Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel: 141s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20231215-en
  • resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted: 30/12/2023, 00:55

General

  • Target: 0938b53cbd901f8218bcd01116312f8a.exe
  • Size: 42KB
  • MD5: 0938b53cbd901f8218bcd01116312f8a
  • SHA1: 8feb5285db9078d12456f604d6c1b1f44b99f8c9
  • SHA256: 4109262ae0fc39424e57cc6eb837db2c4c4e17e32ab4554f7ee43f35262d5b52
  • SHA512: ae4e348ed72dde2e98fd3404d59d9ac4b2fb49d7a5b5855d9946bd1932372f788b915b520b85021313ec159bb19fd897ba7575a901012a2cad5e9f07dade0bda
  • SSDEEP: 768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFHnqoJF4h9949XJqfyD:SKcR4mjD9r823FHqc2hu+yD

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials and similar secrets.
  • UPX packed file (8 IoCs)
    Detects executables packed with the UPX open-source packer or a modified UPX.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Windows\CTS.exe (PID 2120)
    Command line: "C:\Windows\CTS.exe"
    • Executes dropped EXE
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
  • C:\Users\Admin\AppData\Local\Temp\0938b53cbd901f8218bcd01116312f8a.exe (PID 2344)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0938b53cbd901f8218bcd01116312f8a.exe"
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Lav4mfs6j0EZUi6.exe
    Filesize: 42KB
    MD5: 328955d012857bf5880e0b84979f4f3f
    SHA1: 6b4b7f27300a13e1ea6cc2a8c5b134af09afb644
    SHA256: 9ca47e4e23b1a2f2c8643aa825504f9f4c4e2731ec27096c50d094a95b55bd33
    SHA512: 0f25c81eb14dc2a96c3ca53eefe3f2991ee285f7b4b66872928f03fcc961917e50e0512133ed323d07cb6759ee48926e932491be952af38c09a88e33d0def140

  • C:\Windows\CTS.exe
    Filesize: 1KB
    MD5: 0859db8e0dd402c618fb5f557f761b2a
    SHA1: 5d7eecfaffa59685cf7816f532ad4a031ea17c0b
    SHA256: 2da091816b2151449d2f65c8190862c2848bf39f57ac60a7582307ba769f4f29
    SHA512: c1f345ecf0ee5592c84bdf2c0d173bb63d4605b04096d4ac4b7f0187a6c7d4391cd5f71accbb3aa3192a8079c0373f90919d78364c0db8042976347e3bb79f50

  • C:\Windows\CTS.exe
    Filesize: 24KB
    MD5: 154e54e3d0b8cc52ec474cd4a2e69f14
    SHA1: 2aec01c9734e3298c6bb33d091ce9cb7b9020c7e
    SHA256: 3818a0cac1623e0a0dbe4378aab67de7550631fe0e318d1ccf330ff2c6aa86b3
    SHA512: e05573bf9c3a4023eb81b2a42c5b6b39286fbbb97106cc62a09cf0e0b801117e71edad591041fd7cf6620f70a8cc0a4d6465a467f69c379eea0e6794bc45cd2f

  • C:\Windows\CTS.exe
    Filesize: 29KB
    MD5: 70aa23c9229741a9b52e5ce388a883ac
    SHA1: b42683e21e13de3f71db26635954d992ebe7119e
    SHA256: 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
    SHA512: be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

  • memory/2120-12-0x0000000000F40000-0x0000000000F57000-memory.dmp
    Filesize: 92KB

  • memory/2344-1-0x0000000000140000-0x0000000000157000-memory.dmp
    Filesize: 92KB

  • memory/2344-9-0x0000000000140000-0x0000000000157000-memory.dmp
    Filesize: 92KB

  • memory/2344-5-0x0000000000070000-0x0000000000087000-memory.dmp
    Filesize: 92KB

  • memory/2344-18-0x0000000000070000-0x0000000000087000-memory.dmp
    Filesize: 92KB