Analysis
max time kernel: 140s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25/02/2024, 05:09
Behavioral task behavioral1
Sample: a2f9230b9f3cf5d35621bee925a57057.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: a2f9230b9f3cf5d35621bee925a57057.exe
Resource: win10v2004-20240221-en
General
Target: a2f9230b9f3cf5d35621bee925a57057.exe
Size: 393KB
MD5: a2f9230b9f3cf5d35621bee925a57057
SHA1: 4fd726a244348fafe97905a67e3890f8cce605e0
SHA256: 5717bf456130fadb8c206e6affd7ef8ae896b4228a69f9e3b7cd1da2f90be2b1
SHA512: e2f3f5d19eee210c1fe04102cd2b01f6a8d388e5c1c47d16c4a952837c4f842867f0e068d4b9fa9c9d09bcc85d4e2b6f19a0fc2131aff607f9923896da7a4f5d
SSDEEP: 6144:hGyGar3rO+xX/veMg1r0O4N0hvsrSGbijtL1wtAfmYLfk:h3pXOcvWMg1ro6hvRYijp7fLg
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
pid   Process
1616  iTmD2lItSZJyOoK.exe
2740  CTS.exe

Loads dropped DLL (1 IoC)
pid   Process
2168  a2f9230b9f3cf5d35621bee925a57057.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

YARA matches
resource                                                                        yara_rule
behavioral1/memory/2168-0-0x00000000008A0000-0x00000000008B7000-memory.dmp      upx
behavioral1/memory/2168-8-0x0000000000280000-0x0000000000297000-memory.dmp      upx
behavioral1/memory/2168-12-0x00000000008A0000-0x00000000008B7000-memory.dmp     upx
behavioral1/files/0x000d00000001232c-14.dat                                     upx
behavioral1/memory/2740-15-0x0000000000280000-0x0000000000297000-memory.dmp     upx

Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                              Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"       a2f9230b9f3cf5d35621bee925a57057.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"       CTS.exe

Drops file in Windows directory (2 IoCs)
description   ioc                 Process
File created  C:\Windows\CTS.exe  a2f9230b9f3cf5d35621bee925a57057.exe
File created  C:\Windows\CTS.exe  CTS.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid   Process
Token: SeDebugPrivilege   2168  a2f9230b9f3cf5d35621bee925a57057.exe
Token: SeDebugPrivilege   2740  CTS.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description                           pid   Process                               procid_target
PID 2168 wrote to memory of 2740      2168  a2f9230b9f3cf5d35621bee925a57057.exe  29
PID 2168 wrote to memory of 2740      2168  a2f9230b9f3cf5d35621bee925a57057.exe  29
PID 2168 wrote to memory of 2740      2168  a2f9230b9f3cf5d35621bee925a57057.exe  29
PID 2168 wrote to memory of 2740      2168  a2f9230b9f3cf5d35621bee925a57057.exe  29
Processes

C:\Users\Admin\AppData\Local\Temp\a2f9230b9f3cf5d35621bee925a57057.exe (PID 2168)
  command line: "C:\Users\Admin\AppData\Local\Temp\a2f9230b9f3cf5d35621bee925a57057.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\iTmD2lItSZJyOoK.exe (PID 1616)
      command line: C:\Users\Admin\AppData\Local\Temp\iTmD2lItSZJyOoK.exe
      - Executes dropped EXE

    C:\Windows\CTS.exe (PID 2740)
      command line: "C:\Windows\CTS.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 393KB
MD5: a00f46ca4c0855722835cc576bb82151
SHA1: c0576ff0800623fbd23f986cf5b00a000479cf93
SHA256: df0e6f4e8669ceaaae4c448c0e771a55e60f291857d226649f613f72acc3cf37
SHA512: d8325f914ab7f9119c500e9f59a01f1128f72b53df6281b41dbc0dfd66fc3efbee0194a0c7501c39f4f65b08a5fefe1da87a4844cf5f973497d587afe613c528

File 2
Filesize: 59KB
MD5: 5efd390d5f95c8191f5ac33c4db4b143
SHA1: 42d81b118815361daa3007f1a40f1576e9a9e0bc
SHA256: 6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74
SHA512: 720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d

File 3
Filesize: 334KB
MD5: f310d4e936b68a5d76b7b808507e99f9
SHA1: 6dccf493508f97212688413bec28f86befbff8e2
SHA256: 58b7e175725ddf68a7a6c891889daaa3b7d4f90c14bfcff287cb3336cbd7da60
SHA512: daead56dfdd7b4a7a8fabdc6e12144273aae244aa90817d76281e5a7414e3f07ca2761f481bda91a47fc3c1c911ff1783e7421e566e3b3fc59b443de141d9e5d