Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    28/05/2024, 22:48

General

  • Target

    751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d.exe

  • Size

    27KB

  • MD5

    997cfd640be6243a2add974d9bf9e105

  • SHA1

    471275f0c3420076a77be13f17fb408f75409ce2

  • SHA256

    751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d

  • SHA512

    67099eebd89075b80cd3482c7a29d9b1726a90816da1bfea1ecd1c08915a2f3e9d8ddd142aac1bff73f9aed2a59a59c0bb0968f773578138bf7bafc561fe51d6

  • SSDEEP

    768:X9J/3FzjgfanEGx8V36unjv88tznuRU65Y4gpph1ePVCML:N5VzcfA/6LrVpL74gfh16nL

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d.exe
    "C:\Users\Admin\AppData\Local\Temp\751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\mI2n5t9uigPh9QU.exe

    Filesize

    27KB

    MD5

    588df9c67151d9b3914e44fe78787b25

    SHA1

    d1ca7fc3e36a155e6105e281031da055181ca236

    SHA256

    7cf6bae6bc936354554ac0da5393817dc4bbc0a2cc1db948f4feb760c3f03665

    SHA512

    8ad1afe1ae87c886aace82e8105bb41752d333d4b4d159d0cb3485c18984eb5bf7b814c744c84b80e87675999021f68d91b53437fbba052ead3254de1a00988f

  • C:\Windows\CTS.exe

    Filesize

    27KB

    MD5

    a6749b968461644db5cc0ecceffb224a

    SHA1

    2795aa37b8586986a34437081351cdd791749a90

    SHA256

    720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2

    SHA512

    2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

  • memory/2948-13-0x0000000000910000-0x0000000000928000-memory.dmp

    Filesize

    96KB

  • memory/3028-0-0x0000000000E60000-0x0000000000E78000-memory.dmp

    Filesize

    96KB

  • memory/3028-5-0x00000000000E0000-0x00000000000F8000-memory.dmp

    Filesize

    96KB

  • memory/3028-10-0x0000000000E60000-0x0000000000E78000-memory.dmp

    Filesize

    96KB