Analysis

  • max time kernel
    148s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/01/2024, 23:52

General

  • Target
    4a1a9518eccb04ac641890743df25d72.exe
  • Size
    32KB
  • MD5
    4a1a9518eccb04ac641890743df25d72
  • SHA1
    88081b5fcd981aa581c2bb36229478582eabffd7
  • SHA256
    05c602cf7bd2e8b19f40b891e08e16bfceb99fd3db3b6bb59506c2b366891ff2
  • SHA512
    8ca7cf06d237f2510ba2d98385a884c5059ba26f6312f156b43235f2726bf622061619e7654e63b3a44a4f428235de0acedfc59f5bd596d78229cc7bacfa634a
  • SSDEEP
    768:XkX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIoHq:6KcR4mjD9r827

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file (9 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a1a9518eccb04ac641890743df25d72.exe (depth 1)
    "C:\Users\Admin\AppData\Local\Temp\4a1a9518eccb04ac641890743df25d72.exe"
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Windows\CTS.exe (depth 2, child of PID 1248)
      "C:\Windows\CTS.exe"
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4956

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
    Filesize: 355KB
    MD5: 4689606c7f5befde2b71a0a2e82ade9f
    SHA1: 9008e1f5c7e519cba7fbe65d6d14fd3bc3b76765
    SHA256: 49a92c355bfac077ecd9caebabd44edde0ce07672d687b9957da755477467ecd
    SHA512: 4102dc6c73e1c2ca9c92c2a93174ab9f50735f1bcb7e65db57770ecdfab32047e8326c935a0d57f10e632cbf30481599177253696e8a8201df0804ac4afa7908

  • C:\Users\Admin\AppData\Local\Temp\0eIjEDzkZW87Uy3.exe
    Filesize: 32KB
    MD5: a5c65e1d641964a986703b3c445ec061
    SHA1: 253325fef15f01cc9756428c8d0ede065fa02ed6
    SHA256: 4708b91c880138b706ca3900d6ae61f1df8ed9d6fc0bcb0fe74eab58ea2a2eff
    SHA512: 6cdbb7381c37567753aa39fa4228a73b3dcaa89255cc827d05259cc19d53e2b67141b94f49ff3552c8abd2d4265cfe0687a053721fedeb716db53f87c0e0a633

  • C:\Windows\CTS.exe
    Filesize: 32KB
    MD5: 70c2b7b30042b4ef55eb264151a77fe7
    SHA1: d07aeeaa1a0fe8bb5d4f0bcd6832189716e1749a
    SHA256: fc44d7a036bb45e7299b6ed991cb7f83ea56130975b35f623719f16b06876120
    SHA512: 5146de549de6af31299c716958d86c52657d138e95b05634745b1d80d992f3c265c4f97a771148a3aa2538029e4d704f47f484c15b1b3fc1def7bb06e07cfa71

  • memory/1248-0-0x0000000000310000-0x0000000000327000-memory.dmp
    Filesize: 92KB
  • memory/1248-1-0x0000000000310000-0x0000000000327000-memory.dmp
    Filesize: 92KB
  • memory/1248-6-0x0000000000310000-0x0000000000327000-memory.dmp
    Filesize: 92KB
  • memory/1248-11-0x0000000000310000-0x0000000000327000-memory.dmp
    Filesize: 92KB
  • memory/4956-9-0x00000000003E0000-0x00000000003F7000-memory.dmp
    Filesize: 92KB
  • memory/4956-32-0x00000000003E0000-0x00000000003F7000-memory.dmp
    Filesize: 92KB