Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/02/2024, 14:57

General

  • Target

    a2225205742586130c18d1f65e2688d0.exe

  • Size

    369KB

  • MD5

    a2225205742586130c18d1f65e2688d0

  • SHA1

    59e5c184419736a9a05e63ab574f6db422573037

  • SHA256

    300e447312373cb4ed1dbfab0b84a49ef7da51697a9e289441900177087dfd56

  • SHA512

    cf575794cc7e7633bab5a4559cbad51327b10100dcaeddce7e8dca469689d06fbc636a822ddb92e90ccd46a5f1f17ceed86397296ec4f51daea306116e88b322

  • SSDEEP

    6144:/PtDM7Wr7HeWjgkRbMJ401RNocTNhrERPu0onIPdb9uPoBJn0EMy2BRsrEk0l6oA:/I7WXR4PRbTwRm0vFwwBJn0EMyMRsQkV

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2225205742586130c18d1f65e2688d0.exe
    "C:\Users\Admin\AppData\Local\Temp\a2225205742586130c18d1f65e2688d0.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Users\Admin\AppData\Local\Temp\m05IsmrUYypsw9X.exe
      C:\Users\Admin\AppData\Local\Temp\m05IsmrUYypsw9X.exe
      2⤵
      • Executes dropped EXE
      PID:64
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3096

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

    Filesize

    357KB

    MD5

    bd47722404c90c07c0232536d77436e0

    SHA1

    81c7a6ca02f0182bd4712133ef8392d18697f418

    SHA256

    0526c692d7cf30fc1efd314e0e73b51cf7ed7865668a0034ea1f5b857b14287b

    SHA512

    d6bb600e528742baa453a598014999f404732908bb4ddd3d00511c2c34e001dddd6016d6fd514260cd71e60eda9a424b45826cc715fa40adca2dcfadb16e5b66

  • C:\Users\Admin\AppData\Local\Temp\m05IsmrUYypsw9X.exe

    Filesize

    369KB

    MD5

    4e16abc029af9127e2a9431551228bad

    SHA1

    33524cafe4cd2d77258357a8af87e05465536009

    SHA256

    12b17ffa2654659084db871a24a72e72f32728ef5ecec1b1da4fba45c0303b54

    SHA512

    50d3e234600a3d20433617f8aeccc87951dd8d404ee07a875568ba228101dd7c1ddadca77ff9c88c22bf2931cdba0e8f8e5cc9f737c702a7ec93b53a1d141dee

  • C:\Users\Admin\AppData\Local\Temp\m05IsmrUYypsw9X.exe

    Filesize

    334KB

    MD5

    f310d4e936b68a5d76b7b808507e99f9

    SHA1

    6dccf493508f97212688413bec28f86befbff8e2

    SHA256

    58b7e175725ddf68a7a6c891889daaa3b7d4f90c14bfcff287cb3336cbd7da60

    SHA512

    daead56dfdd7b4a7a8fabdc6e12144273aae244aa90817d76281e5a7414e3f07ca2761f481bda91a47fc3c1c911ff1783e7421e566e3b3fc59b443de141d9e5d

  • C:\Windows\CTS.exe

    Filesize

    35KB

    MD5

    93e5f18caebd8d4a2c893e40e5f38232

    SHA1

    fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6

    SHA256

    a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8

    SHA512

    986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54

  • memory/1588-0-0x0000000000250000-0x0000000000267000-memory.dmp

    Filesize

    92KB

  • memory/1588-9-0x0000000000250000-0x0000000000267000-memory.dmp

    Filesize

    92KB

  • memory/3096-8-0x0000000000CB0000-0x0000000000CC7000-memory.dmp

    Filesize

    92KB

  • memory/3096-33-0x0000000000CB0000-0x0000000000CC7000-memory.dmp

    Filesize

    92KB