Analysis
- Max time kernel: 141s
- Max time network: 138s
- Platform: windows7_x64
- Resource: win7-20231215-en
- Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- Submitted: 10/01/2024, 16:43
Behavioral task behavioral1
- Sample: 5115238a76ae23232fa810ad55091309.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: 5115238a76ae23232fa810ad55091309.exe
- Resource: win10v2004-20231215-en
General
- Target: 5115238a76ae23232fa810ad55091309.exe
- Size: 123KB
- MD5: 5115238a76ae23232fa810ad55091309
- SHA1: bd76b05f881e3f6f4033db9125d38fc05083521a
- SHA256: 74c71e3021d6bc23a08cc8019b8bfc648d83e164edb4aafb63dd2b88168a0f43
- SHA512: 0c2f3c31535f8e1ab52ccfefcb80ac851c3e847dd378b0728d6fee97bd1ae9552012bf626c639e4588b844419f3e0dc22d417a652219d86adeed061559a3e478
- SSDEEP: 3072:SKcWmjRrz3ZKcWmjRrz36LZ7YCKnF8VDfq3mCqUT:hGyG4UOVDfq3mCr
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid / Process:
  2476 Dd8tzQF1DYfSyg2.exe
  2328 CTS.exe
- Loads dropped DLL (2 IoCs)
  pid / Process:
  2472 5115238a76ae23232fa810ad55091309.exe
  2472 5115238a76ae23232fa810ad55091309.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- resource / yara_rule:
  behavioral1/memory/2472-0-0x0000000000090000-0x00000000000A7000-memory.dmp upx
  behavioral1/memory/2472-15-0x0000000000090000-0x00000000000A7000-memory.dmp upx
  behavioral1/memory/2472-14-0x0000000000070000-0x0000000000087000-memory.dmp upx
  behavioral1/files/0x0008000000012281-13.dat upx
  behavioral1/memory/2328-18-0x00000000008E0000-0x00000000008F7000-memory.dmp upx
  behavioral1/files/0x000b00000001225c-20.dat upx
  behavioral1/memory/2472-24-0x0000000000070000-0x0000000000087000-memory.dmp upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / Process:
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 5115238a76ae23232fa810ad55091309.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe
- Drops file in Windows directory (2 IoCs)
  description / ioc / Process:
  File created C:\Windows\CTS.exe 5115238a76ae23232fa810ad55091309.exe
  File created C:\Windows\CTS.exe CTS.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege 2472 5115238a76ae23232fa810ad55091309.exe
  Token: SeDebugPrivilege 2328 CTS.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target:
  PID 2472 wrote to memory of 2476 2472 5115238a76ae23232fa810ad55091309.exe 28
  PID 2472 wrote to memory of 2476 2472 5115238a76ae23232fa810ad55091309.exe 28
  PID 2472 wrote to memory of 2476 2472 5115238a76ae23232fa810ad55091309.exe 28
  PID 2472 wrote to memory of 2476 2472 5115238a76ae23232fa810ad55091309.exe 28
  PID 2472 wrote to memory of 2328 2472 5115238a76ae23232fa810ad55091309.exe 30
  PID 2472 wrote to memory of 2328 2472 5115238a76ae23232fa810ad55091309.exe 30
  PID 2472 wrote to memory of 2328 2472 5115238a76ae23232fa810ad55091309.exe 30
  PID 2472 wrote to memory of 2328 2472 5115238a76ae23232fa810ad55091309.exe 30
Processes
- C:\Users\Admin\AppData\Local\Temp\5115238a76ae23232fa810ad55091309.exe "C:\Users\Admin\AppData\Local\Temp\5115238a76ae23232fa810ad55091309.exe" (depth 1, PID 2472)
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Dd8tzQF1DYfSyg2.exe C:\Users\Admin\AppData\Local\Temp\Dd8tzQF1DYfSyg2.exe (depth 2, PID 2476)
    - Executes dropped EXE
  - C:\Windows\CTS.exe "C:\Windows\CTS.exe" (depth 2, PID 2328)
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 123KB
  MD5: ef296205718c8588c1c800ff1bfeee37
  SHA1: 42703a10e713fc2f09a759588979a5d3464e000d
  SHA256: 3b0d4cabc9167e87d23536f1913c420ab8a039bf172b188080dd6201c1aa345b
  SHA512: 4e42ce05552eb1f79d1f3d33a5f3875958f809fa599b2087a9b19d86b45540f08541f70f98635d6b5e7f8c3c95e495fdab4bc1afe99a5e15f094ca219ed3523b
- Filesize: 59KB
  MD5: 5efd390d5f95c8191f5ac33c4db4b143
  SHA1: 42d81b118815361daa3007f1a40f1576e9a9e0bc
  SHA256: 6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74
  SHA512: 720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d
- Filesize: 64KB
  MD5: a32a382b8a5a906e03a83b4f3e5b7a9b
  SHA1: 11e2bdd0798761f93cce363329996af6c17ed796
  SHA256: 75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346
  SHA512: ec87dd957be21b135212454646dcabdd7ef9442cf714e2c1f6b42b81f0c3fa3b1875bde9a8b538e8a0aa2190225649c29e9ed0f25176e7659e55e422dd4efe4c