Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    06/03/2024, 14:19

General

  • Target

    b79cd78bf2260f39ce8783f622c1d072.exe

  • Size

    35KB

  • MD5

    b79cd78bf2260f39ce8783f622c1d072

  • SHA1

    9c73fb3ec734e9f56edc0d224a1af5905b5048d6

  • SHA256

    6d48a4399aafabf4110a0b624ff21cea51616a6e4ec35c70a762a1b7250e373f

  • SHA512

    7c9f965f9b250d6039f227ebc60adcadc89f3f9fc6a450552764a58534bb18cfbe05157bec770e59ad1c6fb26f1e4c52750ee39b82e827c85f60289932dc6015

  • SSDEEP

    768:X8Q2ZDX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIom46+Is:s9Z3KcR4mjD9r8226+F

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b79cd78bf2260f39ce8783f622c1d072.exe
    "C:\Users\Admin\AppData\Local\Temp\b79cd78bf2260f39ce8783f622c1d072.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2196

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\pCA8sajuwlHvn3L.exe

    Filesize

    35KB

    MD5

    16491ffd86f74c2125fba1577989dc68

    SHA1

    a97a39ca35f1139499ab72534dd21ebfc06ffcad

    SHA256

    00af960a1ac6eeb696f455385d19747291986bae25f669f50be3c62e7dbde235

    SHA512

    4209e3d5da16bf50ba42036629863805e27eb2bb2d7ab143ec562a531613fa5af2a9f1876e1e3c36865d16e9a2829cf8aa63bf751e8c18c6693d9602b67dab7f

  • C:\Windows\CTS.exe

    Filesize

    35KB

    MD5

    93e5f18caebd8d4a2c893e40e5f38232

    SHA1

    fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6

    SHA256

    a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8

    SHA512

    986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54

  • memory/2196-12-0x00000000001C0000-0x00000000001D7000-memory.dmp

    Filesize

    92KB

  • memory/2416-1-0x0000000001060000-0x0000000001077000-memory.dmp

    Filesize

    92KB

  • memory/2416-8-0x0000000001060000-0x0000000001077000-memory.dmp

    Filesize

    92KB

  • memory/2416-11-0x0000000000070000-0x0000000000087000-memory.dmp

    Filesize

    92KB

  • memory/2416-19-0x0000000000070000-0x0000000000087000-memory.dmp

    Filesize

    92KB