Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/05/2024, 22:48

General

  • Target

    751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d.exe

  • Size

    27KB

  • MD5

    997cfd640be6243a2add974d9bf9e105

  • SHA1

    471275f0c3420076a77be13f17fb408f75409ce2

  • SHA256

    751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d

  • SHA512

    67099eebd89075b80cd3482c7a29d9b1726a90816da1bfea1ecd1c08915a2f3e9d8ddd142aac1bff73f9aed2a59a59c0bb0968f773578138bf7bafc561fe51d6

  • SSDEEP

    768:X9J/3FzjgfanEGx8V36unjv88tznuRU65Y4gpph1ePVCML:N5VzcfA/6LrVpL74gfh16nL

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 7 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d.exe
    "C:\Users\Admin\AppData\Local\Temp\751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4296

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

    Filesize

    348KB

    MD5

    5241fbb9220de2bcf42685588d354f26

    SHA1

    dc4740a48574145c36d5991e921acb9b2e0a2637

    SHA256

    ad34fde584648ac3aa0dc8eed04f411a32d84259f18c0b9aee674e357b5c5ff6

    SHA512

    73afbeef5ff808e785f86638a8a86317c78ee5dcd468bb58a114994ed33f50d8dd157b101c981ee5dae34af484c5b19798ee56c525d622dd81f4bc2adc4508f5

  • C:\Users\Admin\AppData\Local\Temp\gHgBzPh0eByNtSJ.exe

    Filesize

    27KB

    MD5

    ecebeb70429934f2590075be53ba3f85

    SHA1

    b16c2314356fb0ea99746fb107daa47d7722326b

    SHA256

    44ac090115cc5204d2a90aa00e8f9fd28498028bd068c18084433c8e765a9b0e

    SHA512

    87b659b00edc681e3480c51a609bc15ba6a97f1e407c637b291034eec0bb4328dcac2eb317791aaee3a1aa6c4a443fb5a7fc6bc3259649599838683b2cbb413a

  • C:\Windows\CTS.exe

    Filesize

    27KB

    MD5

    a6749b968461644db5cc0ecceffb224a

    SHA1

    2795aa37b8586986a34437081351cdd791749a90

    SHA256

    720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2

    SHA512

    2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

  • memory/3516-0-0x0000000000700000-0x0000000000718000-memory.dmp

    Filesize

    96KB

  • memory/3516-6-0x0000000000700000-0x0000000000718000-memory.dmp

    Filesize

    96KB

  • memory/4296-8-0x0000000000550000-0x0000000000568000-memory.dmp

    Filesize

    96KB

  • memory/4296-31-0x0000000000550000-0x0000000000568000-memory.dmp

    Filesize

    96KB