Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
- submitted: 22/04/2024, 00:33
Static task
- static1
Behavioral task
- behavioral1
  Sample: 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
  Resource: win7-20240220-en
Behavioral task
- behavioral2
  Sample: 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
  Resource: win10v2004-20240412-en
General
- Target: 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
- Size: 147KB
- MD5: 56d2523afd8158dc25ad1f8cf6a4247f
- SHA1: 3a23101dfa485cacfe9b3507bebca127b5ded85f
- SHA256: 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8
- SHA512: 2b0cc5e739abc64368e039e45b77cab411991ff5b2895e3e5f2b87ed056b306a143f077a5ec29f9b76623b21733ad4a1d8b13e5c6dfd883ae65bc43d9caaa088
- SSDEEP: 3072:LOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPP1:LIs9OKofHfHTXQLzgvnzHPowYbvrjD/C
Malware Config
Signatures
All IoCs below were recorded in behavioral2 (the win10v2004-20240412-en run); the behavioral1 (win7) run has no entries on this page.
UPX dump on OEP (original entry point): 11 IoCs
resource | yara_rule
behavioral2/memory/3536-0-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
behavioral2/files/0x000b0000000233f4-10.dat | UPX
behavioral2/files/0x000900000002342a-15.dat | UPX
behavioral2/memory/3536-18-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
behavioral2/files/0x001c00000001e97e-20.dat | UPX
behavioral2/memory/2304-26-0x0000000000400000-0x0000000000409000-memory.dmp | UPX
behavioral2/memory/3536-21-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
behavioral2/memory/3536-24-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
behavioral2/memory/1768-30-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
behavioral2/memory/1768-36-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
behavioral2/memory/1768-38-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
The 0x00400000 regions are the main images of the sample (3536), ctfmen.exe (2304) and smnss.exe (1768). The 0x10000000-0x1000D000 region in 3536 and 1768 sits at the default image base of a 32-bit DLL and matches the two processes that "Loads dropped DLL" flags below, so the dropped DLLs are UPX-packed as well as the executables.
ACProtect 1.3x - 1.4x DLL software: 1 IoC
Detects file using ACProtect software.
resource | yara_rule
behavioral2/files/0x000b0000000233f4-10.dat | acprotect
This dropped file also matches the UPX rule above; the ACProtect hit is a static rule match on the file, not evidence of a second unpacking stage.
Executes dropped EXE: 2 IoCs
pid | Process
2304 | ctfmen.exe
1768 | smnss.exe
Loads dropped DLL: 2 IoCs
pid | Process
3536 | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
1768 | smnss.exe
Adds Run key to start application: 2 TTPs, 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
The writers are 32-bit processes, so the value lands in the WOW6432Node view of the Run key and names C:\Windows\system32, while the file they actually wrote is C:\Windows\SysWOW64\ctfmen.exe (see "Drops file in System32 directory"), the redirected view of system32 for a 32-bit process. When hunting, check both the native and the WOW6432Node Run key and both file paths.
Maps connected drives based on registry: 3 TTPs, 6 IoCs
Disk information is often read in order to detect sandboxing environments: the numbered values under Disk\Enum hold the Plug and Play IDs of the attached disks, which on a virtual machine usually name the hypervisor's virtual disk vendor or product.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | smnss.exe
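To see what this check actually exposes, the following added example (not part of the tria.ge report, and not the sample's own code) parses the Disk\Enum values the sample queries and flags the hypervisor strings a sandbox-aware binary would look for. The report does not say which strings this sample compares against, so the VM_MARKERS list is an assumption of common hypervisor identifiers, and the sample PnP IDs are constructed; read_disk_enum() reads the live key only on Windows and returns nothing elsewhere.

```python
"""Inspect the disk enumeration key this signature flags for VM fingerprints.

Added example, not part of the tria.ge report and not the sample's code.  The
sample reads HKLM\\SYSTEM\\ControlSet001\\Services\\Disk\\Enum values 0 and 1;
those values hold the Plug and Play IDs of attached disks, which on a virtual
machine usually carry the hypervisor's vendor or product string.  VM_MARKERS is
an assumed list of common hypervisor identifiers, and the example PnP IDs below
are constructed; the report does not say which strings the sample looks for.
"""
import re
import sys

# Assumed hypervisor/sandbox markers; extend for your own sandbox images.
VM_MARKERS = ("VMWARE", "VBOX", "VIRTUALBOX", "QEMU", "VIRTIO", "XEN",
              "VIRTUAL_DISK", "VIRTUAL DISK", "MSFT VIRTUAL", "PARALLELS")

# Ven_xxx&Prod_yyy appear in SCSI-style PnP IDs; IDE-style IDs have no such fields.
PNP_RE = re.compile(r"Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)", re.I)


def parse_pnp_id(pnp_id):
    """Split a disk PnP ID into bus, vendor and product; empty strings when absent."""
    bus = pnp_id.split("\\", 1)[0]
    m = PNP_RE.search(pnp_id)
    vendor = m.group("vendor").strip("_") if m else ""
    product = m.group("product").strip("_") if m else ""
    return {"bus": bus, "vendor": vendor, "product": product}


def vm_marker(pnp_id):
    """Return the first VM marker found anywhere in the ID (so IDE IDs count), else None."""
    haystack = pnp_id.upper().replace("&", " ")
    for marker in VM_MARKERS:
        if marker in haystack:
            return marker
    return None


def classify_disk_enum(values):
    """Return [(pnp_id, parsed_fields, marker)] for each value that looks virtual."""
    hits = []
    for v in values:
        marker = vm_marker(v)
        if marker:
            hits.append((v, parse_pnp_id(v), marker))
    return hits


def read_disk_enum():
    """Read the live key on Windows; return [] elsewhere so the module imports anywhere."""
    if not sys.platform.startswith("win"):
        return []
    import winreg  # Windows-only module, imported lazily on purpose
    values = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services\Disk\Enum") as key:
        count, _ = winreg.QueryValueEx(key, "Count")
        for i in range(count):
            values.append(winreg.QueryValueEx(key, str(i))[0])
    return values


# Constructed example values (not taken from any real host or from the report).
CONSTRUCTED_VM = [
    r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1982005&0&000000",
    r"IDE\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____\5&cd8a3d8&0&1.0.0",
]
CONSTRUCTED_PHYSICAL = [
    r"SCSI\Disk&Ven_NVMe&Prod_Samsung_SSD_970\4&2c8c4b06&0&000000",
]

if __name__ == "__main__":
    live = read_disk_enum() or CONSTRUCTED_VM
    for pnp_id, parsed, marker in classify_disk_enum(live):
        print(f"{marker:12s} bus={parsed['bus']} vendor={parsed['vendor']!r} product={parsed['product']!r}")
```

Run it on a sandbox image to see whether the disk IDs give the image away; if classify_disk_enum() returns hits, the value strings are what this sample, and others using the same check, would read. Note that the sandbox recorded the sample reading ControlSet001 directly, whereas the example reads CurrentControlSet, which is the symbolic link to the active control set.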
Drops file in System32 directory: 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\ctfmen.exe | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
File created | C:\Windows\SysWOW64\shervans.dll | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
File created | C:\Windows\SysWOW64\grcopy.dll | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
File opened for modification | C:\Windows\SysWOW64\shervans.dll | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
File created | C:\Windows\SysWOW64\satornas.dll | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
File opened for modification | C:\Windows\SysWOW64\grcopy.dll | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
File created | C:\Windows\SysWOW64\smnss.exe | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
File opened for modification | C:\Windows\SysWOW64\satornas.dll | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
Program crash: 1 IoC
pid | pid_target | Process | procid_target
2040 | 1768 | WerFault.exe | 93
smnss.exe (PID 1768) crashed during the run and was handled by WerFault.exe, so any behaviour it would have shown after that point is not captured in this report.
Modifies registry class: 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
Setting the default value of InprocServer32 registers the dropped shervans.dll as the in-process COM server for this CLSID in the 32-bit (WOW6432Node) view: any 32-bit process that instantiates the CLSID will load that DLL. This is a second persistence and code-loading path alongside the Run key.
Suspicious use of AdjustPrivilegeToken: 1 IoC
description | pid | Process
Token: SeDebugPrivilege | 1768 | smnss.exe
Suspicious use of WriteProcessMemory: 6 IoCs
description | pid | Process | procid_target
PID 3536 wrote to memory of 2304 | 3536 | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe | 92
PID 3536 wrote to memory of 2304 | 3536 | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe | 92
PID 3536 wrote to memory of 2304 | 3536 | 92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe | 92
PID 2304 wrote to memory of 1768 | 2304 | ctfmen.exe | 93
PID 2304 wrote to memory of 1768 | 2304 | ctfmen.exe | 93
PID 2304 wrote to memory of 1768 | 2304 | ctfmen.exe | 93
Both targets are children the writing process itself started (3536 launched 2304, and 2304 launched 1768, as the process tree shows), so these entries reflect process creation rather than writes into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3536
    C:\Windows\SysWOW64\ctfmen.exe
      Command line: ctfmen.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 2304
        C:\Windows\SysWOW64\smnss.exe
          Command line: C:\Windows\system32\smnss.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Maps connected drives based on registry
          - Drops file in System32 directory
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          PID: 1768
            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1336
              - Program crash
              PID: 2040
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1768 -ip 1768
  PID: 2908
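The Run key, COM InprocServer32, dropped-file and process-chain indicators above are enough to write a host-side check. The following is an added example (not part of the tria.ge report and not the sample's own code) that matches Sysmon-style process-create, file-create and registry-set events against those indicators. The indicator constants are copied from the report; the EVENTS list is constructed to resemble Sysmon event IDs 1, 11 and 13 and is not real telemetry, and the field names (image, parent_image, target, details) are an assumed flattening of Sysmon's Image/ParentImage/TargetObject/Details. The two normalisers exist because the sample is 32-bit: its files land in SysWOW64 while its command lines and Run value say system32, and its HKLM keys appear under WOW6432Node, so a rule written from either view has to match the other.

```python
"""Match Sysmon-style telemetry against the indicators in this report.

Added example, not part of the tria.ge report and not the sample's own code.
The indicator constants are copied from the report; EVENTS is constructed to
look like Sysmon event IDs 1 (process create), 11 (file create) and 13
(registry value set) and is not real telemetry.  Field names are an assumed
flattening of Sysmon's Image/ParentImage/TargetObject/Details.

The sample is 32-bit: file drops land in C:\\Windows\\SysWOW64 while its own
command lines and the Run key value say C:\\Windows\\system32, and the HKLM
keys it writes appear under WOW6432Node.  The normalisers fold those aliases
onto one form so a rule written from the report matches either view.
"""

# Indicators taken from the report, as the sandbox recorded them.
DROPPED_FILES = {
    r"C:\Windows\SysWOW64\ctfmen.exe",
    r"C:\Windows\SysWOW64\smnss.exe",
    r"C:\Windows\SysWOW64\shervans.dll",
    r"C:\Windows\SysWOW64\grcopy.dll",
    r"C:\Windows\SysWOW64\satornas.dll",
    r"C:\Windows\SysWOW64\zipfi.dll",
    r"C:\Windows\SysWOW64\zipfiaq.dll",
}
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen"
RUN_VALUE = r"C:\Windows\system32\ctfmen.exe"
COM_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID"
           r"\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\(Default)")
COM_VALUE = r"C:\Windows\SysWow64\shervans.dll"
PROCESS_CHAIN = ("ctfmen.exe", "smnss.exe")  # (parent basename, child basename)


def norm_path(p):
    """Lower-case, strip quotes, and fold system32/SysWOW64 onto one alias."""
    p = p.strip('"').lower()
    for alias in ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"):
        if p.startswith(alias):
            return "c:\\windows\\syswow64\\" + p[len(alias):]
    return p


def norm_regkey(k):
    """Lower-case, map the NT root to HKLM, and drop the WOW6432Node view."""
    k = k.lower().replace("\\registry\\machine\\", "hklm\\")
    return k.replace("\\wow6432node", "")


def basename(p):
    return norm_path(p).rsplit("\\", 1)[-1]


NORM_DROPPED = {norm_path(f) for f in DROPPED_FILES}
DROPPED_BASENAMES = {basename(f) for f in DROPPED_FILES}
REG_RULES = {
    norm_regkey(RUN_KEY): (norm_path(RUN_VALUE), "run_key_persistence"),
    norm_regkey(COM_KEY): (norm_path(COM_VALUE), "com_inprocserver32_hijack"),
}


def match_event(e):
    """Return the indicator category a single event matches, or None."""
    if e["id"] == 11:
        return "dropped_file" if norm_path(e["target"]) in NORM_DROPPED else None
    if e["id"] == 13:
        rule = REG_RULES.get(norm_regkey(e["target"]))
        if rule and norm_path(e["details"]) == rule[0]:
            return rule[1]
        return None
    if e["id"] == 1:
        parent, child = basename(e["parent_image"]), basename(e["image"])
        if (parent, child) == PROCESS_CHAIN:
            return "process_chain"
        if child in DROPPED_BASENAMES:
            return "dropped_exe_executed"
    return None


def match_events(events):
    """Return [(category, event)] for every event that matches an indicator."""
    hits = []
    for e in events:
        cat = match_event(e)
        if cat:
            hits.append((cat, e))
    return hits


# Constructed events, not real telemetry; the notepad.exe line is a benign control.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\SysWOW64\ctfmen.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\92aa5c5b742b0a3316f6875c819e4dbbf01c337c43aeff16f6dc09a0bbd778e8.exe"},
    {"id": 1, "image": r"C:\Windows\SysWOW64\smnss.exe", "parent_image": r"C:\Windows\SysWOW64\ctfmen.exe"},
    {"id": 11, "target": r"C:\Windows\SysWOW64\shervans.dll"},
    {"id": 11, "target": r"C:\Windows\System32\notepad.exe"},
    {"id": 13, "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen",
     "details": r"C:\Windows\system32\ctfmen.exe"},
    {"id": 13, "target": COM_KEY, "details": r"C:\Windows\SysWow64\shervans.dll"},
]

if __name__ == "__main__":
    for cat, e in match_events(EVENTS):
        print(f"{cat:28s} {e.get('target') or e['image']}")
```

The file names and CLSID are specific to this sample, so the rules are narrow on purpose; the normalisers are the reusable part, since any 32-bit dropper on x64 produces the same system32/SysWOW64 and WOW6432Node split between what the sandbox logs and what a native 64-bit agent reports.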
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4KB
  MD5: 153757920e76d5e7a5639a47f59a26f7
  SHA1: 92b1560064a5179ff773c0d50d4b6a59411ff0d9
  SHA256: 9b5990c7cf88f0bdbbe0ea346c88f8c7ca66a773c6785cba47276e94a4c0af61
  SHA512: 855db3bd23c9afcc6d2b18f928962a2c1d75331d7c99ad922214b069c70917cc27fd4af18853747d75c4078166cb725853757967b6bc0ed1fafc05188e5b5f79
- Filesize: 147KB
  MD5: 17d9cca71ffaf56f8bfee48fc9abb44d
  SHA1: 543c53255393a64436664e8843c5b4fbd93ce1fe
  SHA256: 7a9419deea78deb22b3adc0ab3951bd51f9bfd4be79595d27c70588e0d0b6d87
  SHA512: 1f3880bb734853a3af235a7c2894e16332341d606ff2f5596639ebb0f6da48f05f7bf364278fbc395caa3ea74b85a73ffbbddef89d222efd7e987c2dee3c6459
- Filesize: 183B
  MD5: ac38bbf2d9724c8af61ba3f88551a73f
  SHA1: 9a0798fc44981f7ff1621af8f9af78a09f404f24
  SHA256: 8f8e6b9253f1fd64c8a505e2f1faf0355b2286e235290ec13a6ad3a2a8c17f40
  SHA512: 8a95d3d1633ae0ebf92c8eff45cf81a865c1161176984f8fcec8e09c23b69537aad7e713580b6927327c82eb5120b745035c88ee899c3ea314b63c56987d94cd
- Filesize: 8KB
  MD5: fcdfd2701b6d6f2d2e59426b6bfda64e
  SHA1: dca7d31299da59d5266bc0dfc7286dd02ccc0716
  SHA256: 98558adae220416b0e1c6387064009cbda641520b40c723d8c71463377b0b23a
  SHA512: 599c66a2096c398fb5bbb6eb09e529da394537dfa6e99853c04e53a59dcc9a30a3dadb87b41847c0451c2b6d90a004de6d955a655617abc0647d1bf79b4b8934