Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
30/12/2023, 00:55
Behavioral task
behavioral1
Sample
0938b53cbd901f8218bcd01116312f8a.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
0938b53cbd901f8218bcd01116312f8a.exe
Resource
win10v2004-20231215-en
General
-
Target
0938b53cbd901f8218bcd01116312f8a.exe
-
Size
42KB
-
MD5
0938b53cbd901f8218bcd01116312f8a
-
SHA1
8feb5285db9078d12456f604d6c1b1f44b99f8c9
-
SHA256
4109262ae0fc39424e57cc6eb837db2c4c4e17e32ab4554f7ee43f35262d5b52
-
SHA512
ae4e348ed72dde2e98fd3404d59d9ac4b2fb49d7a5b5855d9946bd1932372f788b915b520b85021313ec159bb19fd897ba7575a901012a2cad5e9f07dade0bda
-
SSDEEP
768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFHnqoJF4h9949XJqfyD:SKcR4mjD9r823FHqc2hu+yD
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2120 CTS.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2344-1-0x0000000000140000-0x0000000000157000-memory.dmp upx behavioral1/memory/2344-9-0x0000000000140000-0x0000000000157000-memory.dmp upx behavioral1/memory/2120-12-0x0000000000F40000-0x0000000000F57000-memory.dmp upx behavioral1/files/0x000e0000000126a6-11.dat upx behavioral1/files/0x000e0000000126a6-10.dat upx behavioral1/files/0x000b00000001226e-14.dat upx behavioral1/memory/2344-5-0x0000000000070000-0x0000000000087000-memory.dmp upx behavioral1/files/0x000e0000000126a6-8.dat upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 0938b53cbd901f8218bcd01116312f8a.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\CTS.exe CTS.exe File created C:\Windows\CTS.exe 0938b53cbd901f8218bcd01116312f8a.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2344 0938b53cbd901f8218bcd01116312f8a.exe Token: SeDebugPrivilege 2120 CTS.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2344 wrote to memory of 2120 2344 0938b53cbd901f8218bcd01116312f8a.exe 14 PID 2344 wrote to memory of 2120 2344 0938b53cbd901f8218bcd01116312f8a.exe 14 PID 2344 wrote to memory of 2120 2344 0938b53cbd901f8218bcd01116312f8a.exe 14 PID 2344 wrote to memory of 2120 2344 0938b53cbd901f8218bcd01116312f8a.exe 14
Processes
-
C:\Windows\CTS.exe"C:\Windows\CTS.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2120
-
C:\Users\Admin\AppData\Local\Temp\0938b53cbd901f8218bcd01116312f8a.exe"C:\Users\Admin\AppData\Local\Temp\0938b53cbd901f8218bcd01116312f8a.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
42KB
MD5328955d012857bf5880e0b84979f4f3f
SHA16b4b7f27300a13e1ea6cc2a8c5b134af09afb644
SHA2569ca47e4e23b1a2f2c8643aa825504f9f4c4e2731ec27096c50d094a95b55bd33
SHA5120f25c81eb14dc2a96c3ca53eefe3f2991ee285f7b4b66872928f03fcc961917e50e0512133ed323d07cb6759ee48926e932491be952af38c09a88e33d0def140
-
Filesize
1KB
MD50859db8e0dd402c618fb5f557f761b2a
SHA15d7eecfaffa59685cf7816f532ad4a031ea17c0b
SHA2562da091816b2151449d2f65c8190862c2848bf39f57ac60a7582307ba769f4f29
SHA512c1f345ecf0ee5592c84bdf2c0d173bb63d4605b04096d4ac4b7f0187a6c7d4391cd5f71accbb3aa3192a8079c0373f90919d78364c0db8042976347e3bb79f50
-
Filesize
24KB
MD5154e54e3d0b8cc52ec474cd4a2e69f14
SHA12aec01c9734e3298c6bb33d091ce9cb7b9020c7e
SHA2563818a0cac1623e0a0dbe4378aab67de7550631fe0e318d1ccf330ff2c6aa86b3
SHA512e05573bf9c3a4023eb81b2a42c5b6b39286fbbb97106cc62a09cf0e0b801117e71edad591041fd7cf6620f70a8cc0a4d6465a467f69c379eea0e6794bc45cd2f
-
Filesize
29KB
MD570aa23c9229741a9b52e5ce388a883ac
SHA1b42683e21e13de3f71db26635954d992ebe7119e
SHA2569d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5