Analysis
max time kernel: 140s
max time network: 118s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 06/03/2024, 14:19
Behavioral task behavioral1
Sample: b79cd78bf2260f39ce8783f622c1d072.exe
Resource: win7-20240215-en

Behavioral task behavioral2
Sample: b79cd78bf2260f39ce8783f622c1d072.exe
Resource: win10v2004-20240226-en
General
Target: b79cd78bf2260f39ce8783f622c1d072.exe
Size: 35KB
MD5: b79cd78bf2260f39ce8783f622c1d072
SHA1: 9c73fb3ec734e9f56edc0d224a1af5905b5048d6
SHA256: 6d48a4399aafabf4110a0b624ff21cea51616a6e4ec35c70a762a1b7250e373f
SHA512: 7c9f965f9b250d6039f227ebc60adcadc89f3f9fc6a450552764a58534bb18cfbe05157bec770e59ad1c6fb26f1e4c52750ee39b82e827c85f60289932dc6015
SSDEEP: 768:X8Q2ZDX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIom46+Is:s9Z3KcR4mjD9r8226+F
Signatures
Executes dropped EXE (1 IoC)
pid   Process
2196  CTS.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource                                                                        yara_rule
behavioral1/memory/2416-1-0x0000000001060000-0x0000000001077000-memory.dmp      upx
behavioral1/memory/2416-8-0x0000000001060000-0x0000000001077000-memory.dmp      upx
behavioral1/files/0x000c000000015cce-7.dat                                      upx
behavioral1/memory/2416-11-0x0000000000070000-0x0000000000087000-memory.dmp     upx
behavioral1/memory/2196-12-0x00000000001C0000-0x00000000001D7000-memory.dmp     upx
behavioral1/files/0x000a000000012252-14.dat                                     upx

Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                          Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"    b79cd78bf2260f39ce8783f622c1d072.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"    CTS.exe

Drops file in Windows directory (2 IoCs)
description   ioc                  Process
File created  C:\Windows\CTS.exe   b79cd78bf2260f39ce8783f622c1d072.exe
File created  C:\Windows\CTS.exe   CTS.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid   Process
Token: SeDebugPrivilege   2416  b79cd78bf2260f39ce8783f622c1d072.exe
Token: SeDebugPrivilege   2196  CTS.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description                     pid   Process                               procid_target
PID 2416 wrote to memory of 2196  2416  b79cd78bf2260f39ce8783f622c1d072.exe  28
PID 2416 wrote to memory of 2196  2416  b79cd78bf2260f39ce8783f622c1d072.exe  28
PID 2416 wrote to memory of 2196  2416  b79cd78bf2260f39ce8783f622c1d072.exe  28
PID 2416 wrote to memory of 2196  2416  b79cd78bf2260f39ce8783f622c1d072.exe  28
Processes
1. C:\Users\Admin\AppData\Local\Temp\b79cd78bf2260f39ce8783f622c1d072.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b79cd78bf2260f39ce8783f622c1d072.exe"
   PID: 2416
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\CTS.exe
      Command line: "C:\Windows\CTS.exe"
      PID: 2196
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
Downloads
Filesize: 35KB
MD5: 16491ffd86f74c2125fba1577989dc68
SHA1: a97a39ca35f1139499ab72534dd21ebfc06ffcad
SHA256: 00af960a1ac6eeb696f455385d19747291986bae25f669f50be3c62e7dbde235
SHA512: 4209e3d5da16bf50ba42036629863805e27eb2bb2d7ab143ec562a531613fa5af2a9f1876e1e3c36865d16e9a2829cf8aa63bf751e8c18c6693d9602b67dab7f

Filesize: 35KB
MD5: 93e5f18caebd8d4a2c893e40e5f38232
SHA1: fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6
SHA256: a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8
SHA512: 986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54