Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/03/2024, 13:45

General

  • Target

    b246e55df34671bdda4bdb3451634aa2.exe

  • Size

    1.8MB

  • MD5

    b246e55df34671bdda4bdb3451634aa2

  • SHA1

    c364a3dce87dd37f30bf9b7ca0b4acb2ebc6fd8c

  • SHA256

    2e1e00ecb82b5055185935ada275a1022daa7849f052ccd62d5d708a94524357

  • SHA512

    862e83733cc833852b4b3259ec2fe5545e4fe0a7b5fe451404d3ccefac6fe73686d955ceaaf90c491fb027ef47495adcd5fe227b6b5d5ec1e58d1b8eb699c3c6

  • SSDEEP

    49152:SYkiFwgZwmfOf6h/nhQ3De0jU5SQZW/W7xn59eyXMKl4CIq:vfZpG4nhsDXCSl/W7X4xKaJq

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe
    "C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3184
    • C:\Users\Admin\AppData\Local\Temp\gUgVflnTjTxGQhu.exe
      C:\Users\Admin\AppData\Local\Temp\gUgVflnTjTxGQhu.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4408
      • C:\Users\Admin\AppData\Local\Temp\jds240600109.tmp\gUgVflnTjTxGQhu.exe
        "C:\Users\Admin\AppData\Local\Temp\jds240600109.tmp\gUgVflnTjTxGQhu.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:760
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4648

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

    Filesize

    348KB

    MD5

    26a09cdb073cf17d7dd6668947712e94

    SHA1

    f70f1119be8c2de70fcbb97ef6ef8c1de427462d

    SHA256

    8c8df550fd6cfaf98c99ca7da69ccd47501ffefb54d4d1fd65919dc7b4f68437

    SHA512

    46b27da299e78c2123dbd9a6c1a540e155d0036c722028456662fb9419802a26a9bc640a28cde304f5ccaae1eabb939b83b040bc168b84fc83482f0d5d7ffebc

  • C:\Users\Admin\AppData\Local\Temp\gUgVflnTjTxGQhu.exe

    Filesize

    1.8MB

    MD5

    544e07d620d3108b9b6aa3384d02dea5

    SHA1

    9897596f3c4ec39e38ef7f1081783db7693ae0b2

    SHA256

    a8fb1a1473831ac6feb092afd2cbdded2d6a881d3576158fabd89090050b52f8

    SHA512

    3663b9c056447c4491635b5bdcbc6e1a2b67a432b41bab6f479da5c787c48f1067cecafdfb6d9763f9b17b553aa953ae87068ba7f0c1c93facf34db7ac53a64c

  • C:\Users\Admin\AppData\Local\Temp\jds240600109.tmp\gUgVflnTjTxGQhu.exe

    Filesize

    1.6MB

    MD5

    109cbe148f827137c3ba62261f01b29b

    SHA1

    2cc02b09da46d9e5d0ac1b306a0bbcc12bfe4c12

    SHA256

    394ad6212e4866cc8e6d1834df8f70538dddf09d23dfa65ea204b22c012b541a

    SHA512

    a2dfa03dd290540bcfeda6cfd7d6ed891700742b4323d8c8dbfc4c822386ef1ddfff5cf71b2e5d7be9ec72fb6fc2145ff6ffc440823187d6956d5aa2794c5799

  • C:\Users\Admin\AppData\Local\Temp\jusched.log

    Filesize

    154KB

    MD5

    4897edf4404f7f82829e0911d132c15d

    SHA1

    326ce4567e28ffcf9b4c22dcb7afe16ee3f4868f

    SHA256

    3583c8d757273c88169678a2a8a78b3bcd21a4d0874d97e0056b99d7733f2acd

    SHA512

    640d0bd78ae888c0e0e828b8f23052538bbbcc647934cbde41529719deda63fcc5448776466d18b35cac26ef84ab5abdf73ee40d485c1bc6cb30ae40636b39de

  • C:\Users\Admin\AppData\Local\Temp\jusched.log

    Filesize

    154KB

    MD5

    aef24836762628af7617e91435188e6e

    SHA1

    c8f990df9486c479287700dd93842e0a290b5344

    SHA256

    fcb3cf2f4a3d046c500293057ddf1b9c2fa40d94b8d01fedd8d72d6f73597131

    SHA512

    9da02999dd26849d9480607a8ec557c4107ccfbbcd33ec772e4b1171a3e67aa3f3d7968694eabd2b0d0f9702df5a67ebaa5960c8bae6ca470aa95efb278cccc7

  • C:\Windows\CTS.exe

    Filesize

    26KB

    MD5

    641f2acbcf02682f7b0e9f18a36d0998

    SHA1

    3d71e3c26c9073444064ce352b968191881185cb

    SHA256

    2b697324dd222529c9342faf00133a2accd7a3552325db1e2b70f2ddc0f98bab

    SHA512

    6283c06cc4190fcb708583c49df4e8fca15aa11f50a8d53827d8ac3466393a7f9d4a246b6300eb575e514ead682b0849f014e522ab706349d760fa595d78d999

  • memory/3184-0-0x00000000007F0000-0x0000000000807000-memory.dmp

    Filesize

    92KB

  • memory/3184-16-0x00000000007F0000-0x0000000000807000-memory.dmp

    Filesize

    92KB

  • memory/4648-8-0x00000000006F0000-0x0000000000707000-memory.dmp

    Filesize

    92KB

  • memory/4648-131-0x00000000006F0000-0x0000000000707000-memory.dmp

    Filesize

    92KB