Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

7

be56f7870d...29.exe

windows7-x64

7

be56f7870d...29.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10/03/2024, 10:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    be56f7870daba51872c7ab4b6d3b7a29.exe

  • Size

    41KB

  • MD5

    be56f7870daba51872c7ab4b6d3b7a29

  • SHA1

    90803adb28d41708b46857024fecd97608cfb452

  • SHA256

    2b67832d57df0c5a133fc5d252c836d752e73541d18ee83264ce1fa1ca2f7024

  • SHA512

    fbf5a1f7fc574602572424ada1725dc5310b526799beeb17d04b21ba005be19c5e48491de2e4af40498f2545bbcfe6e9b9d2a4f0e66697bfb39f9aeb76aca4df

  • SSDEEP

    768:X8Q2ZDX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIom46+I9vzineMf:s9Z3KcR4mjD9r8226+MieO

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be56f7870daba51872c7ab4b6d3b7a29.exe
    "C:\Users\Admin\AppData\Local\Temp\be56f7870daba51872c7ab4b6d3b7a29.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2252

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\VZmUuJT1bLIQvUA.exe
    Filesize

    41KB

    MD5

    6c52e2f5e0186dd070cf2d782146268d

    SHA1

    c8d15b9acbf42055c3b2d5fa21d09da5ac445a6d

    SHA256

    2b671f8d8453e7d271427dda77330dc85e5fe064515f13907b7073b54422fe67

    SHA512

    b75d2e1fb6e5d02ddf557cd76384cce3db3ff11994ae88b0fe7fee4db48878f7e25b33f20714ebe56ea77c96e7d655678c5eb6fb183db74f3ba1cf777a6b8f70

    Download Submit

  • C:\Windows\CTS.exe
    Filesize

    35KB

    MD5

    93e5f18caebd8d4a2c893e40e5f38232

    SHA1

    fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6

    SHA256

    a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8

    SHA512

    986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54

    Download Submit

  • memory/2252-12-0x0000000000300000-0x0000000000317000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2300-0-0x0000000000FA0000-0x0000000000FB7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2300-9-0x0000000000FA0000-0x0000000000FB7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2300-8-0x0000000000300000-0x0000000000317000-memory.dmp

    Filesize

    92KB

    Download