Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 03/07/2024, 02:48
Static task: static1
Behavioral task: behavioral1
  Sample: 91ab8f3f8f9d99ad59f99299e1cf858e.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 91ab8f3f8f9d99ad59f99299e1cf858e.exe
  Resource: win10v2004-20240508-en
General
Target: 91ab8f3f8f9d99ad59f99299e1cf858e.exe
Size: 7.3MB
MD5: 91ab8f3f8f9d99ad59f99299e1cf858e
SHA1: bd33293c34ec4d98a746268053213a37d483ec47
SHA256: f7c675eff00556242cfff8bc446fe407211a689d487252490c005567d1fde390
SHA512: ee4ce887180b7aa9186fc8359c8e6cd7ca490cdab401f16b72f9e1c1664a21536c95a0c59658c36bd674fddc20e0ca96f1e277f54118d7a4fae31fe4c855a82d
SSDEEP: 196608:zvFsitNvy4TuJfkPd1+RL+MEp1sjw/2Qw:TF1KW5PTKLw1sjwDw
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  2488  B7wnIR4tiF5evtB.exe
  640   CTS.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  3016  91ab8f3f8f9d99ad59f99299e1cf858e.exe
  3016  91ab8f3f8f9d99ad59f99299e1cf858e.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                          Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  91ab8f3f8f9d99ad59f99299e1cf858e.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  CTS.exe

Drops file in Windows directory (2 IoCs)
  description   ioc                 Process
  File created  C:\Windows\CTS.exe  91ab8f3f8f9d99ad59f99299e1cf858e.exe
  File created  C:\Windows\CTS.exe  CTS.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3016  91ab8f3f8f9d99ad59f99299e1cf858e.exe
  Token: SeDebugPrivilege  640   CTS.exe
  Token: SeDebugPrivilege  2488  B7wnIR4tiF5evtB.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                               procid_target
  PID 3016 wrote to memory of 2488  3016  91ab8f3f8f9d99ad59f99299e1cf858e.exe  28
  PID 3016 wrote to memory of 2488  3016  91ab8f3f8f9d99ad59f99299e1cf858e.exe  28
  PID 3016 wrote to memory of 2488  3016  91ab8f3f8f9d99ad59f99299e1cf858e.exe  28
  PID 3016 wrote to memory of 2488  3016  91ab8f3f8f9d99ad59f99299e1cf858e.exe  28
  PID 3016 wrote to memory of 640   3016  91ab8f3f8f9d99ad59f99299e1cf858e.exe  29
  PID 3016 wrote to memory of 640   3016  91ab8f3f8f9d99ad59f99299e1cf858e.exe  29
  PID 3016 wrote to memory of 640   3016  91ab8f3f8f9d99ad59f99299e1cf858e.exe  29
  PID 3016 wrote to memory of 640   3016  91ab8f3f8f9d99ad59f99299e1cf858e.exe  29
Processes
C:\Users\Admin\AppData\Local\Temp\91ab8f3f8f9d99ad59f99299e1cf858e.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\91ab8f3f8f9d99ad59f99299e1cf858e.exe"
  PID: 3016
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\B7wnIR4tiF5evtB.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\B7wnIR4tiF5evtB.exe
    PID: 2488
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\CTS.exe (level 2)
    Command line: "C:\Windows\CTS.exe"
    PID: 640
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads