Analysis
max time kernel: 140s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 04/03/2024, 13:45
Behavioral task: behavioral1
Sample: b246e55df34671bdda4bdb3451634aa2.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: b246e55df34671bdda4bdb3451634aa2.exe
Resource: win10v2004-20240226-en
General
Target: b246e55df34671bdda4bdb3451634aa2.exe
Size: 1.8MB
MD5: b246e55df34671bdda4bdb3451634aa2
SHA1: c364a3dce87dd37f30bf9b7ca0b4acb2ebc6fd8c
SHA256: 2e1e00ecb82b5055185935ada275a1022daa7849f052ccd62d5d708a94524357
SHA512: 862e83733cc833852b4b3259ec2fe5545e4fe0a7b5fe451404d3ccefac6fe73686d955ceaaf90c491fb027ef47495adcd5fe227b6b5d5ec1e58d1b8eb699c3c6
SSDEEP: 49152:SYkiFwgZwmfOf6h/nhQ3De0jU5SQZW/W7xn59eyXMKl4CIq:vfZpG4nhsDXCSl/W7X4xKaJq
Malware Config

Signatures
Executes dropped EXE (3 IoCs)
pid | Process
2588 | DS2AYELno1notcd.exe
2852 | CTS.exe
2632 | DS2AYELno1notcd.exe

Loads dropped DLL (2 IoCs)
pid | Process
2088 | b246e55df34671bdda4bdb3451634aa2.exe
2588 | DS2AYELno1notcd.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
behavioral1/memory/2088-0-0x0000000000C10000-0x0000000000C27000-memory.dmp | upx
behavioral1/memory/2088-17-0x0000000000C10000-0x0000000000C27000-memory.dmp | upx
behavioral1/memory/2852-26-0x0000000000260000-0x0000000000277000-memory.dmp | upx
behavioral1/files/0x000a000000015cb1-23.dat | upx
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | b246e55df34671bdda4bdb3451634aa2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | CTS.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\CTS.exe | b246e55df34671bdda4bdb3451634aa2.exe
File created | C:\Windows\CTS.exe | CTS.exe
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | DS2AYELno1notcd.exe

Modifies system certificate store
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (hex-encoded certificate blob omitted) | DS2AYELno1notcd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | DS2AYELno1notcd.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2088 | b246e55df34671bdda4bdb3451634aa2.exe
Token: SeDebugPrivilege | 2852 | CTS.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2632 | DS2AYELno1notcd.exe
2632 | DS2AYELno1notcd.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 2088 wrote to memory of 2588 | 2088 | b246e55df34671bdda4bdb3451634aa2.exe | 28
PID 2088 wrote to memory of 2588 | 2088 | b246e55df34671bdda4bdb3451634aa2.exe | 28
PID 2088 wrote to memory of 2588 | 2088 | b246e55df34671bdda4bdb3451634aa2.exe | 28
PID 2088 wrote to memory of 2588 | 2088 | b246e55df34671bdda4bdb3451634aa2.exe | 28
PID 2088 wrote to memory of 2588 | 2088 | b246e55df34671bdda4bdb3451634aa2.exe | 28
PID 2088 wrote to memory of 2588 | 2088 | b246e55df34671bdda4bdb3451634aa2.exe | 28
PID 2088 wrote to memory of 2588 | 2088 | b246e55df34671bdda4bdb3451634aa2.exe | 28
PID 2088 wrote to memory of 2852 | 2088 | b246e55df34671bdda4bdb3451634aa2.exe | 29
PID 2088 wrote to memory of 2852 | 2088 | b246e55df34671bdda4bdb3451634aa2.exe | 29
PID 2088 wrote to memory of 2852 | 2088 | b246e55df34671bdda4bdb3451634aa2.exe | 29
PID 2088 wrote to memory of 2852 | 2088 | b246e55df34671bdda4bdb3451634aa2.exe | 29
PID 2588 wrote to memory of 2632 | 2588 | DS2AYELno1notcd.exe | 30
PID 2588 wrote to memory of 2632 | 2588 | DS2AYELno1notcd.exe | 30
PID 2588 wrote to memory of 2632 | 2588 | DS2AYELno1notcd.exe | 30
PID 2588 wrote to memory of 2632 | 2588 | DS2AYELno1notcd.exe | 30
PID 2588 wrote to memory of 2632 | 2588 | DS2AYELno1notcd.exe | 30
PID 2588 wrote to memory of 2632 | 2588 | DS2AYELno1notcd.exe | 30
PID 2588 wrote to memory of 2632 | 2588 | DS2AYELno1notcd.exe | 30
Processes
C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe"
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2088

    C:\Users\Admin\AppData\Local\Temp\DS2AYELno1notcd.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\DS2AYELno1notcd.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2588

        C:\Users\Admin\AppData\Local\Temp\jds259398540.tmp\DS2AYELno1notcd.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\jds259398540.tmp\DS2AYELno1notcd.exe"
        - Executes dropped EXE
        - Modifies Internet Explorer settings
        - Modifies system certificate store
        - Suspicious use of SetWindowsHookEx
        PID: 2632

    C:\Windows\CTS.exe
    Command line: "C:\Windows\CTS.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 2852
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.6MB
MD5: 109cbe148f827137c3ba62261f01b29b
SHA1: 2cc02b09da46d9e5d0ac1b306a0bbcc12bfe4c12
SHA256: 394ad6212e4866cc8e6d1834df8f70538dddf09d23dfa65ea204b22c012b541a
SHA512: a2dfa03dd290540bcfeda6cfd7d6ed891700742b4323d8c8dbfc4c822386ef1ddfff5cf71b2e5d7be9ec72fb6fc2145ff6ffc440823187d6956d5aa2794c5799

Filesize: 1KB
MD5: 253e8250a163eaf7cb4fb913a010a129
SHA1: 189fd76784d9b896c6d52e2b469ec6bf019c038e
SHA256: 89b8077d52131ccf7110a39e0bcaa4694016aa35c90dddb7403f3c41f4b5372d
SHA512: 8025974a98e7e7c6df047efffe262926ced59f0af787d9712da7aa17d8ed4e3a2e9bf3d690d3f060798eb0190496bf73102f2d1bd0d603a859d89f484befe946

Filesize: 6KB
MD5: 451b4de0d522059e7465dffc7f832a61
SHA1: ed21769aea3bd74b1cbfdae9aaab1ac78b48ef58
SHA256: b4d678f38dba6566a30b753097a9a1a132e4566be216b1f5a180614e8d3e29a7
SHA512: 85e9c03304ef9b1d591d588aadd77c266c187867a7a8b933b0fa0607d2c92b5e35f31aaf9172c5dc4e0b62a6e6386bae1fa4ee7a7f8a225a89ed92f0f895323d

Filesize: 26KB
MD5: 641f2acbcf02682f7b0e9f18a36d0998
SHA1: 3d71e3c26c9073444064ce352b968191881185cb
SHA256: 2b697324dd222529c9342faf00133a2accd7a3552325db1e2b70f2ddc0f98bab
SHA512: 6283c06cc4190fcb708583c49df4e8fca15aa11f50a8d53827d8ac3466393a7f9d4a246b6300eb575e514ead682b0849f014e522ab706349d760fa595d78d999

Filesize: 1.8MB
MD5: 544e07d620d3108b9b6aa3384d02dea5
SHA1: 9897596f3c4ec39e38ef7f1081783db7693ae0b2
SHA256: a8fb1a1473831ac6feb092afd2cbdded2d6a881d3576158fabd89090050b52f8
SHA512: 3663b9c056447c4491635b5bdcbc6e1a2b67a432b41bab6f479da5c787c48f1067cecafdfb6d9763f9b17b553aa953ae87068ba7f0c1c93facf34db7ac53a64c