Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

3cd28ca17d...83.exe

windows7-x64

7

3cd28ca17d...83.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    145s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    14/11/2023, 19:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3cd28ca17d10f9d22bc30a4855be4846018b700808792eace49525dc2b255883.exe

  • Size

    118KB

  • MD5

    ef7c4292ab220916f2afa6c1651b1ff4

  • SHA1

    d080cc9d52e841647066d8e8e844b6a8a4311a53

  • SHA256

    3cd28ca17d10f9d22bc30a4855be4846018b700808792eace49525dc2b255883

  • SHA512

    47fb980ea783fbbf54d2a72f9eaf2479babc3fd7be97694a3d99c825d59905a891f06976e3ab4695540870676c43e442fa53f4b15513cb27db687d4e5d93b2cf

  • SSDEEP

    3072:WOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPE:WIs9OKofHfHTXQLzgvnzHPowYbvrjD/V

Score
7/10
persistence

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 3 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3cd28ca17d10f9d22bc30a4855be4846018b700808792eace49525dc2b255883.exe
    "C:\Users\Admin\AppData\Local\Temp\3cd28ca17d10f9d22bc30a4855be4846018b700808792eace49525dc2b255883.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3012
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 792
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2580

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    edb4fab88865556aa1f3d5cab5c1b996

    SHA1

    8fc9cace359802493c54a1dd6b9a78147b7d3b57

    SHA256

    af25f3e8766319b27d648fdc29304e1a1875dd355c4c180b9b12de30769425ec

    SHA512

    33b861c00264f826c87202874f5d21cacb8e91259b99fc26376cb829224a5c06e73ef455bdc1f8052bb8450ab5b4f56ce1912db6aa5c3100e711fe8f20882fb0

    Download Submit

  • C:\Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    edb4fab88865556aa1f3d5cab5c1b996

    SHA1

    8fc9cace359802493c54a1dd6b9a78147b7d3b57

    SHA256

    af25f3e8766319b27d648fdc29304e1a1875dd355c4c180b9b12de30769425ec

    SHA512

    33b861c00264f826c87202874f5d21cacb8e91259b99fc26376cb829224a5c06e73ef455bdc1f8052bb8450ab5b4f56ce1912db6aa5c3100e711fe8f20882fb0

    Download Submit

  • C:\Windows\SysWOW64\grcopy.dll
    Filesize

    118KB

    MD5

    fd5c740fdd1e7fcf67fe31f5717d9aad

    SHA1

    e5526d9ff07ab1020e03fcb68640177772409e44

    SHA256

    f18821c93cda8522c0156426a27eb615e693a2fb8c0433e8b2636773eb554d52

    SHA512

    39659bab3db74aaf9adf4517735c55f4779d5c2edbcc2b97a63aaeb46ca9cb66568ccb9e6527848c80597353b0c36f355c5b5b1150a372f47b08972c1848454f

    Download Submit

  • C:\Windows\SysWOW64\satornas.dll
    Filesize

    183B

    MD5

    b5a5b7fc463d433dc392f7428b708bb0

    SHA1

    17596277903ae29fddd613f1b68a9e963a6f316e

    SHA256

    ce30afc8d243e7291a6371648b08e4ddee6f2b6dcc1427446d10da9a91c23161

    SHA512

    0e13ce974fc8b607629c72b706a8681e672c0595368455aebdb0e4ea2ed9919a98359418d396ea86b58dc8a25ac62d479bd8e385b08071c7cdb4b1e344771009

    Download Submit

  • C:\Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    b71b8aff8e42ffb9265e3a5337e38956

    SHA1

    dcd2e63c47f05ebba05efb4cb6b991af5719aa56

    SHA256

    5902dae4962ed2268d45c51bbed588609c629ad6da13ea8cd67c8906a8cec57c

    SHA512

    4187e96a7e38bbb03266c051a73a28f0041dd2c7fb5c10c43833b6526947334bae6178078b3c495a8b2fab432cdbe32b7d685fc5f1ea1a6785ccfcf80b1c1e62

    Download Submit

  • C:\Windows\SysWOW64\smnss.exe
    Filesize

    118KB

    MD5

    fd5c740fdd1e7fcf67fe31f5717d9aad

    SHA1

    e5526d9ff07ab1020e03fcb68640177772409e44

    SHA256

    f18821c93cda8522c0156426a27eb615e693a2fb8c0433e8b2636773eb554d52

    SHA512

    39659bab3db74aaf9adf4517735c55f4779d5c2edbcc2b97a63aaeb46ca9cb66568ccb9e6527848c80597353b0c36f355c5b5b1150a372f47b08972c1848454f

    Download Submit

  • C:\Windows\SysWOW64\smnss.exe
    Filesize

    118KB

    MD5

    fd5c740fdd1e7fcf67fe31f5717d9aad

    SHA1

    e5526d9ff07ab1020e03fcb68640177772409e44

    SHA256

    f18821c93cda8522c0156426a27eb615e693a2fb8c0433e8b2636773eb554d52

    SHA512

    39659bab3db74aaf9adf4517735c55f4779d5c2edbcc2b97a63aaeb46ca9cb66568ccb9e6527848c80597353b0c36f355c5b5b1150a372f47b08972c1848454f

    Download Submit

  • \Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    edb4fab88865556aa1f3d5cab5c1b996

    SHA1

    8fc9cace359802493c54a1dd6b9a78147b7d3b57

    SHA256

    af25f3e8766319b27d648fdc29304e1a1875dd355c4c180b9b12de30769425ec

    SHA512

    33b861c00264f826c87202874f5d21cacb8e91259b99fc26376cb829224a5c06e73ef455bdc1f8052bb8450ab5b4f56ce1912db6aa5c3100e711fe8f20882fb0

    Download Submit

  • \Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    edb4fab88865556aa1f3d5cab5c1b996

    SHA1

    8fc9cace359802493c54a1dd6b9a78147b7d3b57

    SHA256

    af25f3e8766319b27d648fdc29304e1a1875dd355c4c180b9b12de30769425ec

    SHA512

    33b861c00264f826c87202874f5d21cacb8e91259b99fc26376cb829224a5c06e73ef455bdc1f8052bb8450ab5b4f56ce1912db6aa5c3100e711fe8f20882fb0

    Download Submit

  • \Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    b71b8aff8e42ffb9265e3a5337e38956

    SHA1

    dcd2e63c47f05ebba05efb4cb6b991af5719aa56

    SHA256

    5902dae4962ed2268d45c51bbed588609c629ad6da13ea8cd67c8906a8cec57c

    SHA512

    4187e96a7e38bbb03266c051a73a28f0041dd2c7fb5c10c43833b6526947334bae6178078b3c495a8b2fab432cdbe32b7d685fc5f1ea1a6785ccfcf80b1c1e62

    Download Submit

  • \Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    b71b8aff8e42ffb9265e3a5337e38956

    SHA1

    dcd2e63c47f05ebba05efb4cb6b991af5719aa56

    SHA256

    5902dae4962ed2268d45c51bbed588609c629ad6da13ea8cd67c8906a8cec57c

    SHA512

    4187e96a7e38bbb03266c051a73a28f0041dd2c7fb5c10c43833b6526947334bae6178078b3c495a8b2fab432cdbe32b7d685fc5f1ea1a6785ccfcf80b1c1e62

    Download Submit

  • \Windows\SysWOW64\smnss.exe
    Filesize

    118KB

    MD5

    fd5c740fdd1e7fcf67fe31f5717d9aad

    SHA1

    e5526d9ff07ab1020e03fcb68640177772409e44

    SHA256

    f18821c93cda8522c0156426a27eb615e693a2fb8c0433e8b2636773eb554d52

    SHA512

    39659bab3db74aaf9adf4517735c55f4779d5c2edbcc2b97a63aaeb46ca9cb66568ccb9e6527848c80597353b0c36f355c5b5b1150a372f47b08972c1848454f

    Download Submit

  • \Windows\SysWOW64\smnss.exe
    Filesize

    118KB

    MD5

    fd5c740fdd1e7fcf67fe31f5717d9aad

    SHA1

    e5526d9ff07ab1020e03fcb68640177772409e44

    SHA256

    f18821c93cda8522c0156426a27eb615e693a2fb8c0433e8b2636773eb554d52

    SHA512

    39659bab3db74aaf9adf4517735c55f4779d5c2edbcc2b97a63aaeb46ca9cb66568ccb9e6527848c80597353b0c36f355c5b5b1150a372f47b08972c1848454f

    Download Submit

  • \Windows\SysWOW64\smnss.exe
    Filesize

    118KB

    MD5

    fd5c740fdd1e7fcf67fe31f5717d9aad

    SHA1

    e5526d9ff07ab1020e03fcb68640177772409e44

    SHA256

    f18821c93cda8522c0156426a27eb615e693a2fb8c0433e8b2636773eb554d52

    SHA512

    39659bab3db74aaf9adf4517735c55f4779d5c2edbcc2b97a63aaeb46ca9cb66568ccb9e6527848c80597353b0c36f355c5b5b1150a372f47b08972c1848454f

    Download Submit

  • \Windows\SysWOW64\smnss.exe
    Filesize

    118KB

    MD5

    fd5c740fdd1e7fcf67fe31f5717d9aad

    SHA1

    e5526d9ff07ab1020e03fcb68640177772409e44

    SHA256

    f18821c93cda8522c0156426a27eb615e693a2fb8c0433e8b2636773eb554d52

    SHA512

    39659bab3db74aaf9adf4517735c55f4779d5c2edbcc2b97a63aaeb46ca9cb66568ccb9e6527848c80597353b0c36f355c5b5b1150a372f47b08972c1848454f

    Download Submit

  • \Windows\SysWOW64\smnss.exe
    Filesize

    118KB

    MD5

    fd5c740fdd1e7fcf67fe31f5717d9aad

    SHA1

    e5526d9ff07ab1020e03fcb68640177772409e44

    SHA256

    f18821c93cda8522c0156426a27eb615e693a2fb8c0433e8b2636773eb554d52

    SHA512

    39659bab3db74aaf9adf4517735c55f4779d5c2edbcc2b97a63aaeb46ca9cb66568ccb9e6527848c80597353b0c36f355c5b5b1150a372f47b08972c1848454f

    Download Submit

  • memory/2252-18-0x00000000002B0000-0x00000000002B9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2252-26-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-12-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2252-46-0x00000000002B0000-0x00000000002B9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2252-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2252-27-0x00000000002B0000-0x00000000002B9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2252-25-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2800-31-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/3012-39-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3012-44-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3012-34-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3012-47-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download