Analysis

  • max time kernel
    139s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/04/2024, 02:20

General

  • Target

    b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe

  • Size

    118KB

  • MD5

    0b49a269b9f3f3a7b542bc147c1e03ee

  • SHA1

    07f8977cb56940d209a01b0dd53ffa5acb67f5d3

  • SHA256

    b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea

  • SHA512

    f7dc59cd7716f9c2459b6b4697488dc51e485d46fd8a6a24aff4e2a1dece7b7167240bfcfd802a37da937068eaa41ef3b89c5def44e1d807ce6d89fdc9d8a1e2

  • SSDEEP

    3072:bOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPX:bIs9OKofHfHTXQLzgvnzHPowYbvrjD/M

Score
9/10

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 11 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
    "C:\Users\Admin\AppData\Local\Temp\b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:708
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 1336
          4⤵
          • Program crash
          PID:1532
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 708 -ip 708
    1⤵
      PID:1972

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Windows\SysWOW64\ctfmen.exe

      Filesize

      4KB

      MD5

      9d355cf00de5dac80b05f22a874fe442

      SHA1

      075dcf9b4c6dcf789fe53f389b0226d4d72f6d24

      SHA256

      90bbf663d2da13930c27acb9fca8120c5b4442f403c127fefd0ae3db739a5e9c

      SHA512

      b56dc21fc8924f901488fb34a486fd16097a097ec2531261bed4b93647adaa50467c702d61c15dd710b7d73e03c6ffd0388dbdfde410955f8de7952fb801b9ab

    • C:\Windows\SysWOW64\grcopy.dll

      Filesize

      118KB

      MD5

      8651db6b2afc73d339a675dc4cff5d4a

      SHA1

      1c283277f0ed3ede7894df5453349c92600d344f

      SHA256

      d4c0e8e831e7f1f1193626cec17c22a0318def62300b5347e61c9ad1d398967c

      SHA512

      fc412271097ff635affa4780c5bbcb4c944f52f14032d881b984903083fde96c621d28cef6bc71cdbc3989460c1a5b11c4e7e9cc1e13525189e0fe38485317fe

    • C:\Windows\SysWOW64\satornas.dll

      Filesize

      183B

      MD5

      406ad9da61a4f96c18fab41159edff61

      SHA1

      dd0bdc65c0fda36517aca6ae395cd3e84ea7d43a

      SHA256

      fdfdc37a963a95fedddb624651c8ad96e1f57ffc9c14f06f84ba4f2e7300593c

      SHA512

      135c4021480ce23e7edc2c76aa3386958f10b0ee2a515d89a0e75b9e9eef4e65f370f4516952d777accdab71bc6177bd08cb01b2d35571824253cec5379ccbb0

    • C:\Windows\SysWOW64\shervans.dll

      Filesize

      8KB

      MD5

      b83238efff2262ad24353edaacf108cf

      SHA1

      7c23d85e2a06a4cd780535bf9c80cff42d845744

      SHA256

      dd67f048c8e388bdea9cf02ead0b3cc3b373fded28084e8f7649dfafa64dfbd6

      SHA512

      9bb1774ad2ef88f648fc45f1cc40ba9420a8b9ad7b13e39b4c1d70394b274835094d985cf2829901819362e45e54b93f74b262f9cc9d34928239ae0d04aabc58

    • memory/708-30-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/708-36-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/708-38-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/1480-26-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/2912-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2912-18-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/2912-21-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/2912-24-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB