Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

b92d868b07...eN.exe

windows7-x64

7

b92d868b07...eN.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25/09/2024, 06:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b92d868b07d2535f0ad499c88fe6570f9ba62c99e825448f0ba983090affe53eN.exe

  • Size

    254KB

  • MD5

    4a54d92d2e0befeb3a1d5f8cbc8c76f0

  • SHA1

    38fb158286a5309d16ee03fcf2fcd92f18b4ccb1

  • SHA256

    b92d868b07d2535f0ad499c88fe6570f9ba62c99e825448f0ba983090affe53e

  • SHA512

    6ae979b0579f4086c63048a4ffd3cd7aa086d71e9faea6160c273406f3455762deca116a555300928ff516dddd775ff6be1ddcbb988dd199e6fc8b55dff05be0

  • SSDEEP

    6144:GjYKlAhUBVB3pQOS+J6WoRDPiLtlkxw91jppE5gpPkI:GjYRm7QOS+JbaKlbjcgpPkI

Score
7/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b92d868b07d2535f0ad499c88fe6570f9ba62c99e825448f0ba983090affe53eN.exe
    "C:\Users\Admin\AppData\Local\Temp\b92d868b07d2535f0ad499c88fe6570f9ba62c99e825448f0ba983090affe53eN.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Users\Admin\AppData\Local\Temp\qinAzGp0nrBt9Jx.exe
      C:\Users\Admin\AppData\Local\Temp\qinAzGp0nrBt9Jx.exe
      2⤵
      • Executes dropped EXE
      PID:1352
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2476

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\CTS.exe
    Filesize

    86KB

    MD5

    0f736d30fbdaebed364c4cd9f084e500

    SHA1

    d7e96b736463af4b3edacd5cc5525cb70c593334

    SHA256

    431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34

    SHA512

    570a2f76d653414fedc12ed486f2bf0333dc860f52d70faa895d6b9951ac185317637d7b076e05c932f4c536259e19a952a716e9516d506d2a19de73c50f2566

    Download Submit

  • \Users\Admin\AppData\Local\Temp\qinAzGp0nrBt9Jx.exe
    Filesize

    168KB

    MD5

    17275206102d1cf6f17346fd73300030

    SHA1

    bbec93f6fb2ae56c705efd6e58d6b3cc68bf1166

    SHA256

    dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6

    SHA512

    ce14a4f95328bb9ce437c5d79084e9d647cb89b66cde86a540b200b1667edc76aa27a36061b6e2ceccecb70b9a011b4bd54040e2a480b8546888ba5cc84a01b3

    Download Submit