Analysis
max time kernel: 146s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 00:55
Behavioral task behavioral1
Sample: 0938b53cbd901f8218bcd01116312f8a.exe
Resource: win7-20231215-en
Behavioral task behavioral2
Sample: 0938b53cbd901f8218bcd01116312f8a.exe
Resource: win10v2004-20231215-en
General
Target: 0938b53cbd901f8218bcd01116312f8a.exe
Size: 42KB
MD5: 0938b53cbd901f8218bcd01116312f8a
SHA1: 8feb5285db9078d12456f604d6c1b1f44b99f8c9
SHA256: 4109262ae0fc39424e57cc6eb837db2c4c4e17e32ab4554f7ee43f35262d5b52
SHA512: ae4e348ed72dde2e98fd3404d59d9ac4b2fb49d7a5b5855d9946bd1932372f788b915b520b85021313ec159bb19fd897ba7575a901012a2cad5e9f07dade0bda
SSDEEP: 768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFHnqoJF4h9949XJqfyD:SKcR4mjD9r823FHqc2hu+yD
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 2588  process CTS.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
YARA rule match: upx
  resource                                                                      yara_rule
  behavioral2/memory/4012-0-0x0000000000300000-0x0000000000317000-memory.dmp    upx
  behavioral2/memory/4012-3-0x0000000000300000-0x0000000000317000-memory.dmp    upx
  behavioral2/files/0x000600000002323f-8.dat                                    upx
  behavioral2/memory/2588-10-0x00000000003C0000-0x00000000003D7000-memory.dmp   upx
  behavioral2/memory/4012-11-0x0000000000300000-0x0000000000317000-memory.dmp   upx
  behavioral2/files/0x000500000002270a-14.dat                                   upx
  behavioral2/memory/2588-28-0x00000000003C0000-0x00000000003D7000-memory.dmp   upx
  behavioral2/files/0x000600000001e71b-32.dat                                   upx
Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
  process: 0938b53cbd901f8218bcd01116312f8a.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
  process: CTS.exe
Drops file in Windows directory (2 IoCs)
  File created  C:\Windows\CTS.exe  process: 0938b53cbd901f8218bcd01116312f8a.exe
  File created  C:\Windows\CTS.exe  process: CTS.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 4012  process: 0938b53cbd901f8218bcd01116312f8a.exe
  Token: SeDebugPrivilege  pid 2588  process: CTS.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4012 wrote to memory of 2588  pid 4012  process: 0938b53cbd901f8218bcd01116312f8a.exe  procid_target: 90
  PID 4012 wrote to memory of 2588  pid 4012  process: 0938b53cbd901f8218bcd01116312f8a.exe  procid_target: 90
  PID 4012 wrote to memory of 2588  pid 4012  process: 0938b53cbd901f8218bcd01116312f8a.exe  procid_target: 90
Processes
1. C:\Users\Admin\AppData\Local\Temp\0938b53cbd901f8218bcd01116312f8a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0938b53cbd901f8218bcd01116312f8a.exe"
   PID: 4012
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\CTS.exe (child process, tree depth 2)
      Command line: "C:\Windows\CTS.exe"
      PID: 2588
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 352KB
  MD5: 58cf0c78de5b4db8d7605b0258e9ef7e
  SHA1: 3f80d7fc66968b12ad8b979e5e52b55aa8fc4f88
  SHA256: 25f653eec1a4d704a75fb8d77e64cf69f883bc1c7f0f78a947ce4b294be7c7b4
  SHA512: b5cc138ae8fd8276847133d70012b1b23e746221ba09791cebb3e2c55d214bd23f7bafd50dbcaa603657278ea9acaf3163ec7e0f587552c8124935183b3e5e8f
File 2
  Filesize: 42KB
  MD5: b0c77e4a71f8a4d9f4933b05d5dfdd6d
  SHA1: d4f0dce4fa74e414960774aea9568d01d0b0d2cd
  SHA256: 449e67d6e9c61321062b1b8fb85aaa58e5f519a7caa5d74aa6391d187b99dcf6
  SHA512: eee00ba9f9911e9bf1a4bb169a26efe30187996ff9fffacaea16d35f314de0e5c76588c97f99e154827a0672c21f79c8e93372b8e4a95eb790c353a1a2bb7572
File 3
  Filesize: 29KB
  MD5: 70aa23c9229741a9b52e5ce388a883ac
  SHA1: b42683e21e13de3f71db26635954d992ebe7119e
  SHA256: 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
  SHA512: be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5