3620 | 488 | 03019ca8a4cab959ba202bba1990a3ff.exe | 25
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\03019ca8a4cab959ba202bba1990a3ff.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03019ca8a4cab959ba202bba1990a3ff.exe"
  PID: 488
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\OWSrr5hZrNFVwCP.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\OWSrr5hZrNFVwCP.exe
    PID: 4672
    - Executes dropped EXE

  Level 2: C:\Windows\CTS.exe
    Command line: "C:\Windows\CTS.exe"
    PID: 3620
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 57KB
MD5: c195b79e5712f38b3706f63190b1f3ea
SHA1: dcce28a83366002ad254779a44d5d0e61d4862fe
SHA256: 0f03dab1cb32190b84bf3cf7ce7c2ee73c2c47eddb7affc0b081dcf6783acf70
SHA512: 64cbf8ac4fd5ac386e1caebece44218bae7cad6e683453ed8024ecc5704eb5d12cb9ba090daa241224ee5d4b773c6d06c631e2cf3d5b1db6cd92043265ccca36

Filesize: 64KB
MD5: 8163f3510e8127b50641a08542519933
SHA1: 4e411a187a5e06dbac00b5d4b92effedbef257f7
SHA256: 4a02f0433da057a8607c168ba5755d4f0f3eda73f2cdcf32f26821e25a59961a
SHA512: bbd0e2a427015fee64c8d24787e80a7999769935323636db8bd72b2cecb4264bd9fe12614f38ca880a8e142b7d50f1f51dbdfcdfaa59b5725b94c3f0e5fc6231

Filesize: 5KB
MD5: 0d51b592564faf26be91b697b8c2e336
SHA1: a5b5ba186c723535455a59d53c42d46bb1fc6368
SHA256: d2a57890046872488701be9bee16ad76ff85aac04b3a81287a46f0c9b0cd63b6
SHA512: 9deb2c3f292fbdaf6d62bb105a9943fbe9287656b6b4531fba78ef87657b9af2d07b897f079139c57859686c606a8a4a72cc714fde3de064e05e05c5fff7f2e0

Filesize: 26KB
MD5: 6937040182e71cb4cfaa2fa206d6b425
SHA1: 84419081ccfee401a562fd5855581533d86ed7c6
SHA256: b5ab0495d5f6fdb358ebbb655e9e9cfbf80461b35f5baa3aeb8bb6ebfd9d431f
SHA512: f2f9ded4c0ad22e41c4d0a10d3e44dd272b303264078c06258d6c3d9adb392687d5b1ac1507b3ef8e9e3376f93f03f7cae9bdb5644d051ec9230bbf5ae111285

Filesize: 35KB
MD5: 93e5f18caebd8d4a2c893e40e5f38232
SHA1: fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6
SHA256: a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8
SHA512: 986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54