Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/04/2024, 22:14
Static task: static1
Behavioral task: behavioral1
  Sample: 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe
  Resource: win10v2004-20240412-en
General
Target: 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe
Size: 118KB
MD5: 312d3cbe6a9271ccd3f83347fc32ff35
SHA1: 92e05ad1ab458a1bda12446fbfc940cbf9f8f3a7
SHA256: 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495
SHA512: 1f0c9197ea52ddedf3423b48022ed634775e2eb54499dd796b59fa8d2aed0dbdcc1afa162b72c54ba7b8201beed877948d230cf9bb6348e6cb725e98cb149048
SSDEEP: 3072:IOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPb:IIs9OKofHfHTXQLzgvnzHPowYbvrjD/m
Malware Config
Signatures
- UPX dump on OEP (original entry point): 11 IoCs
  resource | yara_rule
  behavioral2/memory/2608-0-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
  behavioral2/files/0x000300000001e970-10.dat | UPX
  behavioral2/files/0x00070000000233f1-15.dat | UPX
  behavioral2/memory/2608-18-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
  behavioral2/files/0x0005000000022f28-22.dat | UPX
  behavioral2/memory/2608-21-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
  behavioral2/memory/4728-26-0x0000000000400000-0x0000000000409000-memory.dmp | UPX
  behavioral2/memory/2608-24-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
  behavioral2/memory/764-29-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
  behavioral2/memory/764-36-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
  behavioral2/memory/764-38-0x0000000000400000-0x000000000041F000-memory.dmp | UPX

- ACProtect 1.3x - 1.4x DLL software: 1 IoC
  Detects file using ACProtect software.
  resource | yara_rule
  behavioral2/files/0x000300000001e970-10.dat | acprotect

- Executes dropped EXE: 2 IoCs
  pid | Process
  4728 | ctfmen.exe
  764 | smnss.exe

- Loads dropped DLL: 2 IoCs
  pid | Process
  2608 | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe
  764 | smnss.exe

- Adds Run key to start application: 2 TTPs, 2 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe

- Maps connected drives based on registry: 3 TTPs, 6 IoCs
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | smnss.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | smnss.exe

- Drops file in System32 directory: 12 IoCs
  description | ioc | Process
  File created | C:\Windows\SysWOW64\grcopy.dll | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe
  File opened for modification | C:\Windows\SysWOW64\grcopy.dll | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe
  File opened for modification | C:\Windows\SysWOW64\shervans.dll | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe
  File opened for modification | C:\Windows\SysWOW64\satornas.dll | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe
  File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
  File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
  File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
  File created | C:\Windows\SysWOW64\ctfmen.exe | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe
  File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe
  File created | C:\Windows\SysWOW64\shervans.dll | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe
  File created | C:\Windows\SysWOW64\smnss.exe | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe
  File created | C:\Windows\SysWOW64\satornas.dll | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe

- Program crash: 1 IoC
  pid | pid_target | Process | procid_target
  2072 | 764 | WerFault.exe | 97

- Modifies registry class: 6 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe

- Suspicious use of AdjustPrivilegeToken: 1 IoC
  description | pid | Process
  Token: SeDebugPrivilege | 764 | smnss.exe

- Suspicious use of WriteProcessMemory: 6 IoCs
  description | pid | Process | procid_target
  PID 2608 wrote to memory of 4728 | 2608 | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe | 96
  PID 2608 wrote to memory of 4728 | 2608 | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe | 96
  PID 2608 wrote to memory of 4728 | 2608 | 5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe | 96
  PID 4728 wrote to memory of 764 | 4728 | ctfmen.exe | 97
  PID 4728 wrote to memory of 764 | 4728 | ctfmen.exe | 97
  PID 4728 wrote to memory of 764 | 4728 | ctfmen.exe | 97
Processes
- C:\Users\Admin\AppData\Local\Temp\5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe (PID 2608)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ctfmen.exe (PID 4728)
    Command line: ctfmen.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\smnss.exe (PID 764)
      Command line: C:\Windows\system32\smnss.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 2072)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1344
        Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 5080)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 764 -ip 764
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4KB
  MD5: 0f344e53dd1504a0165042ce64dd17a4
  SHA1: 22b1dfeca7101f95c02ea59cd0b0888e80f163ec
  SHA256: 2c94dff8a1bef360f8148d65864d3f8f05bcbc1891fab8a6bf86e368ce19255c
  SHA512: 1c403b25a953b1ef80594073d0f7d376e45b9807ec2cd9e3166077124ac132cea9bda30e7727540004feb0f8a45d29c9ccbc2144fe2f97708d2d59f7c742e63c
- Filesize: 118KB
  MD5: baa298ddcaeef421807d136d4c0f05de
  SHA1: 33805736190797c570619f5ffeb8275764b62226
  SHA256: afbc8f718daed990f707da871643f22da83f8393df286da8b371fe4ec1593164
  SHA512: 2903bc87cd60408df511de3e8ad1e1a73f377dd43bc21c38d0a87a18c02add1284647557e5fd76a911ed066200163c883f1b2425b0cfd3e52edfab3494bac59b
- Filesize: 183B
  MD5: 939d805515a45a51b42f9390aa30700a
  SHA1: ab83e0f464739f45faf50027eeb0bf48048f255e
  SHA256: a306f34843d07250cb88c55de76236b747b199fb83d3b8bf7b2c849205d92396
  SHA512: 0fd5d1f4a8e5b6bdfad6232f27e900751ec9acb117cca5a7dcf4a8cb332cbc9c746a7b19cd1af781046b879c069343d74df85a7062db37befbb566ee8829ccca
- Filesize: 8KB
  MD5: c37b941472df09a8667efb9fb9791fa0
  SHA1: 841a8e8bf6a625967ef1ee45df86633fc819a109
  SHA256: b17bd2eb58f3dedc43a5a68287945ce8f1a166c3cf38fc5b5c9213ec4d6efe58
  SHA512: 3f98abfef2c09db76efd31e8767a5b1196e2e66e98b7c4fb45b64fbc4ecea181f5aea9cdb7121e5ba1b20ecc94980aa0abac6ce175b67e7f3022c06aeabb0782