
Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    12/05/2024, 09:36 UTC

General

  • Target

    2024-05-12_b9cbf396b5b2bec35c8c263ce308347b_bkransomware.exe

  • Size

    96KB

  • MD5

    b9cbf396b5b2bec35c8c263ce308347b

  • SHA1

    feb97af72f1fe5266c7c898c21723cb16bf07d07

  • SHA256

    4ff9ec4f05c9f69abd24e4a262fd47575b45f329cadf69295bc1a22a11cebfb2

  • SHA512

    ac1fb80dc4b69e646277f334bec83102d3b978422d57f52d35d037830e0a0e8ca93d7285c9fe722afcc5d555faafadad718c43f847bc28d99252b7d1a62e0627

  • SSDEEP

    1536:Fc8N7UsWjcd9w+AyabjDbxE+MwmvlzuazT8vGjQ8/KAFFhj9C4D6:ZRpAyazIliazTwGj3KA3hjLe

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-12_b9cbf396b5b2bec35c8c263ce308347b_bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-12_b9cbf396b5b2bec35c8c263ce308347b_bkransomware.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Users\Admin\AppData\Local\Temp\rCxHMCoTWQvq4tY.exe
      C:\Users\Admin\AppData\Local\Temp\rCxHMCoTWQvq4tY.exe
      2⤵
      • Executes dropped EXE
      PID:2188
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1216

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\rCxHMCoTWQvq4tY.exe

    Filesize

    96KB

    MD5

    bd72ef5ed427bc4d05540a8ef51ebf8e

    SHA1

    409f7a657f98fcfbd714d387dffc18cea98dc5e7

    SHA256

    40a05c3643ae2debe6bb00750a11a033122c619389a5cea33ab061476a201b2e

    SHA512

    31e00db07f3a0437ddf32a6c4d89dc0827c48095e12e70324156c3bf6d4f1cc425c660b1d371d361f37c548cfa3c0bfebbdb6be6e0adc24935befa9d52622f3b

  • C:\Windows\CTS.exe

    Filesize

    71KB

    MD5

    f9d4ab0a726adc9b5e4b7d7b724912f1

    SHA1

    3d42ca2098475924f70ee4a831c4f003b4682328

    SHA256

    b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc

    SHA512

    22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

  • \Users\Admin\AppData\Local\Temp\rCxHMCoTWQvq4tY.exe

    Filesize

    25KB

    MD5

    abbd49c180a2f8703f6306d6fa731fdc

    SHA1

    d63f4bfe7f74936b2fbace803e3da6103fbf6586

    SHA256

    5f411c0bd9ed9a42b0f07ed568c7d0cf358a83063b225a1f8f7da3296dde90f1

    SHA512

    290dd984acc451b778f3db8c510bae7aec1d9547c3ad0a1829df731c136e4ecc9a37dc6a786cf8f1ecc4d14339aed1288af25055f450f6f953138c8d4d5c36e9

  • memory/2188-15-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB
