Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/04/2024, 19:15
Static task: static1
Behavioral task: behavioral1
Sample: 20894d7c8fa769521867065dc956ff34.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 20894d7c8fa769521867065dc956ff34.exe
Resource: win10v2004-20240226-en
General
Target: 20894d7c8fa769521867065dc956ff34.exe
Size: 71KB
MD5: 20894d7c8fa769521867065dc956ff34
SHA1: 4a5623d7f8705c417d51d4ac8a47bf15e9346dcc
SHA256: f5204eb2a2bc913dd2f447207299524e69acae95064c25f1c9f39358df5251ab
SHA512: 1fad5d36df2edcd4b7afd83a99371d1107f277c542cfa35222d39be06169c4cfb7bf7cc27904fc18b11634d8ae63375904edc9113df992e387900e02ecd353dc
SSDEEP: 1536:Fc897UsWjcd9w+AyabjDbxE+MwmvlDuazTe:ZhpAyazIlyazTe
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
pid 2032, process CTS.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe", process 20894d7c8fa769521867065dc956ff34.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe", process CTS.exe

Drops file in Windows directory (2 IoCs)
File created: C:\Windows\CTS.exe, process 20894d7c8fa769521867065dc956ff34.exe
File created: C:\Windows\CTS.exe, process CTS.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, pid 2180, process 20894d7c8fa769521867065dc956ff34.exe
Token: SeDebugPrivilege, pid 2032, process CTS.exe

Suspicious use of WriteProcessMemory (4 IoCs)
PID 2180 wrote to memory of 2032, process 20894d7c8fa769521867065dc956ff34.exe, procid_target 28
PID 2180 wrote to memory of 2032, process 20894d7c8fa769521867065dc956ff34.exe, procid_target 28
PID 2180 wrote to memory of 2032, process 20894d7c8fa769521867065dc956ff34.exe, procid_target 28
PID 2180 wrote to memory of 2032, process 20894d7c8fa769521867065dc956ff34.exe, procid_target 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\20894d7c8fa769521867065dc956ff34.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\20894d7c8fa769521867065dc956ff34.exe"
   PID: 2180
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\CTS.exe (child of PID 2180)
      Command line: "C:\Windows\CTS.exe"
      PID: 2032
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 71KB
MD5: 88e9b0fc8dc7c4fe78a8b29c4bf55520
SHA1: afeeb255f5a2df0547de2e73c148facd954aae52
SHA256: 967a179f1a46e1add2d271d262f948758a7d36a6dcecf4ee3004b1d01bee7594
SHA512: 6572a055de7d05d7b56a48a445cb79c0267970f48acd2f946bb0783d0e534de84bee10d4d5b5d345d5051e2b98d2426c1545df5bcf48816bdbb5cacaa949bfd9

File 2
Filesize: 71KB
MD5: 66df4ffab62e674af2e75b163563fc0b
SHA1: dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256: 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512: 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25