Analysis

  • max time kernel
    93s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/04/2024, 03:58

General

  • Target

    f7966dfb517e24ae29b2c8d15ac469650fb66383dc8bdc7660b234be17eadc30.exe

  • Size

    56KB

  • MD5

    1e2508e4ee2364ae848d7b6d8b09789b

  • SHA1

    b7c1f4d1c378df6108a03d04ff3e3605fa59a0a9

  • SHA256

    f7966dfb517e24ae29b2c8d15ac469650fb66383dc8bdc7660b234be17eadc30

  • SHA512

    acb03b04f88050683b3dc75bf9cdfc8aac944af4bc82a2e14f86a9784163313c4ec512ec4b9a5b98801352d0cc6fd74bc7d0cd54c15a1496ca1b96b61f9ae527

  • SSDEEP

    1536:Jq5VwWDjDkdTRqHFOn8tIbbeYiuZIFS9b:Jq5ud9qHFO8Kf3rIIb

Score
9/10

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 11 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7966dfb517e24ae29b2c8d15ac469650fb66383dc8bdc7660b234be17eadc30.exe
    "C:\Users\Admin\AppData\Local\Temp\f7966dfb517e24ae29b2c8d15ac469650fb66383dc8bdc7660b234be17eadc30.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4344
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3360
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:4828
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 1332
          4⤵
          • Program crash
          PID:708
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4828 -ip 4828
    1⤵
      PID:4440

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\ctfmen.exe

      Filesize

      4KB

      MD5

      ffd7793e386f946347a67e4b5436ec0d

      SHA1

      c54ff4daf42a2b8727ab80db4f4472a86ae77508

      SHA256

      a4bfd13e705e2029d62cbb2f8491754ae18a6f7aed2718ada74336f136f07177

      SHA512

      0a7423e37046c907d3ab139393b962607001a8f04c8959581f7095ead6751167cc66012e274cfe63d69ed3db35940efcd45560888700033295833c37546fa885

    • C:\Windows\SysWOW64\grcopy.dll

      Filesize

      56KB

      MD5

      2eaac65002b26c35d90b7aa1f7d1893a

      SHA1

      c5c27a85581dc6874b9a39217e8881e22929a6ee

      SHA256

      8ba37747b4c438197015e3fac6e08b6d0bf996ba1f599d26640c235fe8e749a7

      SHA512

      b793b6d29a681f22fa7a4cfb5ffa7e7b71684079598b1ae249b5317a5540893d84a9e35789d68b2babd8d43b1452880c3a26f363bb0cece661399c577dfde8e1

    • C:\Windows\SysWOW64\satornas.dll

      Filesize

      183B

      MD5

      4ae5319b03cd7050ef0b7150cc38e316

      SHA1

      04d4cdcc685a195caed9caa28c6e0ec01b8fee33

      SHA256

      7920bf2cd105a2b31def0fe3060fa5d4ecd0ed75ebabf4e80fe96680cf5bea95

      SHA512

      e066c12679469aa5907c9dd23a89d4b74908bbb463ae061aefefa3d06616b9260127fd6759a9c621e4e55f2749c45117e5bf509d5c0e8ff70268a88225c141c7

    • C:\Windows\SysWOW64\shervans.dll

      Filesize

      8KB

      MD5

      a2410883f5f51cfbfe10a45280e093a5

      SHA1

      3baa04fbd6b308b9645c61eaf954f5f327e50d26

      SHA256

      eb4a05716564d4ed5f5c1f2c323fe8af21a633bb8d79e958b9d89b4a88a4715f

      SHA512

      115dfb65d62b10f8dfe591c0ec6d19e382ab8df76b41ee8d2c165a7459ef6f64352513f5c59f1e5a53af461e29fff198f9a2df2cc2b870a91e4cf8203562743a

    • memory/3360-25-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/4344-0-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/4344-13-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/4344-21-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/4344-24-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/4828-30-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/4828-36-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/4828-37-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB