Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/05/2024, 14:58 UTC

General

  • Target

    2024-05-09_bbf5bac9498602c3d3a34575a7a80d8a_bkransomware.exe

  • Size

    135KB

  • MD5

    bbf5bac9498602c3d3a34575a7a80d8a

  • SHA1

    94fc2a3ea37a0dbec1bee2ba7b81871ef023415c

  • SHA256

    3e11dfbd50ae05e09e6408a6f9b0abfc27faa11ecfc121fccdab5abc18128bac

  • SHA512

    5e4522aca1180279ebfdf392ca5a1f459b0674af0d4f65672e5335c427d3a8b4ce212995fecc6fd7fe421e733547a29b8245bacf36c5660953624b6f308f3d3c

  • SSDEEP

    3072:ZhpAyazIlyazTECIFnXHdachgD6cdaB7GjwA8Qq1L:hZMazzIx9acO9dQ7GjwA8NL

Malware Config

Signatures

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-09_bbf5bac9498602c3d3a34575a7a80d8a_bkransomware.exe (PID 2980, level 1)
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-09_bbf5bac9498602c3d3a34575a7a80d8a_bkransomware.exe"
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • child: C:\Users\Admin\AppData\Local\Temp\E5bBXk2WN9deRfo.exe (PID 2540, level 2)
      command line: C:\Users\Admin\AppData\Local\Temp\E5bBXk2WN9deRfo.exe
      • Executes dropped EXE
    • child: C:\Windows\CTS.exe (PID 3024, level 2)
      command line: "C:\Windows\CTS.exe"
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\E5bBXk2WN9deRfo.exe

    Filesize

    135KB

    MD5

    9c74ee5545523425577c5be8a2a71475

    SHA1

    8d2c4855b1ef5c142b5d60ef9c91c26c5684caf2

    SHA256

    cf7fb7a80697c744b6c28ab54a4f126330aed8dc388d7c7bfd165ec46f60ae68

    SHA512

    fafd4db452b4005a2442e8299e99e0199e73d9e5063bf8fece2a8423020ad773742f81451f657444ffdcb447c8b1abff2a3a73f9b8d6e264dfff7b664035df90

  • C:\Windows\CTS.exe

    Filesize

    71KB

    MD5

    66df4ffab62e674af2e75b163563fc0b

    SHA1

    dec8a197312e41eeb3cfef01cb2a443f0205cd6e

    SHA256

    075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

    SHA512

    1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

  • \Users\Admin\AppData\Local\Temp\E5bBXk2WN9deRfo.exe

    Filesize

    64KB

    MD5

    ae6ce17005c63b7e9bf15a2a21abb315

    SHA1

    9b6bdfb9d648fa422f54ec07b8c8ea70389c09eb

    SHA256

    4a3387a54eeca83f3a8ff1f5f282f7966c9e7bfe159c8eb45444cab01b3e167e

    SHA512

    c883a5f599540d636efc8c0abc05aab7bad0aa1b10ab507f43f18e0fba905a10b94ff2f1ba10ae0fee15cc1b90a165a768dc078fda0ac27474f0eef66f6a11af
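The signatures above report two persistence artefacts (a Run key is added and CTS.exe is dropped into C:\Windows) and the Downloads section gives the hashes of the dropped files, with the Temp path appearing twice at different sizes. The following is an added example, not tria.ge code and not part of the report: it sweeps a directory for files whose SHA256 matches any of the three digests listed, and flags Run-key values whose command points into a Temp directory or at C:\Windows\CTS.exe. The report does not show the Run value name, so that path-based heuristic, the `suspicious_run_values` and `sweep_directory` helper names and the chunk size are assumptions; the registry read uses the standard `winreg` module and simply returns nothing on non-Windows hosts so the hash sweep still runs offline.

```python
# Added example (not tria.ge code): sweep a directory for the dropped files
# listed in this report and flag Run-key entries pointing at the same places.
import hashlib
from pathlib import Path

# SHA256 digests copied from the report's Downloads section, mapped to the
# path the sandbox observed. The Temp path appears twice on the page with
# different sizes and hashes, so both digests are kept.
REPORT_IOCS = {
    "cf7fb7a80697c744b6c28ab54a4f126330aed8dc388d7c7bfd165ec46f60ae68":
        r"C:\Users\Admin\AppData\Local\Temp\E5bBXk2WN9deRfo.exe (135KB)",
    "075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163":
        r"C:\Windows\CTS.exe (71KB)",
    "4a3387a54eeca83f3a8ff1f5f282f7966c9e7bfe159c8eb45444cab01b3e167e":
        r"\Users\Admin\AppData\Local\Temp\E5bBXk2WN9deRfo.exe (64KB)",
}

# The report says a Run key was added and CTS.exe dropped into C:\Windows but
# does not show the value name, so (assumption) any Run entry whose command
# points into a Temp directory or at C:\Windows\CTS.exe is flagged for review.
SUSPICIOUS_RUN_TARGETS = ("\\appdata\\local\\temp\\", "c:\\windows\\cts.exe")

RUN_KEYS = (
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
)


def sha256_file(path, chunk_size=1 << 20):
    """SHA256 of a file, read in chunks so large files do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_directory(root, iocs=REPORT_IOCS):
    """Return [(path, sha256)] for every file under root whose digest is an IOC."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        try:
            digest = sha256_file(p)
        except OSError:  # locked or unreadable files are skipped, not fatal
            continue
        if digest in iocs:
            hits.append((p, digest))
    return hits


def suspicious_run_values(values):
    """values maps a Run value name to its command line; returns names to review."""
    return sorted(
        name for name, cmd in values.items()
        if any(target in cmd.lower() for target in SUSPICIOUS_RUN_TARGETS)
    )


def read_run_keys():
    """Read the HKCU/HKLM Run keys on Windows; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    values = {}
    for hive_name, subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive_name], subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    values[f"{hive_name}\\{name}"] = str(data)
                    index += 1
        except OSError:  # key absent or not readable
            continue
    return values


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in sweep_directory(root):
        print(f"IOC match {digest[:12]}... {path} -> {REPORT_IOCS[digest]}")
    for name in suspicious_run_values(read_run_keys()):
        print(f"Run value to review: {name}")
```

Run it as `python sweep.py C:\` on a suspect host to hash-match the three dropped files; on any platform `sweep_directory` and `suspicious_run_values` can be fed paths and a value dictionary from an offline disk image or an exported Run key instead. Matching on SHA256 alone is deliberate: the MD5 and SHA1 values on the page are kept for cross-referencing other reports, but a single strong digest is enough to identify the exact dropped binaries, and the SSDEEP value is not used because fuzzy matching needs the ssdeep library and tolerances that the page does not give.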
