Analysis
- max time kernel: 141s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/03/2024, 13:45
Behavioral tasks
- behavioral1: sample b246e55df34671bdda4bdb3451634aa2.exe, resource win7-20240220-en
- behavioral2: sample b246e55df34671bdda4bdb3451634aa2.exe, resource win10v2004-20240226-en
General
- Target: b246e55df34671bdda4bdb3451634aa2.exe
- Size: 1.8MB
- MD5: b246e55df34671bdda4bdb3451634aa2
- SHA1: c364a3dce87dd37f30bf9b7ca0b4acb2ebc6fd8c
- SHA256: 2e1e00ecb82b5055185935ada275a1022daa7849f052ccd62d5d708a94524357
- SHA512: 862e83733cc833852b4b3259ec2fe5545e4fe0a7b5fe451404d3ccefac6fe73686d955ceaaf90c491fb027ef47495adcd5fe227b6b5d5ec1e58d1b8eb699c3c6
- SSDEEP: 49152:SYkiFwgZwmfOf6h/nhQ3De0jU5SQZW/W7xn59eyXMKl4CIq:vfZpG4nhsDXCSl/W7X4xKaJq
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  4408  gUgVflnTjTxGQhu.exe
  4648  CTS.exe
  760   gUgVflnTjTxGQhu.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- YARA matches on memory and dropped files
  resource                                                                      yara_rule
  behavioral2/memory/3184-0-0x00000000007F0000-0x0000000000807000-memory.dmp    upx
  behavioral2/memory/3184-16-0x00000000007F0000-0x0000000000807000-memory.dmp   upx
  behavioral2/files/0x0009000000022708-11.dat                                   upx
  behavioral2/memory/4648-8-0x00000000006F0000-0x0000000000707000-memory.dmp    upx
  behavioral2/files/0x000600000002304a-22.dat                                   upx
  behavioral2/memory/4648-131-0x00000000006F0000-0x0000000000707000-memory.dmp  upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  b246e55df34671bdda4bdb3451634aa2.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  CTS.exe
- Drops file in Windows directory (2 IoCs)
  description   ioc                 Process
  File created  C:\Windows\CTS.exe  b246e55df34671bdda4bdb3451634aa2.exe
  File created  C:\Windows\CTS.exe  CTS.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3184  b246e55df34671bdda4bdb3451634aa2.exe
  Token: SeDebugPrivilege  4648  CTS.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid  Process
  760  gUgVflnTjTxGQhu.exe
  760  gUgVflnTjTxGQhu.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                   pid   Process                               procid_target
  PID 3184 wrote to memory of 4408  3184  b246e55df34671bdda4bdb3451634aa2.exe  90
  PID 3184 wrote to memory of 4408  3184  b246e55df34671bdda4bdb3451634aa2.exe  90
  PID 3184 wrote to memory of 4408  3184  b246e55df34671bdda4bdb3451634aa2.exe  90
  PID 3184 wrote to memory of 4648  3184  b246e55df34671bdda4bdb3451634aa2.exe  91
  PID 3184 wrote to memory of 4648  3184  b246e55df34671bdda4bdb3451634aa2.exe  91
  PID 3184 wrote to memory of 4648  3184  b246e55df34671bdda4bdb3451634aa2.exe  91
  PID 4408 wrote to memory of 760   4408  gUgVflnTjTxGQhu.exe                   92
  PID 4408 wrote to memory of 760   4408  gUgVflnTjTxGQhu.exe                   92
  PID 4408 wrote to memory of 760   4408  gUgVflnTjTxGQhu.exe                   92
Processes
- C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe"
  PID: 3184
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\gUgVflnTjTxGQhu.exe
    command line: C:\Users\Admin\AppData\Local\Temp\gUgVflnTjTxGQhu.exe
    PID: 4408
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\jds240600109.tmp\gUgVflnTjTxGQhu.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\jds240600109.tmp\gUgVflnTjTxGQhu.exe"
      PID: 760
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
  - C:\Windows\CTS.exe
    command line: "C:\Windows\CTS.exe"
    PID: 4648
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads