Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
31/12/2023, 13:50
Behavioral task
behavioral1
Sample
38b30e46b383413eea7cafd9a87b3e9a.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
38b30e46b383413eea7cafd9a87b3e9a.exe
Resource
win10v2004-20231222-en
General
-
Target
38b30e46b383413eea7cafd9a87b3e9a.exe
-
Size
29KB
-
MD5
38b30e46b383413eea7cafd9a87b3e9a
-
SHA1
3b1e44bbaf087db7dd35162b2d58a0f8d91b377b
-
SHA256
9db75c3e599c1f73c42a5b0eeb3bdcf27be8e55da0cdf2d1fddcacc79bdf2756
-
SHA512
9f5d0d2b9afe3a097f2c6379833cb12e758dea19bc5994fe0f3162e61792fc3a64da1bf7328cd299a64bdd237d744fb7962657f7be89c3ad5e9939dce162ce96
-
SSDEEP
768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFF:SKcR4mjD9r823FF
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2404 CTS.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2220-1-0x00000000009B0000-0x00000000009C7000-memory.dmp upx behavioral1/files/0x000d0000000122f6-9.dat upx behavioral1/memory/2220-8-0x00000000009B0000-0x00000000009C7000-memory.dmp upx behavioral1/memory/2404-13-0x0000000001380000-0x0000000001397000-memory.dmp upx behavioral1/files/0x000800000001224a-15.dat upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 38b30e46b383413eea7cafd9a87b3e9a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\CTS.exe CTS.exe File created C:\Windows\CTS.exe 38b30e46b383413eea7cafd9a87b3e9a.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2220 38b30e46b383413eea7cafd9a87b3e9a.exe Token: SeDebugPrivilege 2404 CTS.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2220 wrote to memory of 2404 2220 38b30e46b383413eea7cafd9a87b3e9a.exe 28 PID 2220 wrote to memory of 2404 2220 38b30e46b383413eea7cafd9a87b3e9a.exe 28 PID 2220 wrote to memory of 2404 2220 38b30e46b383413eea7cafd9a87b3e9a.exe 28 PID 2220 wrote to memory of 2404 2220 38b30e46b383413eea7cafd9a87b3e9a.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\38b30e46b383413eea7cafd9a87b3e9a.exe"C:\Users\Admin\AppData\Local\Temp\38b30e46b383413eea7cafd9a87b3e9a.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2404
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
29KB
MD58330bad30575ba56da74dce38eaa64ec
SHA1e352071ba6c5cec3624219b622afeafeaf0c350c
SHA2560bf0046b61155b297ee8f3d6011cd1ed0eeefe0dc7919077bba9cbe30657e0d6
SHA5123e97f2c8ae34923b58187d10333810b9f1e305b98dd319336dcfc46fe96e1b4387e87ceb64f0af05dd156fec77e0f46ec44771135faa67646d75f39989f6b9ab
-
Filesize
29KB
MD570aa23c9229741a9b52e5ce388a883ac
SHA1b42683e21e13de3f71db26635954d992ebe7119e
SHA2569d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5