Analysis

  • max time kernel
    146s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/12/2023, 00:55

General

  • Target
    0938b53cbd901f8218bcd01116312f8a.exe
  • Size
    42KB
  • MD5
    0938b53cbd901f8218bcd01116312f8a
  • SHA1
    8feb5285db9078d12456f604d6c1b1f44b99f8c9
  • SHA256
    4109262ae0fc39424e57cc6eb837db2c4c4e17e32ab4554f7ee43f35262d5b52
  • SHA512
    ae4e348ed72dde2e98fd3404d59d9ac4b2fb49d7a5b5855d9946bd1932372f788b915b520b85021313ec159bb19fd897ba7575a901012a2cad5e9f07dade0bda
  • SSDEEP
    768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFHnqoJF4h9949XJqfyD:SKcR4mjD9r823FHqc2hu+yD

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0938b53cbd901f8218bcd01116312f8a.exe
    "C:\Users\Admin\AppData\Local\Temp\0938b53cbd901f8218bcd01116312f8a.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4012
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
    Filesize: 352KB
    MD5: 58cf0c78de5b4db8d7605b0258e9ef7e
    SHA1: 3f80d7fc66968b12ad8b979e5e52b55aa8fc4f88
    SHA256: 25f653eec1a4d704a75fb8d77e64cf69f883bc1c7f0f78a947ce4b294be7c7b4
    SHA512: b5cc138ae8fd8276847133d70012b1b23e746221ba09791cebb3e2c55d214bd23f7bafd50dbcaa603657278ea9acaf3163ec7e0f587552c8124935183b3e5e8f

  • C:\Users\Admin\AppData\Local\Temp\LXX1yY4fvJDEgzK.exe
    Filesize: 42KB
    MD5: b0c77e4a71f8a4d9f4933b05d5dfdd6d
    SHA1: d4f0dce4fa74e414960774aea9568d01d0b0d2cd
    SHA256: 449e67d6e9c61321062b1b8fb85aaa58e5f519a7caa5d74aa6391d187b99dcf6
    SHA512: eee00ba9f9911e9bf1a4bb169a26efe30187996ff9fffacaea16d35f314de0e5c76588c97f99e154827a0672c21f79c8e93372b8e4a95eb790c353a1a2bb7572

  • C:\Windows\CTS.exe
    Filesize: 29KB
    MD5: 70aa23c9229741a9b52e5ce388a883ac
    SHA1: b42683e21e13de3f71db26635954d992ebe7119e
    SHA256: 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
    SHA512: be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

  • memory/2588-10-0x00000000003C0000-0x00000000003D7000-memory.dmp
    Filesize: 92KB
  • memory/2588-28-0x00000000003C0000-0x00000000003D7000-memory.dmp
    Filesize: 92KB
  • memory/4012-0-0x0000000000300000-0x0000000000317000-memory.dmp
    Filesize: 92KB
  • memory/4012-3-0x0000000000300000-0x0000000000317000-memory.dmp
    Filesize: 92KB
  • memory/4012-11-0x0000000000300000-0x0000000000317000-memory.dmp
    Filesize: 92KB