Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
08/09/2024, 18:53
Static task
static1
Behavioral task
behavioral1
Sample
11701ef7dfc1defed3932a22fc3fc80cd78057fd944c54126ab29f1867ae4905.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
11701ef7dfc1defed3932a22fc3fc80cd78057fd944c54126ab29f1867ae4905.exe
Resource
win10v2004-20240802-en
General
-
Target
11701ef7dfc1defed3932a22fc3fc80cd78057fd944c54126ab29f1867ae4905.exe
-
Size
110KB
-
MD5
e7e282dfdc0b93708357ad673c3c74b4
-
SHA1
b4ae44b5cfcb7e6d6540d240f4f98b5015bd48a6
-
SHA256
11701ef7dfc1defed3932a22fc3fc80cd78057fd944c54126ab29f1867ae4905
-
SHA512
2f230fe0aac63eb21f63653a8c2374200edd76115d6de513b8865f993f3758fdf8f997e068bdf796d606bb71cef704071bae91d8595ca6abb0d2a5ba68847a78
-
SSDEEP
3072:ZWrKR8W9Mj6yhPyKfXtAGsKG3ERrjjNB3+IQObfjbV5HfD:GjYKlAhUBVB3pQObfj/7
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 116 CTS.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 11701ef7dfc1defed3932a22fc3fc80cd78057fd944c54126ab29f1867ae4905.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\CTS.exe 11701ef7dfc1defed3932a22fc3fc80cd78057fd944c54126ab29f1867ae4905.exe File created C:\Windows\CTS.exe CTS.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 11701ef7dfc1defed3932a22fc3fc80cd78057fd944c54126ab29f1867ae4905.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CTS.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 220 11701ef7dfc1defed3932a22fc3fc80cd78057fd944c54126ab29f1867ae4905.exe Token: SeDebugPrivilege 116 CTS.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 220 wrote to memory of 116 220 11701ef7dfc1defed3932a22fc3fc80cd78057fd944c54126ab29f1867ae4905.exe 83 PID 220 wrote to memory of 116 220 11701ef7dfc1defed3932a22fc3fc80cd78057fd944c54126ab29f1867ae4905.exe 83 PID 220 wrote to memory of 116 220 11701ef7dfc1defed3932a22fc3fc80cd78057fd944c54126ab29f1867ae4905.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\11701ef7dfc1defed3932a22fc3fc80cd78057fd944c54126ab29f1867ae4905.exe"C:\Users\Admin\AppData\Local\Temp\11701ef7dfc1defed3932a22fc3fc80cd78057fd944c54126ab29f1867ae4905.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:116
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408KB
MD561376cf40ed4ddfe145abd5788c0ddc5
SHA17b1581f4cacd51d4ce4fc780a5556a5576b9d190
SHA2562c018540f273d041c7aa76ca59e07cca568d0c3c6c2ef67067ee7eef2e2a4ac3
SHA51296f509aeeb7d4da73b785f98163e0f738c422188d13858d26e8ea82d4a9e689f2af3100191fc464dd782efb6fceec32b94254775d930719706425eb8f0cca3a9
-
Filesize
110KB
MD51b283af8b5ecd1e03961f63679a1235f
SHA166de4361c45e887a60b122deadf6b69f0c7c0ebb
SHA25699dc3e3442517a326e7b5e66288ecdbe410b6f3aac7c1d60c6c5394c8ccf2d81
SHA512ed496934c18c67e444285d11c5aa5a74c53d20323e914e981fe29644026335f7e2675906c436b45efc6fa1f636f1b7b3d4561b19557ce42a00e7315f4c43363b
-
Filesize
86KB
MD50f736d30fbdaebed364c4cd9f084e500
SHA1d7e96b736463af4b3edacd5cc5525cb70c593334
SHA256431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34
SHA512570a2f76d653414fedc12ed486f2bf0333dc860f52d70faa895d6b9951ac185317637d7b076e05c932f4c536259e19a952a716e9516d506d2a19de73c50f2566