Analysis
  max time kernel: 149s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20240221-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 24/02/2024, 14:57
Behavioral task behavioral1
  Sample: a2225205742586130c18d1f65e2688d0.exe
  Resource: win7-20240215-en
Behavioral task behavioral2
  Sample: a2225205742586130c18d1f65e2688d0.exe
  Resource: win10v2004-20240221-en
General
  Target: a2225205742586130c18d1f65e2688d0.exe
  Size: 369KB
  MD5: a2225205742586130c18d1f65e2688d0
  SHA1: 59e5c184419736a9a05e63ab574f6db422573037
  SHA256: 300e447312373cb4ed1dbfab0b84a49ef7da51697a9e289441900177087dfd56
  SHA512: cf575794cc7e7633bab5a4559cbad51327b10100dcaeddce7e8dca469689d06fbc636a822ddb92e90ccd46a5f1f17ceed86397296ec4f51daea306116e88b322
  SSDEEP: 6144:/PtDM7Wr7HeWjgkRbMJ401RNocTNhrERPu0onIPdb9uPoBJn0EMy2BRsrEk0l6oA:/I7WXR4PRbTwRm0vFwwBJn0EMyMRsQkV
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid | Process
  64 | m05IsmrUYypsw9X.exe
  3096 | CTS.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

yara_rule matches: upx (6 IoCs)
  resource | yara_rule
  behavioral2/memory/1588-0-0x0000000000250000-0x0000000000267000-memory.dmp | upx
  behavioral2/files/0x0008000000023204-7.dat | upx
  behavioral2/memory/3096-8-0x0000000000CB0000-0x0000000000CC7000-memory.dmp | upx
  behavioral2/memory/1588-9-0x0000000000250000-0x0000000000267000-memory.dmp | upx
  behavioral2/files/0x0003000000022765-12.dat | upx
  behavioral2/memory/3096-33-0x0000000000CB0000-0x0000000000CC7000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | a2225205742586130c18d1f65e2688d0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | CTS.exe
  Note: the WOW6432Node path is the registry-redirected view that a 32-bit process writes on x64 (the resource tags list arch:x86); Windows processes both the native and the WOW6432Node Run keys at logon, so this entry is effective persistence. Both the dropper and the dropped copy (re)write the same value.

Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\CTS.exe | a2225205742586130c18d1f65e2688d0.exe
  File created | C:\Windows\CTS.exe | CTS.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1588 | a2225205742586130c18d1f65e2688d0.exe
  Token: SeDebugPrivilege | 3096 | CTS.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1588 wrote to memory of 3096 | 1588 | a2225205742586130c18d1f65e2688d0.exe | 90
  PID 1588 wrote to memory of 3096 | 1588 | a2225205742586130c18d1f65e2688d0.exe | 90
  PID 1588 wrote to memory of 3096 | 1588 | a2225205742586130c18d1f65e2688d0.exe | 90
Processes
  C:\Users\Admin\AppData\Local\Temp\a2225205742586130c18d1f65e2688d0.exe (PID 1588)
    command line: "C:\Users\Admin\AppData\Local\Temp\a2225205742586130c18d1f65e2688d0.exe"
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\m05IsmrUYypsw9X.exe (PID 64, child of 1588)
        command line: C:\Users\Admin\AppData\Local\Temp\m05IsmrUYypsw9X.exe
        - Executes dropped EXE
      C:\Windows\CTS.exe (PID 3096, child of 1588)
        command line: "C:\Windows\CTS.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
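The Signatures and Processes sections above describe a short chain: the sample drops CTS.exe directly into C:\Windows, registers it under an HKLM Run key, and then launches it as a child process. The following is an added example, not part of the Triage report or its tooling, showing how a detection engineer can turn that chain into host-side correlation logic. It models Sysmon-style events as plain dicts (EventID 1 = ProcessCreate, 11 = FileCreate, 13 = RegistryValueSet, with Sysmon's Image / TargetFilename / TargetObject / Details field names); the SAMPLE_EVENTS list is constructed from the report's PIDs, paths and registry value, plus one benign installer event for contrast. The parent PID 900 for the dropper is an assumption.

```python
"""Correlate drop-to-Windows-dir + Run-key persistence + execution of the dropped file.

Added example modelled on the report above; events are constructed, not captured.
"""
import re

# Any value directly under a CurrentVersion\Run key, including the WOW6432Node
# view that a 32-bit process writes on x64 (the path the report records).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
# An executable placed directly in the Windows directory, not in a subfolder.
WINDOWS_DIR_EXE_RE = re.compile(r"^[a-z]:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\a2225205742586130c18d1f65e2688d0.exe"
DROPPED = r"C:\Windows\CTS.exe"
RUN_VALUE = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS"

# Constructed events mirroring the report's process tree and IoCs (parent PID 900 is assumed).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1588, "ParentProcessId": 900, "Image": DROPPER},
    {"EventID": 11, "ProcessId": 1588, "Image": DROPPER, "TargetFilename": DROPPED},
    {"EventID": 13, "ProcessId": 1588, "Image": DROPPER, "TargetObject": RUN_VALUE, "Details": DROPPED},
    {"EventID": 1, "ProcessId": 64, "ParentProcessId": 1588,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\m05IsmrUYypsw9X.exe"},
    {"EventID": 1, "ProcessId": 3096, "ParentProcessId": 1588, "Image": DROPPED},
    # The dropped copy rewrites the same file and Run value (both listed in the report).
    {"EventID": 11, "ProcessId": 3096, "Image": DROPPED, "TargetFilename": DROPPED},
    {"EventID": 13, "ProcessId": 3096, "Image": DROPPED, "TargetObject": RUN_VALUE, "Details": DROPPED},
    # Benign contrast: an installer registering its app under Run from Program Files.
    {"EventID": 13, "ProcessId": 4000, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"C:\Program Files\Vendor\app.exe"},
]


def _norm(path):
    """Case-fold and strip surrounding quotes so quoted and differently-cased paths compare equal."""
    return path.strip('"').lower()


def run_key_values(events):
    """Return (pid, value name, normalised target path) for every Run-key value that was set."""
    hits = []
    for e in events:
        if e.get("EventID") == 13 and RUN_KEY_RE.search(e.get("TargetObject", "")):
            name = e["TargetObject"].rsplit("\\", 1)[-1]
            hits.append((e["ProcessId"], name, _norm(e.get("Details", ""))))
    return hits


def exes_dropped_in_windows_dir(events):
    """Return (pid, normalised path) for executables created directly under the Windows directory."""
    return [(e["ProcessId"], _norm(e["TargetFilename"]))
            for e in events
            if e.get("EventID") == 11 and WINDOWS_DIR_EXE_RE.match(e.get("TargetFilename", ""))]


def detect_drop_persist_execute(events):
    """Raise one alert per process that drops an .exe into the Windows directory,
    points a Run value at that same file, and then launches it as a child.

    Each signal on its own is noisy (installers write Run keys; updaters write
    into C:\\Windows); the three together on one process are not.
    """
    dropped = set(exes_dropped_in_windows_dir(events))
    alerts = []
    for pid, name, target in run_key_values(events):
        if (pid, target) not in dropped:
            continue
        children = [e["ProcessId"] for e in events
                    if e.get("EventID") == 1 and e.get("ParentProcessId") == pid
                    and _norm(e.get("Image", "")) == target]
        if children:
            alerts.append({"dropper_pid": pid, "run_value": name,
                           "image": target, "child_pids": children})
    return alerts


if __name__ == "__main__":
    for a in detect_drop_persist_execute(SAMPLE_EVENTS):
        print(f"ALERT pid={a['dropper_pid']} Run\\{a['run_value']} -> {a['image']} "
              f"executed as pid(s) {a['child_pids']}")
```

Run as a script it emits a single alert for PID 1588; PID 3096 rewrites the same file and Run value but never spawns a child from that path, and the installer's Run value does not point at a file it dropped into C:\Windows, so neither fires. Swap SAMPLE_EVENTS for parsed Sysmon or EDR events to use it on real telemetry.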
Network
MITRE ATT&CK Enterprise v15
Downloads
  File 1
    Filesize: 357KB
    MD5: bd47722404c90c07c0232536d77436e0
    SHA1: 81c7a6ca02f0182bd4712133ef8392d18697f418
    SHA256: 0526c692d7cf30fc1efd314e0e73b51cf7ed7865668a0034ea1f5b857b14287b
    SHA512: d6bb600e528742baa453a598014999f404732908bb4ddd3d00511c2c34e001dddd6016d6fd514260cd71e60eda9a424b45826cc715fa40adca2dcfadb16e5b66
  File 2
    Filesize: 369KB
    MD5: 4e16abc029af9127e2a9431551228bad
    SHA1: 33524cafe4cd2d77258357a8af87e05465536009
    SHA256: 12b17ffa2654659084db871a24a72e72f32728ef5ecec1b1da4fba45c0303b54
    SHA512: 50d3e234600a3d20433617f8aeccc87951dd8d404ee07a875568ba228101dd7c1ddadca77ff9c88c22bf2931cdba0e8f8e5cc9f737c702a7ec93b53a1d141dee
  File 3
    Filesize: 334KB
    MD5: f310d4e936b68a5d76b7b808507e99f9
    SHA1: 6dccf493508f97212688413bec28f86befbff8e2
    SHA256: 58b7e175725ddf68a7a6c891889daaa3b7d4f90c14bfcff287cb3336cbd7da60
    SHA512: daead56dfdd7b4a7a8fabdc6e12144273aae244aa90817d76281e5a7414e3f07ca2761f481bda91a47fc3c1c911ff1783e7421e566e3b3fc59b443de141d9e5d
  File 4
    Filesize: 35KB
    MD5: 93e5f18caebd8d4a2c893e40e5f38232
    SHA1: fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6
    SHA256: a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8
    SHA512: 986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54