
Analysis

  • max time kernel: 149s
  • max time network: 153s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 06/04/2024, 21:39

General

  • Target: 61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe
  • Size: 70KB
  • MD5: 207c326e20f5f8c5d5fba3c4e57d1b7b
  • SHA1: 5f98ad6fb4408c3dd71d8c6795a762adaabe6364
  • SHA256: 61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb
  • SHA512: d4fb12ef887dfab386cf7b10d6240348b8a1ef970be1df88ee566695f1f3babf51b924e0146869d14c14bb93ef2b276b8b475c7e9e57ad9748ab976be6966b82
  • SSDEEP: 1536:Gq5VwWDjDkdTRqHFOn8tIbbeYiuZIFS9b1YTjipvF2a:Gq5ud9qHFO8Kf3rIIb1YvQd2a

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 18 IoCs
  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe
    "C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:4944

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\ctfmen.exe
    Filesize: 4KB
    MD5: 3507f16f17047d57a8bb8b83330b86d8
    SHA1: 5610bf405dbec5b98b20d202fcfae7b55b65a207
    SHA256: 6305bb90f5055a66f30bab1e9ce94e0be9944089e8e339ffa6d21b6e7263fcfc
    SHA512: bad0effa2b7409bb85ad107c422406bfa1ce816d27bc2f663e88941ce63c2d3ecc8b61e3eb80ac605949d67fbadbe1cbb08bc795022bdc39efd6961561c6f25f

  • C:\Windows\SysWOW64\grcopy.dll
    Filesize: 70KB
    MD5: 3659e54ee91ddc86b44bc1bf52bebe51
    SHA1: e7a94a06c931c7c6f5e20d99758002ad81404f2b
    SHA256: c5219c4d6bec2b10e9b8f586838b706dc85f29877bfaaae4f74bd94b89faf57e
    SHA512: 6de18df7ae89b62f1e24b6260e10f4515434d63b1362a9bcef7f33842aa52a4499fc71f6ad1500881d005a8256362f69e3b38d9d24d16559c2458c9de3ff6bf6

  • C:\Windows\SysWOW64\satornas.dll
    Filesize: 183B
    MD5: ae2be29a7b2060242edd864d1e60d8da
    SHA1: a6fe7bb7d97bc81f5a86cd093406abfd87c839d0
    SHA256: 96eef8cbee44882d7abe85a318e7d1c5cafc3f5db417727732ba9051b08dbd7b
    SHA512: 44c00c5596dc3455b993d82a4d491fc566a834a9f197eb26730b71c527125c94cb644ddf186de9a1d02f1932d13c278029b808501d19bba3fe4585439cb88904

  • C:\Windows\SysWOW64\shervans.dll
    Filesize: 8KB
    MD5: bb493278408dfd74589f4032804adf5a
    SHA1: b522d5f7109fcdc212ffa393d6cc5c2d9c09b8d6
    SHA256: 99c8b1401a44c4fc60b0d424811afbe10718f26d512e00dfe1a1ba85fbc39a9a
    SHA512: 7d2460228c2b6c872c644e923c6c26e3304322fd096d9126e3e7f56bd92564397c9b1573dfdc6479c348df5fb68656bf44fa1c1d769fc032a3ece98bf5d38d6d

  • memory/2696-26-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
  • memory/4760-21-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
  • memory/4760-18-0x0000000010000000-0x000000001000D000-memory.dmp (Filesize: 52KB)
  • memory/4760-24-0x0000000010000000-0x000000001000D000-memory.dmp (Filesize: 52KB)
  • memory/4760-0-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
  • memory/4944-38-0x0000000010000000-0x000000001000D000-memory.dmp (Filesize: 52KB)
  • memory/4944-35-0x0000000010000000-0x000000001000D000-memory.dmp (Filesize: 52KB)
  • memory/4944-37-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
  • memory/4944-28-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
  • memory/4944-39-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
  • memory/4944-41-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
  • memory/4944-43-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
  • memory/4944-45-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
  • memory/4944-47-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
  • memory/4944-51-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)