Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

NEAS.54cfe...10.exe

windows7-x64

7

NEAS.54cfe...10.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    200s
  • max time network
    220s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/10/2023, 21:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.54cfe95e8879c2634882f0727dc6fe10.exe

  • Size

    118KB

  • MD5

    54cfe95e8879c2634882f0727dc6fe10

  • SHA1

    a94e97f322fa435c4ce08896491143d50720e43f

  • SHA256

    cea69bdbc50beb7c92c811acd3ec8134186e629ace3317c96c548e1de1b2125d

  • SHA512

    51b24609a402f045e36137d9618527fcf2384aa3ea1d64ae8ade36a87e609243d8aed1de8000ca8faec00a8ff2e40f99e08af472c4d72977e6e0c396541f0f5e

  • SSDEEP

    3072:+OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPb:+Is9OKofHfHTXQLzgvnzHPowYbvrjD/m

Score
7/10
persistence

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 3 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.54cfe95e8879c2634882f0727dc6fe10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.54cfe95e8879c2634882f0727dc6fe10.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4180
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2888

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    a11b0c36efc51a7ebca697078231d0de

    SHA1

    cd5e24ed6c899ede1e2a80f5bdd1682c3673033a

    SHA256

    38bba995e102ba2495af764da5cc82ca7a1b337ba4c16555747ad71eb2072ebe

    SHA512

    2f77ad4388c5f39588494b4d52fe6f1a8ed47f5cf053e5329b1e19b10a09d0f320c52fda5ca06e338c8fc9509c50fe95ac49aea987923ae3f1ab2844ef7515cd

    Download Submit

  • C:\Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    a11b0c36efc51a7ebca697078231d0de

    SHA1

    cd5e24ed6c899ede1e2a80f5bdd1682c3673033a

    SHA256

    38bba995e102ba2495af764da5cc82ca7a1b337ba4c16555747ad71eb2072ebe

    SHA512

    2f77ad4388c5f39588494b4d52fe6f1a8ed47f5cf053e5329b1e19b10a09d0f320c52fda5ca06e338c8fc9509c50fe95ac49aea987923ae3f1ab2844ef7515cd

    Download Submit

  • C:\Windows\SysWOW64\grcopy.dll
    Filesize

    118KB

    MD5

    1c69258bd0fedcd0e5c62fec579d5921

    SHA1

    6f2adfd91e477db342fb1e9faf8bea5cc850223c

    SHA256

    8e2eacf559110a5a23157dcf933c195a81570208adca861482d239b80ff641de

    SHA512

    fdecca53794654f3a1ec84cbbc5ef8015343d1d54175188526e88e96e2269bbd6796b7c43511b597f3710b3f4c6ff751c066071adb5999d59cb4bf0f49ba904f

    Download Submit

  • C:\Windows\SysWOW64\grcopy.dll
    Filesize

    118KB

    MD5

    1c69258bd0fedcd0e5c62fec579d5921

    SHA1

    6f2adfd91e477db342fb1e9faf8bea5cc850223c

    SHA256

    8e2eacf559110a5a23157dcf933c195a81570208adca861482d239b80ff641de

    SHA512

    fdecca53794654f3a1ec84cbbc5ef8015343d1d54175188526e88e96e2269bbd6796b7c43511b597f3710b3f4c6ff751c066071adb5999d59cb4bf0f49ba904f

    Download Submit

  • C:\Windows\SysWOW64\satornas.dll
    Filesize

    183B

    MD5

    a4a91d551e2b991b946715c11b538514

    SHA1

    9e5147362a9b30590bce49981e2d522199d3fac0

    SHA256

    52f0e337653b71f6e130b1f106a72ebf7a3454033c5a850b731d68f73666bf24

    SHA512

    0162e409c04f395077ec0d5eafe8bcaa374afc8abd80d3b980d55545f1619fbed6ec4f22760936681f125dc881dcfe81ebc9a0986797080616ee9844783c9d40

    Download Submit

  • C:\Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    a43c165816493fcbb09266dac2c786e8

    SHA1

    c718c65b1eddd96f21498dd3b401cc7693835889

    SHA256

    5b997a712b429a2769c8f5bfc42b06cdf10e55d07146e1c7a83883bdce608e39

    SHA512

    4b7dfb2b3f242b26f11975630282191a0681be54e45441a30045262cf3eef6ecf42ba2aa6a08e6986b3ca248860b3de90026d045473be14ebf4ce21d5bec902f

    Download Submit

  • C:\Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    a43c165816493fcbb09266dac2c786e8

    SHA1

    c718c65b1eddd96f21498dd3b401cc7693835889

    SHA256

    5b997a712b429a2769c8f5bfc42b06cdf10e55d07146e1c7a83883bdce608e39

    SHA512

    4b7dfb2b3f242b26f11975630282191a0681be54e45441a30045262cf3eef6ecf42ba2aa6a08e6986b3ca248860b3de90026d045473be14ebf4ce21d5bec902f

    Download Submit

  • C:\Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    a43c165816493fcbb09266dac2c786e8

    SHA1

    c718c65b1eddd96f21498dd3b401cc7693835889

    SHA256

    5b997a712b429a2769c8f5bfc42b06cdf10e55d07146e1c7a83883bdce608e39

    SHA512

    4b7dfb2b3f242b26f11975630282191a0681be54e45441a30045262cf3eef6ecf42ba2aa6a08e6986b3ca248860b3de90026d045473be14ebf4ce21d5bec902f

    Download Submit

  • C:\Windows\SysWOW64\smnss.exe
    Filesize

    118KB

    MD5

    1c69258bd0fedcd0e5c62fec579d5921

    SHA1

    6f2adfd91e477db342fb1e9faf8bea5cc850223c

    SHA256

    8e2eacf559110a5a23157dcf933c195a81570208adca861482d239b80ff641de

    SHA512

    fdecca53794654f3a1ec84cbbc5ef8015343d1d54175188526e88e96e2269bbd6796b7c43511b597f3710b3f4c6ff751c066071adb5999d59cb4bf0f49ba904f

    Download Submit

  • C:\Windows\SysWOW64\smnss.exe
    Filesize

    118KB

    MD5

    1c69258bd0fedcd0e5c62fec579d5921

    SHA1

    6f2adfd91e477db342fb1e9faf8bea5cc850223c

    SHA256

    8e2eacf559110a5a23157dcf933c195a81570208adca861482d239b80ff641de

    SHA512

    fdecca53794654f3a1ec84cbbc5ef8015343d1d54175188526e88e96e2269bbd6796b7c43511b597f3710b3f4c6ff751c066071adb5999d59cb4bf0f49ba904f

    Download Submit

  • memory/2732-20-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2732-24-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2732-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2732-14-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2732-12-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2888-33-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2888-37-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2888-39-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/4180-27-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download