Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
12/02/2024, 21:49
Behavioral task
behavioral1
Sample
97b0b1c06121cf6c3c56b4e5b4bf678a.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
97b0b1c06121cf6c3c56b4e5b4bf678a.exe
Resource
win10v2004-20231215-en
General
-
Target
97b0b1c06121cf6c3c56b4e5b4bf678a.exe
-
Size
29KB
-
MD5
97b0b1c06121cf6c3c56b4e5b4bf678a
-
SHA1
c5a6f4522a0a9e9c404025c5a65a30e71d6096dc
-
SHA256
1eabd0196907f69e2ec31cb4e77a0f23fbefc7be7c37cf7399261287b3ddf330
-
SHA512
4bd6fe55c847896901b87ebb82cc97d8b120730ab624f4b16605a9ed34187fdc8398f160bc5b0bc7b8fb135e29fa9af9ce82ba884ebb88a7abb877f1b6cf4b4c
-
SSDEEP
768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFw:SKcR4mjD9r823Fw
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2764 CTS.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2336-0-0x0000000000EC0000-0x0000000000ED7000-memory.dmp upx behavioral1/memory/2336-5-0x00000000000E0000-0x00000000000F7000-memory.dmp upx behavioral1/files/0x000d0000000122f8-8.dat upx behavioral1/memory/2764-12-0x0000000000030000-0x0000000000047000-memory.dmp upx behavioral1/memory/2336-9-0x0000000000EC0000-0x0000000000ED7000-memory.dmp upx behavioral1/files/0x000c00000001225a-14.dat upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 97b0b1c06121cf6c3c56b4e5b4bf678a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\CTS.exe 97b0b1c06121cf6c3c56b4e5b4bf678a.exe File created C:\Windows\CTS.exe CTS.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2336 97b0b1c06121cf6c3c56b4e5b4bf678a.exe Token: SeDebugPrivilege 2764 CTS.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2336 wrote to memory of 2764 2336 97b0b1c06121cf6c3c56b4e5b4bf678a.exe 28 PID 2336 wrote to memory of 2764 2336 97b0b1c06121cf6c3c56b4e5b4bf678a.exe 28 PID 2336 wrote to memory of 2764 2336 97b0b1c06121cf6c3c56b4e5b4bf678a.exe 28 PID 2336 wrote to memory of 2764 2336 97b0b1c06121cf6c3c56b4e5b4bf678a.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\97b0b1c06121cf6c3c56b4e5b4bf678a.exe"C:\Users\Admin\AppData\Local\Temp\97b0b1c06121cf6c3c56b4e5b4bf678a.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
29KB
MD50a67ab098b3539e7ded8136630f283c8
SHA1c96fc89a6a0a23edbeeb08831384b05f6caeaa5b
SHA256dccc9c656e675abd7afbfa9a98a6b1320043c89b5ec2527f708875127dbfd938
SHA512465b582ab1d4151273173a6eec515a12701fd39b8064db6bbaa2534f701776bd4ff93e21be15d20d88215409ab8e0eb2058efb54621a032aaa81c9d60864f880
-
Filesize
29KB
MD570aa23c9229741a9b52e5ce388a883ac
SHA1b42683e21e13de3f71db26635954d992ebe7119e
SHA2569d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5