Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/03/2024, 23:46

General

  • Target

    d4abd5915fde80e0d1bd09708a984cf8.exe

  • Size

    99KB

  • MD5

    d4abd5915fde80e0d1bd09708a984cf8

  • SHA1

    9f22aac462e234e03e127e3b0d255a8a2fd17525

  • SHA256

    4d8241a40a4d6dff6ae3edb5703b2d111b58436528b40d5a410e506655158c16

  • SHA512

    1c4fe19680156bca4fb563f100a12a38306ad0fe847409f0ca4703de613f2e1d044d4f7239bfe6bf913074e7dcd22b647c5cc904aa848db166dea10047fd2921

  • SSDEEP

    3072:sr3KcWmjRrzSoDdk/URsXnq5Mby1x5CMnh0tj8/GXU:/hUuXnAwGSMmquk

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
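The "UPX packed file" signature above is a static check on the executable's image. The following is an added example, not tria.ge's own rule and not code from the sample: it parses the PE section table and flags the UPX0/UPX1/UPX2 section names that stock UPX writes, with the "UPX!" header marker as a fallback for builds that only rename the sections. The PE bytes it runs on are constructed in-line by a helper (build_min_pe, an assumed name) and are not the 99KB sample from this report.

```python
import struct

# Section names written by stock UPX. A modified UPX can rename these, which is
# why the report's signature text says "UPX/modified UPX" and why a second
# marker check is included below.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image by walking IMAGE_SECTION_HEADER entries."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER (20 bytes)
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + size_opt                     # first IMAGE_SECTION_HEADER (40 bytes each)
    names = []
    for i in range(n_sections):
        off = sec_table + i * 40
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True if the section names or the 'UPX!' packer marker indicate UPX packing.

    Either indicator can be stripped by a modified packer, so a negative result
    is not proof the file is unpacked; entropy and import-table checks would be
    the next step.
    """
    if any(name in UPX_SECTION_NAMES for name in pe_section_names(data)):
        return True
    return b"UPX!" in data


def build_min_pe(section_names) -> bytes:
    """Construct a minimal, non-loadable PE32 byte string with the given section names.

    Demo helper only: just enough header to exercise pe_section_names().
    """
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * 0x3A)
    dos += struct.pack("<I", e_lfanew)                   # e_lfanew lives at offset 0x3C
    dos += b"\x00" * (e_lfanew - len(dos))
    size_opt = 0xE0                                      # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (size_opt - 2)
    sections = b""
    for name in section_names:
        sections += name.encode("ascii")[:8].ljust(8, b"\x00") + b"\x00" * 32
    return bytes(dos) + b"PE\x00\x00" + coff + opt + sections


if __name__ == "__main__":
    packed = build_min_pe(["UPX0", "UPX1", ".rsrc"])
    plain = build_min_pe([".text", ".data", ".rsrc"])
    print(pe_section_names(packed), looks_upx_packed(packed))
    print(pe_section_names(plain), looks_upx_packed(plain))
```

On a real sample, replace the constructed bytes with `open(path, "rb").read()`; the parser only reads headers, so it is safe to run on untrusted input as long as you catch ValueError for malformed files.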

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4abd5915fde80e0d1bd09708a984cf8.exe
    "C:\Users\Admin\AppData\Local\Temp\d4abd5915fde80e0d1bd09708a984cf8.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:628
    • C:\Users\Admin\AppData\Local\Temp\1BzhZRDX6AT5AJj.exe
      C:\Users\Admin\AppData\Local\Temp\1BzhZRDX6AT5AJj.exe
      2⤵
      • Executes dropped EXE
      PID:1060
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3740
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2564
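The process tree above shows the chain the signatures summarise: the submitted executable (PID 628) writes two files, one of them into C:\Windows, sets a Run key, and then both dropped files execute. The following is an added example of how a detection engineer might express those four behaviours as checks over Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set). It is not tria.ge's detection code. The events are constructed here to mirror the tree and the reported SHA256 values; the Run value name "CTS" and the user SID are assumptions, not facts from the report.

```python
import re

# SHA256 of the two dropped executables, taken from the Downloads section of the report.
DROPPED_SHA256 = {
    "75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346",  # 1BzhZRDX6AT5AJj.exe
    "a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8",  # CTS.exe
}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
WINDOWS_DIR = "c:\\windows\\"


def _sha256_from_hashes(field: str):
    """Extract the SHA256 from a Sysmon 'Hashes' field such as 'MD5=...,SHA256=...'."""
    for part in field.split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return None


def triage(events):
    """Return (rule, pid, evidence) tuples for the behaviours seen in the report.

    Events are dicts keyed by Sysmon field names. State is kept so that a later
    process-create event for a path written earlier is reported as
    'executes_dropped_exe', which is what the report's signature of that name means.
    """
    hits = []
    dropped = {}  # lower-cased path -> pid of the process that wrote it
    for ev in events:
        eid, pid = ev["EventID"], ev["ProcessId"]
        image = ev.get("Image", "")
        if eid == 11:
            target = ev["TargetFilename"]
            dropped[target.lower()] = pid
            # A binary outside C:\Windows writing into C:\Windows is the report's
            # "Drops file in Windows directory"; Windows' own components are excluded.
            if target.lower().startswith(WINDOWS_DIR) and not image.lower().startswith(WINDOWS_DIR):
                hits.append(("drops_file_in_windows_dir", pid, target))
        elif eid == 1:
            sha = _sha256_from_hashes(ev.get("Hashes", ""))
            if sha in DROPPED_SHA256:
                hits.append(("known_dropped_exe_hash", pid, sha))
            if image.lower() in dropped:
                hits.append(("executes_dropped_exe", pid, image))
        elif eid == 13:
            obj = ev["TargetObject"]
            if RUN_KEY_RE.search(obj):
                hits.append(("adds_run_key", pid, f"{obj} -> {ev.get('Details', '')}"))
    return hits


# Constructed events mirroring the process tree above (assumed Run value name and SID).
PARENT = r"C:\Users\Admin\AppData\Local\Temp\d4abd5915fde80e0d1bd09708a984cf8.exe"
DROP1 = r"C:\Users\Admin\AppData\Local\Temp\1BzhZRDX6AT5AJj.exe"
DROP2 = r"C:\Windows\CTS.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 628, "Image": PARENT, "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=4d8241a40a4d6dff6ae3edb5703b2d111b58436528b40d5a410e506655158c16"},
    {"EventID": 11, "ProcessId": 628, "Image": PARENT, "TargetFilename": DROP1},
    {"EventID": 11, "ProcessId": 628, "Image": PARENT, "TargetFilename": DROP2},
    {"EventID": 13, "ProcessId": 628, "Image": PARENT,
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\CTS",
     "Details": DROP2},
    {"EventID": 1, "ProcessId": 1060, "Image": DROP1, "ParentImage": PARENT,
     "Hashes": "SHA256=75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346"},
    {"EventID": 1, "ProcessId": 3740, "Image": DROP2, "ParentImage": PARENT,
     "Hashes": "SHA256=a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8"},
    # Benign control: a Windows component writing under C:\Windows is not flagged.
    {"EventID": 11, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\update.log"},
]

if __name__ == "__main__":
    for rule, pid, evidence in triage(SAMPLE_EVENTS):
        print(f"{rule:28s} pid={pid:<5d} {evidence}")
```

The checks are deliberately narrow: the hash rule only catches these two artifacts, while the Run-key, Windows-directory write and dropped-then-executed rules generalise to other samples with the same persistence pattern. On a live host the same fields come from the Sysmon EVTX channel rather than hand-built dicts.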

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

      Filesize

      753KB

      MD5

      a3d37ca48271155296800d4530586f7c

      SHA1

      edcc3169b835a64673643b5773b3bfb1402dd74d

      SHA256

      69477787a957b0275834614fc6034a97313c66791c8a5f2903b1dcc4d42dbef2

      SHA512

      f3e05f4857a1a38b1e56fe03b64dda141ddd708f5d1fd3ad2310acc9c72318014d57ff419789990fe284be82ccf96cb0df2d97e07a13494c71ba1e619563513f

    • C:\Users\Admin\AppData\Local\Temp\1BzhZRDX6AT5AJj.exe

      Filesize

      64KB

      MD5

      a32a382b8a5a906e03a83b4f3e5b7a9b

      SHA1

      11e2bdd0798761f93cce363329996af6c17ed796

      SHA256

      75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346

      SHA512

      ec87dd957be21b135212454646dcabdd7ef9442cf714e2c1f6b42b81f0c3fa3b1875bde9a8b538e8a0aa2190225649c29e9ed0f25176e7659e55e422dd4efe4c

    • C:\Windows\CTS.exe

      Filesize

      35KB

      MD5

      93e5f18caebd8d4a2c893e40e5f38232

      SHA1

      fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6

      SHA256

      a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8

      SHA512

      986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54

    • memory/628-0-0x0000000000010000-0x0000000000027000-memory.dmp

      Filesize

      92KB

    • memory/628-9-0x0000000000010000-0x0000000000027000-memory.dmp

      Filesize

      92KB

    • memory/3740-8-0x0000000000CF0000-0x0000000000D07000-memory.dmp

      Filesize

      92KB