Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/04/2024, 21:39

General

  • Target: 61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe
  • Size: 70KB
  • MD5: 207c326e20f5f8c5d5fba3c4e57d1b7b
  • SHA1: 5f98ad6fb4408c3dd71d8c6795a762adaabe6364
  • SHA256: 61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb
  • SHA512: d4fb12ef887dfab386cf7b10d6240348b8a1ef970be1df88ee566695f1f3babf51b924e0146869d14c14bb93ef2b276b8b475c7e9e57ad9748ab976be6966b82
  • SSDEEP: 1536:Gq5VwWDjDkdTRqHFOn8tIbbeYiuZIFS9b1YTjipvF2a:Gq5ud9qHFO8Kf3rIIb1YvQd2a

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 18 IoCs
  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe
    "C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2860

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\satornas.dll
    Filesize: 183B
    MD5: dbcbd299bcd93cd1640a50753e807aea
    SHA1: b140418ff4b1ebd7909e0e3df6747a87cb04b606
    SHA256: 14ec0acb50e47344c9b0861a2a3c0b6a0717573296b38175f34332e848a2c818
    SHA512: ca79edf943cdf3be693ffada8ff09359ddc7d70abe7dd052b1e5332cc9c5500bc6c1e801b5001cc3b3c3e16581de21b6e4f626b187105f2c06f359ea620d76c3

  • C:\Windows\SysWOW64\smnss.exe
    Filesize: 70KB
    MD5: 9a615726dfe36cb23522e63e9de6eaf5
    SHA1: 82b2e4fbfe7cfdc11aa8a97f2849a28a3fb165f4
    SHA256: cb0b27b3f95d1ec1162879ba309fccf8dc68db73cffb86075aa34c68acc874fb
    SHA512: ce718b74c6cfc6d907cce517a1d5bd549743eb7e9e30d975dd93d22d4368b7b78fc6202ce3c720ea3eff642dad0c046620767afe9a619eb09022f9c6f595d7dc

  • \Windows\SysWOW64\ctfmen.exe
    Filesize: 4KB
    MD5: a53b271b9ce609b8d4de6f318e2cf4b4
    SHA1: f742446b8d793e2a7768e70a370c1df3b562e0ed
    SHA256: a90f7dc54788a3e08e02a3f8b3a87c0f0bf7b043f77fdbf3768a481800f3e0d7
    SHA512: 7772801b25c3f6418c2535dc735402943c3f916aee98f943857705475a5490828736ee7fd9a07889c387b3caab4ff96138990994c32e7ca20fd982ea63d3c7d5

  • \Windows\SysWOW64\shervans.dll
    Filesize: 8KB
    MD5: 43902d0d06342afd39a12ec766bd0907
    SHA1: 9c09ebea35192433b51f79914df539811d857b09
    SHA256: 239733f11652f3db3638d19f588477fd9e0fb2598b0c4bb0da9e4145c6186153
    SHA512: 36757d33ce3d7c4b29139fe01e32ba08578d931e5892aec4c4532cb2fcd94443d6beb3740f72418b8bdc0d42212d86469b2e0f4ca41db99e96b81461625694f4

  • memory/1976-0-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/1976-12-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB

  • memory/1976-18-0x00000000002B0000-0x00000000002B9000-memory.dmp
    Filesize: 36KB

  • memory/1976-31-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB

  • memory/1976-30-0x00000000002B0000-0x00000000002B9000-memory.dmp
    Filesize: 36KB

  • memory/1976-25-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/2520-29-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB

  • memory/2860-34-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/2860-40-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB

  • memory/2860-42-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB

  • memory/2860-41-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/2860-43-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/2860-45-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/2860-47-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/2860-49-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/2860-55-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB