Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    10/01/2024, 16:43

General

  • Target

    5115238a76ae23232fa810ad55091309.exe

  • Size

    123KB

  • MD5

    5115238a76ae23232fa810ad55091309

  • SHA1

    bd76b05f881e3f6f4033db9125d38fc05083521a

  • SHA256

    74c71e3021d6bc23a08cc8019b8bfc648d83e164edb4aafb63dd2b88168a0f43

  • SHA512

    0c2f3c31535f8e1ab52ccfefcb80ac851c3e847dd378b0728d6fee97bd1ae9552012bf626c639e4588b844419f3e0dc22d417a652219d86adeed061559a3e478

  • SSDEEP

    3072:SKcWmjRrz3ZKcWmjRrz36LZ7YCKnF8VDfq3mCqUT:hGyG4UOVDfq3mCr

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5115238a76ae23232fa810ad55091309.exe
    "C:\Users\Admin\AppData\Local\Temp\5115238a76ae23232fa810ad55091309.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Users\Admin\AppData\Local\Temp\Dd8tzQF1DYfSyg2.exe
      C:\Users\Admin\AppData\Local\Temp\Dd8tzQF1DYfSyg2.exe
      2⤵
      • Executes dropped EXE
      PID:2476
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2328

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Dd8tzQF1DYfSyg2.exe

    Filesize

    123KB

    MD5

    ef296205718c8588c1c800ff1bfeee37

    SHA1

    42703a10e713fc2f09a759588979a5d3464e000d

    SHA256

    3b0d4cabc9167e87d23536f1913c420ab8a039bf172b188080dd6201c1aa345b

    SHA512

    4e42ce05552eb1f79d1f3d33a5f3875958f809fa599b2087a9b19d86b45540f08541f70f98635d6b5e7f8c3c95e495fdab4bc1afe99a5e15f094ca219ed3523b

  • C:\Windows\CTS.exe

    Filesize

    59KB

    MD5

    5efd390d5f95c8191f5ac33c4db4b143

    SHA1

    42d81b118815361daa3007f1a40f1576e9a9e0bc

    SHA256

    6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74

    SHA512

    720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d

  • \Users\Admin\AppData\Local\Temp\Dd8tzQF1DYfSyg2.exe

    Filesize

    64KB

    MD5

    a32a382b8a5a906e03a83b4f3e5b7a9b

    SHA1

    11e2bdd0798761f93cce363329996af6c17ed796

    SHA256

    75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346

    SHA512

    ec87dd957be21b135212454646dcabdd7ef9442cf714e2c1f6b42b81f0c3fa3b1875bde9a8b538e8a0aa2190225649c29e9ed0f25176e7659e55e422dd4efe4c

  • memory/2328-18-0x00000000008E0000-0x00000000008F7000-memory.dmp

    Filesize

    92KB

  • memory/2472-0-0x0000000000090000-0x00000000000A7000-memory.dmp

    Filesize

    92KB

  • memory/2472-15-0x0000000000090000-0x00000000000A7000-memory.dmp

    Filesize

    92KB

  • memory/2472-14-0x0000000000070000-0x0000000000087000-memory.dmp

    Filesize

    92KB

  • memory/2472-24-0x0000000000070000-0x0000000000087000-memory.dmp

    Filesize

    92KB