Analysis

  • max time kernel
    94s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    08/09/2024, 18:53

General

  • Target

    11701ef7dfc1defed3932a22fc3fc80cd78057fd944c54126ab29f1867ae4905.exe

  • Size

    110KB

  • MD5

    e7e282dfdc0b93708357ad673c3c74b4

  • SHA1

    b4ae44b5cfcb7e6d6540d240f4f98b5015bd48a6

  • SHA256

    11701ef7dfc1defed3932a22fc3fc80cd78057fd944c54126ab29f1867ae4905

  • SHA512

    2f230fe0aac63eb21f63653a8c2374200edd76115d6de513b8865f993f3758fdf8f997e068bdf796d606bb71cef704071bae91d8595ca6abb0d2a5ba68847a78

  • SSDEEP

    3072:ZWrKR8W9Mj6yhPyKfXtAGsKG3ERrjjNB3+IQObfjbV5HfD:GjYKlAhUBVB3pQObfj/7

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11701ef7dfc1defed3932a22fc3fc80cd78057fd944c54126ab29f1867ae4905.exe
    "C:\Users\Admin\AppData\Local\Temp\11701ef7dfc1defed3932a22fc3fc80cd78057fd944c54126ab29f1867ae4905.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:220
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:116

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

    Filesize

    408KB

    MD5

    61376cf40ed4ddfe145abd5788c0ddc5

    SHA1

    7b1581f4cacd51d4ce4fc780a5556a5576b9d190

    SHA256

    2c018540f273d041c7aa76ca59e07cca568d0c3c6c2ef67067ee7eef2e2a4ac3

    SHA512

    96f509aeeb7d4da73b785f98163e0f738c422188d13858d26e8ea82d4a9e689f2af3100191fc464dd782efb6fceec32b94254775d930719706425eb8f0cca3a9

  • C:\Users\Admin\AppData\Local\Temp\EHklj3cqO6JXsut.exe

    Filesize

    110KB

    MD5

    1b283af8b5ecd1e03961f63679a1235f

    SHA1

    66de4361c45e887a60b122deadf6b69f0c7c0ebb

    SHA256

    99dc3e3442517a326e7b5e66288ecdbe410b6f3aac7c1d60c6c5394c8ccf2d81

    SHA512

    ed496934c18c67e444285d11c5aa5a74c53d20323e914e981fe29644026335f7e2675906c436b45efc6fa1f636f1b7b3d4561b19557ce42a00e7315f4c43363b

  • C:\Windows\CTS.exe

    Filesize

    86KB

    MD5

    0f736d30fbdaebed364c4cd9f084e500

    SHA1

    d7e96b736463af4b3edacd5cc5525cb70c593334

    SHA256

    431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34

    SHA512

    570a2f76d653414fedc12ed486f2bf0333dc860f52d70faa895d6b9951ac185317637d7b076e05c932f4c536259e19a952a716e9516d506d2a19de73c50f2566