Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
12/01/2024, 18:59
Behavioral task
behavioral1
Sample
573ffa96a1eef92c16afe4abb49eba66.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
573ffa96a1eef92c16afe4abb49eba66.exe
Resource
win10v2004-20231215-en
General
-
Target
573ffa96a1eef92c16afe4abb49eba66.exe
-
Size
85KB
-
MD5
573ffa96a1eef92c16afe4abb49eba66
-
SHA1
22a1786eea9b288b700f2d06ee81f3c1f7752a0e
-
SHA256
c79979c67ec4b3318e16cc6fed8015dd9a51cef8ecd9210c6e68e66df3c6868b
-
SHA512
bc9f87aa028ca5d0590c164b05ae5e5f921edad7122d9ea1e9a6048f95a92ce2268bbeed906b07594d40a2e9431d6e32b1f49f439d1b66ab9f23e6ad7a040878
-
SSDEEP
1536:SKcR4mjD9r823FwUWQtgyeHwVmW2CNbjcuBEJsJUmFlN+Qo0/:SKcWmjRrz3GUWQtLGwp2svcuuSJ3UL0/
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 940 RZEpLh0UP8cGOLp.exe 1244 CTS.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/4832-0-0x0000000000760000-0x0000000000777000-memory.dmp upx behavioral2/files/0x000700000002321b-6.dat upx behavioral2/memory/4832-7-0x0000000000760000-0x0000000000777000-memory.dmp upx behavioral2/memory/1244-8-0x0000000000940000-0x0000000000957000-memory.dmp upx behavioral2/files/0x000900000001e7e2-13.dat upx behavioral2/memory/1244-43-0x0000000000940000-0x0000000000957000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 573ffa96a1eef92c16afe4abb49eba66.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\CTS.exe 573ffa96a1eef92c16afe4abb49eba66.exe File created C:\Windows\CTS.exe CTS.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 4832 573ffa96a1eef92c16afe4abb49eba66.exe Token: SeDebugPrivilege 1244 CTS.exe Token: SeBackupPrivilege 4280 dw20.exe Token: SeBackupPrivilege 4280 dw20.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 4832 wrote to memory of 940 4832 573ffa96a1eef92c16afe4abb49eba66.exe 89 PID 4832 wrote to memory of 940 4832 573ffa96a1eef92c16afe4abb49eba66.exe 89 PID 4832 wrote to memory of 1244 4832 573ffa96a1eef92c16afe4abb49eba66.exe 91 PID 4832 wrote to memory of 1244 4832 573ffa96a1eef92c16afe4abb49eba66.exe 91 PID 4832 wrote to memory of 1244 4832 573ffa96a1eef92c16afe4abb49eba66.exe 91 PID 940 wrote to memory of 4280 940 RZEpLh0UP8cGOLp.exe 92 PID 940 wrote to memory of 4280 940 RZEpLh0UP8cGOLp.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\573ffa96a1eef92c16afe4abb49eba66.exe"C:\Users\Admin\AppData\Local\Temp\573ffa96a1eef92c16afe4abb49eba66.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Users\Admin\AppData\Local\Temp\RZEpLh0UP8cGOLp.exeC:\Users\Admin\AppData\Local\Temp\RZEpLh0UP8cGOLp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 8083⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4280
-
-
-
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1244
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
352KB
MD52a70c42089a7050040e87d8f8a9b03d6
SHA167f0b606f488a9bd9ef8e2710a856abdb04ea874
SHA2568003d0b82cd12826b476b6d11aa8c82c98a4bd32ea9ec6ea73ad237552ff1397
SHA512e1714d011b4caaa2ef9a831fce4d4ccd9826e42da2e2f0f0057057716843f82f6176daa13d7f57459182af0b4c29af8a8f6ac54bc0c30093eedd0c22a6e1c9f4
-
Filesize
56KB
MD5e115521ba14b75f53dcdff087ec6898f
SHA187103a892bb514a93d485fba221bacb9da3aae25
SHA25659b284d0ad4c2634938e70fae67d9048bd98422d052fbd745a9b80b5fae7ae29
SHA512ab3d097bcf11bf7327a28124052b210f5fb13b9bfb9b7376cae1ba5c30182a330506935288a7fe06b7e3fdd82b57f5c31638f1c301738342819c772b346fa35a
-
Filesize
29KB
MD570aa23c9229741a9b52e5ce388a883ac
SHA1b42683e21e13de3f71db26635954d992ebe7119e
SHA2569d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5