Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2296a77891...9f.exe

windows7-x64

7

2296a77891...9f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    145s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11/03/2024, 14:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe

  • Size

    2.4MB

  • MD5

    226f182d10ae6165ce779e45f9eecda7

  • SHA1

    f151622152a09bf4304200a0ad6bdd055364c6af

  • SHA256

    2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f

  • SHA512

    157f3d3fb8f2c8e6f52492211c02b1321b7a8f6585aa0ba4be1aad374f1177ff8b2530f10301bc3346888a33efd1f40746a1d09692be449af3cbebfe42f421e4

  • SSDEEP

    49152:WxuVOF3MeXMIs817dtZMk60gO5KIF5tFb8LoB4QsSt:ouVOJxXM9817yCLKO7yL44Qs4

Score
7/10
persistence

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
    "C:\Users\Admin\AppData\Local\Temp\2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 828
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2536

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\grcopy.dll
    Filesize

    860KB

    MD5

    ab0374cab3030c7d10ba3125d2b295a4

    SHA1

    128acf8819a411c54d996182672d72b513dccc8d

    SHA256

    c1764cc94534ba4e9224ee4cf56157a7fff69e8066aacb86dd9f4ba912c547ec

    SHA512

    c6da4ae5f8f33cbc32a3bb7390895c243f49896e689a98c5f834ab9a072ec99f9c74821aacbaea33ba46304ea250d27439dfadc1c1f41ca5bc81181ab5091d9c

    Download Submit

  • C:\Windows\SysWOW64\satornas.dll
    Filesize

    183B

    MD5

    1b288612f52dbdb6cebc12b34da03156

    SHA1

    d98c7665a101cfe273db15be3af73729362cf519

    SHA256

    6d90142a04e40c80654c88927ff61bf0546449836f6943b63d6195062728a945

    SHA512

    a4e1695459d074522bc544cf87efd58181403b1568e78809cbe442ae373de596c21b57307fec40e4b9c18e5841bc75c9463d3988c6074a232a19355cdf5251c8

    Download Submit

  • C:\Windows\SysWOW64\smnss.exe
    Filesize

    1.6MB

    MD5

    3c936a33ff3ecceff098c4df06f2e0be

    SHA1

    2f9cec3bc8bf66abc7ba32f3b97dffdd703873a2

    SHA256

    eb00e0a46c10f5699b6a98eb2dfa75faece562293f5f8bb30ac0a16762d06851

    SHA512

    2ea8a8aacd72933d473541f2639d3fd27dbd35aa0163ae88a85053db432585620b04e1247cf069fb83e5a35346fde04f18950f98799aa49a01573d85008d2c8c

    Download Submit

  • C:\Windows\SysWOW64\smnss.exe
    Filesize

    1.8MB

    MD5

    2050df12baa0bb0d3436659b15d85240

    SHA1

    9e86f37549babdc8a57a39a7bab71834492dfeac

    SHA256

    35991c6f56b02d72c56dabcf0d9b12c0c2ddd4cbe54f094311a971926078bfb3

    SHA512

    ae173545278c46740f38931bd2e3fbd606b89557e4bb11e914c3298e57f58ad75daf3f998d2ae2fa3ea4994a29d8e492d6037879829054acceb232f4b51c6b23

    Download Submit

  • \Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    07a20dfa5408fbbd1554e5b689623a90

    SHA1

    ca10f63b37b167debae0223acae4d9d5dcdbaf66

    SHA256

    668a57f06dece26bd210414ea9f67edde21b657fcc913bdee33068dcb0d264e0

    SHA512

    b5bb97e5cbee80b0c7bf01bb046ccec4e6326c9cccf4215ee695241990137eeaf31ccbe4a68c7444f67be90143844f13233478ba5afe004cb4b3d0ada63efe64

    Download Submit

  • \Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    59abcca6f07f63887cb40e1baf75f86c

    SHA1

    9702e17ebcef003ff49a37f4e32bced9e6894968

    SHA256

    13a6f2c5d7f51a72689718ceb6b5afd9a012c4feb44484c58dcfb5cce60b21e1

    SHA512

    a4f2ea80bfc3efba13f6dd915d75c931d2fc040f22975d28a4f95b7381af53d3a5dbab183762cc73037a44bb31a8cee0d17a10e2c3bb874d2c22bdebb6913df0

    Download Submit

  • \Windows\SysWOW64\smnss.exe
    Filesize

    1.6MB

    MD5

    294a5470b475251a405110783cb174c7

    SHA1

    4f9624cb17e06fb0024de2ea0badb90d2703a3e0

    SHA256

    22a39df32ee31c30c11015dc8cf9f3fdab0741e439e46225f6b42cbdb05d9bd7

    SHA512

    22e5d56184fc860a1f3856b58507cbd6ea0af3f5291fd2c7d39d0c709c8921c376e852884a3ed95937025dac40fe2e94d7184f7822ab37654c2d02fd108f711b

    Download Submit

  • \Windows\SysWOW64\smnss.exe
    Filesize

    1.7MB

    MD5

    0d07546abc4c104f64c8cd9e79f80116

    SHA1

    17371d2473e93942e59077a4fa2e04d2ec67c879

    SHA256

    1cd03eae4f1f1c66ef19b083c7249c26c109298613129abbc9e966f0e6b87a76

    SHA512

    d2534ac13bf6f69cdadd19c87db5436da33da7c3ddee273d64cc5d38283ae2e5b766076dad16a96cc86d6a75a730cd078de2ba9e5e336e75f1638240829d4406

    Download Submit

  • \Windows\SysWOW64\smnss.exe
    Filesize

    2.4MB

    MD5

    f84c1abd04e7e1233a921e89be81c497

    SHA1

    fd0b1d6918b132e80041f70827f44b1ae23caa3c

    SHA256

    a893f75927a8262547791ed4e56112937102f5aa4e75f2050f6c0f0f198c108f

    SHA512

    8829a1dccd6e33c5c7445deb6a03e2079417465528500a9b324105cf16e1daddae4fac299b0c4ed8ec6c0e6b907a3cd40744a4f43b73d0ac5650f9f6be86517f

    Download Submit

  • memory/2008-13-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2008-34-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2008-24-0x0000000000400000-0x0000000000DD3000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2008-32-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2008-25-0x0000000000180000-0x0000000000189000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2008-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2008-0-0x0000000000400000-0x0000000000DD3000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2616-35-0x0000000000400000-0x0000000000DD3000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2616-43-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2616-36-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2616-47-0x0000000000400000-0x0000000000DD3000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2616-51-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2664-33-0x00000000008C0000-0x0000000001293000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2664-30-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download