Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 122s
max time network: 122s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 02/05/2024, 03:51
Static task
static1
Behavioral task
behavioral1
Sample
ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
Resource
win10v2004-20240419-en
General
Target: ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
Size: 75KB
MD5: 1fe48d9f38359fd9789c9ce33e04527f
SHA1: 0e66ee220a59c21777879c6f6142cd42dbb0f607
SHA256: ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164
SHA512: 960c0a4e72e16ec4cbbb6a160f733b3d77c2365174736d86521181052ca85eb0dd4ec040eb3c9de5ef9aabe3d2e311be2f3ea6ea4371730fe8a5369b720d2e56
SSDEEP: 1536:1x1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3B:fOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPp
Malware Config
Signatures
UPX dump on OEP (original entry point) 7 IoCs
resource | yara_rule
behavioral1/files/0x003900000001340c-9.dat | UPX
behavioral1/memory/2220-15-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
behavioral1/files/0x000c00000001315b-16.dat | UPX
behavioral1/memory/2220-17-0x0000000000340000-0x0000000000349000-memory.dmp | UPX
behavioral1/memory/2220-26-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
behavioral1/memory/2604-29-0x0000000000400000-0x0000000000409000-memory.dmp | UPX
behavioral1/memory/2340-39-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x003900000001340c-9.dat | acprotect
Executes dropped EXE 2 IoCs
pid | Process
2604 | ctfmen.exe
2340 | smnss.exe
Loads dropped DLL 6 IoCs
pid | Process
2220 | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
2220 | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
2220 | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
2604 | ctfmen.exe
2604 | ctfmen.exe
2340 | smnss.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | smnss.exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\shervans.dll | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
File created | C:\Windows\SysWOW64\grcopy.dll | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
File opened for modification | C:\Windows\SysWOW64\grcopy.dll | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
File opened for modification | C:\Windows\SysWOW64\shervans.dll | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
File created | C:\Windows\SysWOW64\smnss.exe | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
File opened for modification | C:\Windows\SysWOW64\satornas.dll | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
File created | C:\Windows\SysWOW64\satornas.dll | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
File created | C:\Windows\SysWOW64\ctfmen.exe | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\README.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\it.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tt.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\kab.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sk.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm | smnss.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\Filters.xml | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\History.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\eo.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sw.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml | smnss.exe
File opened for modification | C:\Program Files\Internet Explorer\Timeline.cpu.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sq.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\br.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spl.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\co.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\he.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sv.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\th.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\be.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\License.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml | smnss.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\nl.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\io.txt | smnss.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2452 | 2340 | WerFault.exe | 29
Modifies registry class 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2340 | smnss.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2220 wrote to memory of 2604 | 2220 | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe | 28
PID 2220 wrote to memory of 2604 | 2220 | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe | 28
PID 2220 wrote to memory of 2604 | 2220 | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe | 28
PID 2220 wrote to memory of 2604 | 2220 | ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe | 28
PID 2604 wrote to memory of 2340 | 2604 | ctfmen.exe | 29
PID 2604 wrote to memory of 2340 | 2604 | ctfmen.exe | 29
PID 2604 wrote to memory of 2340 | 2604 | ctfmen.exe | 29
PID 2604 wrote to memory of 2340 | 2604 | ctfmen.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ce74cee8c8e1e1b47747018d918d6eb055292e1b7a6bbaa1e3523620e70af164.exe"
  PID: 2220
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ctfmen.exe (depth 2)
    Command line: ctfmen.exe
    PID: 2604
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\smnss.exe (depth 3)
      Command line: C:\Windows\system32\smnss.exe
      PID: 2340
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 736
        PID: 2452
        - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 183B
MD5: 954037ec9966dbd19b983d192625bb9c
SHA1: dafc65e3364eb9177f60af1b5494125b38a41081
SHA256: 80b55b668ad66b5e57245a26b7e1d7b5562e1a10c341b2690e56e5886a66c177
SHA512: d83b736e3df5e3a1aad9b018a1a5e0c79735ecd5d26465fb13d9fbb4bf4a785d9999e24b6bfb2b94ca54589185d06e56363df5e02920eaa506c3baaba3f1d0d6

Filesize: 4KB
MD5: 6397803e5609969dd58ac37f6035af5f
SHA1: cc1970702e0d45c5331b7da8a4210e702b922fa3
SHA256: cc6118cc55b9ee09df1473a2e087ccf296b2e570ae5f5439acd225d671613181
SHA512: 6f5f703d8651090cd251349114c6e6ac231edd36ebcd4a8a77847cbe6ebbed831c8ed76aaadc9831203aa9e0c088aa7b0e1928b3e2995314bc82d9609e965326

Filesize: 8KB
MD5: 5968826850a45a40ad4cb66efae78727
SHA1: 2b0ac8de4a97617d3249e980a6ff82c44c5dfdb3
SHA256: a376b26e1d7a7d06665cc0a6635e64ebb7aa6c4d9f889e172c1c734b5fc8447a
SHA512: 4c9bad3ba5a819e3f222437eb02a920f8ae7cfe173c82c796dbd647cc49de0efdaf8b21542a9a0d16fc8aedfa877cb02642aeb8914c28eccffa876475f3d9c03

Filesize: 75KB
MD5: 083a003875dfbe9fb60f42f3aff17bf8
SHA1: 03e936951fb4b8c4fa10b246387fef661fa6b297
SHA256: b2731a3536a078e916906df33a621df17c2b50500d4046ab50e809cc63d1b98a
SHA512: 0ff9458c44f1301eeea9c3fca8ff53955ed468f0423df2a936410703352ad1802269071e196d433c4dfb49549636dde2d67550ca44e273a22e2c897bdbfafde1