Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
20/04/2024, 03:25
Static task
static1
Behavioral task
behavioral1
Sample
d64886fa6c496b46f5faa38c407193bcfe85f734fa778cc08409cebd542bde3d.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
d64886fa6c496b46f5faa38c407193bcfe85f734fa778cc08409cebd542bde3d.exe
Resource
win10v2004-20240412-en
General
-
Target
d64886fa6c496b46f5faa38c407193bcfe85f734fa778cc08409cebd542bde3d.exe
-
Size
84KB
-
MD5
1aa5d12031db932b9763fb0e4be44922
-
SHA1
0ce1130afdbceb1c46ec414e5fc343c326e25a08
-
SHA256
d64886fa6c496b46f5faa38c407193bcfe85f734fa778cc08409cebd542bde3d
-
SHA512
6985c7cfeb2e7c4247ceccaf54b7ae713fd763f43ba5d028118e859857fa23646b0acdc6d1d6c6e489bb539d9574c221b0fe86da7520725ec0fdc0474455e36a
-
SSDEEP
768:JNK2cNW0QbRsWjcd+6yBFLqJ4Z8qx70RM8/O/B2Z9tRQ1LVXq+:pcNjQlsWjcd+xzl7SMQQ3Xq+
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1256 CTS.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" d64886fa6c496b46f5faa38c407193bcfe85f734fa778cc08409cebd542bde3d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\CTS.exe d64886fa6c496b46f5faa38c407193bcfe85f734fa778cc08409cebd542bde3d.exe File created C:\Windows\CTS.exe CTS.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2360 d64886fa6c496b46f5faa38c407193bcfe85f734fa778cc08409cebd542bde3d.exe Token: SeDebugPrivilege 1256 CTS.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2360 wrote to memory of 1256 2360 d64886fa6c496b46f5faa38c407193bcfe85f734fa778cc08409cebd542bde3d.exe 28 PID 2360 wrote to memory of 1256 2360 d64886fa6c496b46f5faa38c407193bcfe85f734fa778cc08409cebd542bde3d.exe 28 PID 2360 wrote to memory of 1256 2360 d64886fa6c496b46f5faa38c407193bcfe85f734fa778cc08409cebd542bde3d.exe 28 PID 2360 wrote to memory of 1256 2360 d64886fa6c496b46f5faa38c407193bcfe85f734fa778cc08409cebd542bde3d.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\d64886fa6c496b46f5faa38c407193bcfe85f734fa778cc08409cebd542bde3d.exe"C:\Users\Admin\AppData\Local\Temp\d64886fa6c496b46f5faa38c407193bcfe85f734fa778cc08409cebd542bde3d.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1256
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
84KB
MD505b908cfadfd61a6465f139b81d949ec
SHA1f1bf323707c3c727e04036cdd75f39a978fa83ef
SHA2566d30d72e50af376537f71c271b424bcebc47a00617c18b2ab8eceb2f256832c8
SHA5123438755c0adaa542c9c0d6d458f5f0e2576199a75450559a0d78567ab55b5d1b1d972b5c96ff2eb28646ba37e3761358c9920ddc3a7790d382fa368434c6c538
-
Filesize
80KB
MD5ec704028ad7125c2fa52e04dc68c0ca3
SHA12a63f27d0138696c9c27a9ea2534e8f2ca11ddc4
SHA2565f77a5d7c9eac3b004820646dece450e315a6e3ed320dc183ae68d59cd2318bf
SHA512a008a08c980583b8698431ca44fa45d5565fdc5316dc3e58c47ae523e7a7a776162979b0c79f9c64f0b71e0d98fb49102679378354f76c270d0c99207c15d160