Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

3

2024-05-03...re.exe

windows7-x64

9

2024-05-03...re.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    03/05/2024, 17:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-03_46a27c782b09f4a602730e8b1cad3627_bkransomware.exe

  • Size

    7.3MB

  • MD5

    46a27c782b09f4a602730e8b1cad3627

  • SHA1

    10b7660cccc7e4a3fe105fb9b1cad49732834a0b

  • SHA256

    14791264a3918650fcb150c11e59e308dc1131eb08cbbdfcfcca49ac5657a646

  • SHA512

    6502834a98d045c548e43cc30c78e4375e0aeaddd47706f172ddea4e06c6757e204500e7f992863e62036df55cb27f3427e5d66e30d7e19ce275506c7bce931a

  • SSDEEP

    196608:onG45fkN4b7cqKg4LK8VJFgDx8vfFe9WI+eAMrk1h:t4RkN4bAqtGtFYx6fU9WNe1g1h

Score
9/10
persistencespywarestealer

Malware Config

Signatures

  • Detects executables containing URLs to raw contents of a Github gist 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-03_46a27c782b09f4a602730e8b1cad3627_bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-03_46a27c782b09f4a602730e8b1cad3627_bkransomware.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2900
    • C:\Users\Admin\AppData\Local\Temp\or3FvqCtFdp5bB7.exe
      C:\Users\Admin\AppData\Local\Temp\or3FvqCtFdp5bB7.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2072
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2908

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\config\chocolatey.config.backup
    Filesize

    809B

    MD5

    8b6737800745d3b99886d013b3392ac3

    SHA1

    bb94da3f294922d9e8d31879f2d145586a182e19

    SHA256

    86f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594

    SHA512

    654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\logs\chocolatey.log
    Filesize

    4KB

    MD5

    64db93bfd1c0bdecc50736c8cbf94071

    SHA1

    856436a74074a7d75f31b01ec7dbf67745c880d3

    SHA256

    00456cfbed4cca1ea5ee210287cc7cd277882b84b607f7d49d2c76083b7c2bdb

    SHA512

    73b979292d4bb55530978859f5a838c8bda6da63699a9b0c71f42aede8a2eeaeee7949dcbaaafb36d42231df89d42087b7504bfe64d6b9b2172fe135484d9759

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\redirects\cpush.exe.ignore
    Filesize

    2B

    MD5

    81051bcc2cf1bedf378224b0a93e2877

    SHA1

    ba8ab5a0280b953aa97435ff8946cbcbb2755a27

    SHA256

    7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

    SHA512

    1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

    Download Submit

  • C:\Windows\CTS.exe
    Filesize

    71KB

    MD5

    66df4ffab62e674af2e75b163563fc0b

    SHA1

    dec8a197312e41eeb3cfef01cb2a443f0205cd6e

    SHA256

    075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

    SHA512

    1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

    Download Submit

  • \Users\Admin\AppData\Local\Temp\or3FvqCtFdp5bB7.exe
    Filesize

    7.3MB

    MD5

    dd6b75a77601d62ac66df1b0a51a7de3

    SHA1

    699fc35deccb0cd6e341420903fc993535c2c98f

    SHA256

    2f46a1d48e1589e0aa10f215e77cb48fb90c531e19aa3c05d766f59b449f3c15

    SHA512

    43bd57e5379c22494aade734a45a443722327d48c7f06aa521048c99adba576e29bd70bba7bd28ba94f8f24f88efed7b8e5a1b3249cbfcb4d95fd0bc1f424d86

    Download Submit

  • memory/2072-16-0x000007FEF5F43000-0x000007FEF5F44000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2072-17-0x0000000000210000-0x0000000000956000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/2072-18-0x000007FEF5F40000-0x000007FEF692C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2072-26-0x000000001BE30000-0x000000001C112000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2072-152-0x000007FEF5F40000-0x000007FEF692C000-memory.dmp

    Filesize

    9.9MB

    Download