Analysis
max time kernel: 136s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/05/2024, 01:41
Static task: static1
Behavioral task: behavioral1
  Sample: abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
  Resource: win10v2004-20240419-en
General
Target: abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
Size: 118KB
MD5: 39d1c54933870ae853f5acefb496079f
SHA1: 42d9c6ec9144478c28e4b38339ec0ce37946bb63
SHA256: abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d
SHA512: 474a73edbe7af4a4ca39afca0b35227d1ff87c625fac6d61b64b92889b3bafa4ac8f477a24639cb9e21e517b368a8d91dcb2b4002c33ba82102e472e6a619353
SSDEEP: 3072:COjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPb:CIs9OKofHfHTXQLzgvnzHPowYbvrjD/m
Malware Config
Signatures
UPX dump on OEP (original entry point) 12 IoCs
resource | yara_rule
behavioral2/memory/2208-0-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
behavioral2/files/0x000a000000023b72-10.dat | UPX
behavioral2/files/0x000a000000023b73-15.dat | UPX
behavioral2/memory/2208-18-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
behavioral2/files/0x000c000000023b5e-20.dat | UPX
behavioral2/memory/2208-24-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
behavioral2/memory/2208-22-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
behavioral2/memory/1480-25-0x0000000000400000-0x0000000000409000-memory.dmp | UPX
behavioral2/memory/1480-29-0x0000000000400000-0x0000000000409000-memory.dmp | UPX
behavioral2/memory/3032-32-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
behavioral2/memory/3032-38-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
behavioral2/memory/3032-40-0x0000000000400000-0x000000000041F000-memory.dmp | UPX

ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral2/files/0x000a000000023b72-10.dat | acprotect

Executes dropped EXE 2 IoCs
pid | Process
1480 | ctfmen.exe
3032 | smnss.exe

Loads dropped DLL 2 IoCs
pid | Process
2208 | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
3032 | smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | smnss.exe

Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
File created | C:\Windows\SysWOW64\ctfmen.exe | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
File created | C:\Windows\SysWOW64\shervans.dll | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
File opened for modification | C:\Windows\SysWOW64\grcopy.dll | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
File opened for modification | C:\Windows\SysWOW64\shervans.dll | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
File created | C:\Windows\SysWOW64\grcopy.dll | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
File created | C:\Windows\SysWOW64\smnss.exe | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
File created | C:\Windows\SysWOW64\satornas.dll | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
File opened for modification | C:\Windows\SysWOW64\satornas.dll | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\Lang\gl.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fa.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\io.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ja.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\eu.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\he.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mr.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\nb.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\nl.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ka.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\kaa.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\br.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ku.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\it.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sw.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\va.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sl.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hy.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\si.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\af.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\cy.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sk.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\uz-cyrl.txt | smnss.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2844 | 3032 | WerFault.exe | 95

Modifies registry class 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3032 | smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 2208 wrote to memory of 1480 | 2208 | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe | 94
PID 2208 wrote to memory of 1480 | 2208 | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe | 94
PID 2208 wrote to memory of 1480 | 2208 | abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe | 94
PID 1480 wrote to memory of 3032 | 1480 | ctfmen.exe | 95
PID 1480 wrote to memory of 3032 | 1480 | ctfmen.exe | 95
PID 1480 wrote to memory of 3032 | 1480 | ctfmen.exe | 95
Processes
Process tree (nesting shows parent/child; depth in parentheses)

(1) C:\Users\Admin\AppData\Local\Temp\abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe"
    PID: 2208
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    (2) C:\Windows\SysWOW64\ctfmen.exe
        Command line: ctfmen.exe
        PID: 1480
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        (3) C:\Windows\SysWOW64\smnss.exe
            Command line: C:\Windows\system32\smnss.exe
            PID: 3032
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Maps connected drives based on registry
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken

            (4) C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1500
                PID: 2844
                - Program crash

(1) C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3032 -ip 3032
    PID: 3264
Network
MITRE ATT&CK Enterprise v15
Downloads