Analysis
- max time kernel: 148s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/04/2024, 19:15
Static task: static1
Behavioral task: behavioral1
- Sample: 20894d7c8fa769521867065dc956ff34.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 20894d7c8fa769521867065dc956ff34.exe
- Resource: win10v2004-20240226-en
General
- Target: 20894d7c8fa769521867065dc956ff34.exe
- Size: 71KB
- MD5: 20894d7c8fa769521867065dc956ff34
- SHA1: 4a5623d7f8705c417d51d4ac8a47bf15e9346dcc
- SHA256: f5204eb2a2bc913dd2f447207299524e69acae95064c25f1c9f39358df5251ab
- SHA512: 1fad5d36df2edcd4b7afd83a99371d1107f277c542cfa35222d39be06169c4cfb7bf7cc27904fc18b11634d8ae63375904edc9113df992e387900e02ecd353dc
- SSDEEP: 1536:Fc897UsWjcd9w+AyabjDbxE+MwmvlDuazTe:ZhpAyazIlyazTe
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  3508 | CTS.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | 20894d7c8fa769521867065dc956ff34.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | CTS.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\CTS.exe | 20894d7c8fa769521867065dc956ff34.exe
  File created | C:\Windows\CTS.exe | CTS.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3004 | 20894d7c8fa769521867065dc956ff34.exe
  Token: SeDebugPrivilege | 3508 | CTS.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3004 wrote to memory of 3508 | 3004 | 20894d7c8fa769521867065dc956ff34.exe | 86
  PID 3004 wrote to memory of 3508 | 3004 | 20894d7c8fa769521867065dc956ff34.exe | 86
  PID 3004 wrote to memory of 3508 | 3004 | 20894d7c8fa769521867065dc956ff34.exe | 86
Processes
- C:\Users\Admin\AppData\Local\Temp\20894d7c8fa769521867065dc956ff34.exe (PID 3004)
  Command line: "C:\Users\Admin\AppData\Local\Temp\20894d7c8fa769521867065dc956ff34.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\CTS.exe (PID 3508, child of PID 3004)
    Command line: "C:\Windows\CTS.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 394KB
  MD5: 26d0d9746f9555dd18433ecac37ce1d6
  SHA1: bf17261e17906a9fb8fd8e81dd9e4bdf198722b6
  SHA256: 96f0c543b1d36541167c50fd8be64c7d8954b7558090377737c58b5fe45bbfa2
  SHA512: 414ac25be88496575366831abce3b62e23cada9e0470a1e97712c695ca2a1941e72872354076923a86264cc966878dd387c0c811b5b0e968d8cb332f144b9658
- Filesize: 71KB
  MD5: 067afc8e3d4bdcafbc3407fb1c10587b
  SHA1: 8e9ae0f3d7aba4204a1dc16f16b7480207c35d97
  SHA256: b4ca1c601110b388bc99820bae3b7940bf1972cbc1332f12993caf3aef6ca94d
  SHA512: 068743e3cf6045f92c8adea33e4547079cb16cd371607706e526ac30b9e7fbde9f68ceeed311a9913078b1fdd226ee372b86ae7507f1d23f47d2a7a84f1aec05
- Filesize: 71KB
  MD5: 66df4ffab62e674af2e75b163563fc0b
  SHA1: dec8a197312e41eeb3cfef01cb2a443f0205cd6e
  SHA256: 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
  SHA512: 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25