Analysis
- max time kernel: 145s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05/05/2024, 01:17
Static task: static1
Behavioral task: behavioral1
- Sample: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe
- Resource: win10v2004-20240419-en
General
- Target: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe
- Size: 352KB
- MD5: 9d803a16241a6009ddd3c593d8c06bde
- SHA1: 3231386f0d741c36cc2f83f6b383540045648824
- SHA256: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45
- SHA512: e652d56441bece92df2a85fd8644ecff2b30ff7ba5554f4f4e651331a793fa2829ba80cf414fa77e91e1a5a130755bc1f964217c653885559c5ce729cbad2d30
- SSDEEP: 6144:RIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCe8i:oKofHfHTXQLzgvnzHPowYbvrjD/L7QPs
Malware Config
Signatures
UPX dump on OEP (original entry point) (11 IoCs)
resource / yara_rule:
- behavioral1/files/0x002e000000014698-10.dat (UPX)
- behavioral1/memory/2744-16-0x0000000010000000-0x000000001000D000-memory.dmp (UPX)
- behavioral1/memory/2744-18-0x0000000000340000-0x0000000000349000-memory.dmp (UPX)
- behavioral1/files/0x000c00000001445e-17.dat (UPX)
- behavioral1/memory/2556-26-0x0000000000400000-0x0000000000409000-memory.dmp (UPX)
- behavioral1/memory/2744-27-0x0000000010000000-0x000000001000D000-memory.dmp (UPX)
- behavioral1/files/0x0007000000014aec-30.dat (UPX)
- behavioral1/memory/2744-28-0x0000000000400000-0x0000000000460000-memory.dmp (UPX)
- behavioral1/memory/2608-35-0x0000000000400000-0x0000000000460000-memory.dmp (UPX)
- behavioral1/memory/2608-42-0x0000000010000000-0x000000001000D000-memory.dmp (UPX)
- behavioral1/memory/2608-45-0x0000000000400000-0x0000000000460000-memory.dmp (UPX)
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
resource / yara_rule:
- behavioral1/files/0x002e000000014698-10.dat (acprotect)
Executes dropped EXE (2 IoCs)
pid / Process:
- 2556 ctfmen.exe
- 2608 smnss.exe
Loads dropped DLL (9 IoCs)
pid / Process:
- 2744 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe (3 entries)
- 2556 ctfmen.exe (2 entries)
- 2608 smnss.exe (1 entry)
- 2008 WerFault.exe (3 entries)
Adds Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" (Process: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" (Process: smnss.exe)
Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (Process: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (Process: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 (Process: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (Process: smnss.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (Process: smnss.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 (Process: smnss.exe)
Drops file in System32 directory (12 IoCs)
description / ioc / Process:
- File opened for modification C:\Windows\SysWOW64\grcopy.dll (Process: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe)
- File opened for modification C:\Windows\SysWOW64\shervans.dll (Process: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe)
- File created C:\Windows\SysWOW64\smnss.exe (Process: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe)
- File opened for modification C:\Windows\SysWOW64\satornas.dll (Process: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe)
- File created C:\Windows\SysWOW64\zipfi.dll (Process: smnss.exe)
- File created C:\Windows\SysWOW64\zipfiaq.dll (Process: smnss.exe)
- File opened for modification C:\Windows\SysWOW64\ctfmen.exe (Process: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe)
- File created C:\Windows\SysWOW64\shervans.dll (Process: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe)
- File created C:\Windows\SysWOW64\satornas.dll (Process: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe)
- File created C:\Windows\SysWOW64\smnss.exe (Process: smnss.exe)
- File created C:\Windows\SysWOW64\ctfmen.exe (Process: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe)
- File created C:\Windows\SysWOW64\grcopy.dll (Process: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe)
Drops file in Program Files directory (64 IoCs)
description / ioc / Process: every entry is "File opened for modification" by smnss.exe on the following paths:
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml
- C:\Program Files\7-Zip\Lang\an.txt
- C:\Program Files\7-Zip\Lang\ast.txt
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml
- C:\Program Files\7-Zip\Lang\ba.txt
- C:\Program Files\7-Zip\Lang\he.txt
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml
- C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml
- C:\Program Files\7-Zip\Lang\eo.txt
- C:\Program Files\7-Zip\Lang\ug.txt
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml
- C:\Program Files\7-Zip\Lang\cs.txt
- C:\Program Files\7-Zip\Lang\ext.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml
- C:\Program Files\7-Zip\Lang\co.txt
- C:\Program Files\7-Zip\Lang\ms.txt
- C:\Program Files\7-Zip\Lang\vi.txt
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml
- C:\Program Files\7-Zip\Lang\uz-cyrl.txt
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml
- C:\Program Files\7-Zip\Lang\sr-spl.txt
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml
- C:\Program Files\7-Zip\Lang\sw.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml
- C:\Program Files\7-Zip\Lang\tk.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-explorer.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml
- C:\Program Files\7-Zip\Lang\io.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml
Program crash (1 IoC)
pid / pid_target / Process / procid_target:
- 2008 / 2608 / WerFault.exe / 29
Modifies registry class (6 IoCs)
description / ioc / Process:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 (Process: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node (Process: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID (Process: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} (Process: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" (Process: 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" (Process: smnss.exe)
Suspicious use of AdjustPrivilegeToken (1 IoC)
description / pid / Process:
- Token: SeDebugPrivilege / 2608 / smnss.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description / pid / Process / procid_target:
- PID 2744 wrote to memory of 2556 / 2744 / 805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe / 28 (4 entries)
- PID 2556 wrote to memory of 2608 / 2556 / ctfmen.exe / 29 (4 entries)
- PID 2608 wrote to memory of 2008 / 2608 / smnss.exe / 32 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe (depth 1, PID 2744)
  Command line: "C:\Users\Admin\AppData\Local\Temp\805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ctfmen.exe (depth 2, PID 2556)
    Command line: ctfmen.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\smnss.exe (depth 3, PID 2608)
      Command line: C:\Windows\system32\smnss.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe (depth 4, PID 2008)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 1016
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 183B
  MD5: 8c67ad807042da392016c94f7db67188
  SHA1: 65c1e6eaf6e35b31bffb892aaedb6c4f536ac5f2
  SHA256: 8b94907e90006723c9690427294342c981652a8bd6024be333acb92eb5f6c4b1
  SHA512: a1c1c8b06accd43cb2c76fe79ff775b5530705394d901c2eb38e58a222116e5b8efcfc39b40b586e4211c13738628c284ec9a6e18c545827fe7e884db08e28a5
- Filesize: 352KB
  MD5: 699665e745b31a8111e7216a9802130d
  SHA1: 26a23c6c27ec86f6761eff11b0e6eefc9368d5e8
  SHA256: 1d32a24b14fb4d82559fe8c0e1754bb81d619525897bd8d1fc31275357f96881
  SHA512: 80af476d9470daf722387438f8b7a4c558bcda4a4d54de6ba50b6ad55fd80ef0419120e4362c93c2b41584fe6cfdf0efa413de4e9aa8380440e037044a87673b
- Filesize: 4KB
  MD5: 3cac9e93aaf34a366eeab1dcf7b36296
  SHA1: b611c942ea5137e156890e23b63723f810678a4a
  SHA256: 62df693a355eb2db747ba85f463c06df6c6f3c058bc89c07f06503ed42dc3671
  SHA512: 149dac2ee79c07f78a41c13978e65883dcd43b393ddffd7b7586d03d39a93845b24de9dc35136759babd06fa6e5499981308d9e082d94b850325f00a758a5e71
- Filesize: 8KB
  MD5: 487a6032a345393001a4afd5ad3aa875
  SHA1: 4d378118802b7f24c9634b9b0c8f8fbe4462f6d2
  SHA256: caef47cf219c07023db30a661b42aed6e5ffa047b64ed8979120a1c43f0d82ae
  SHA512: b02abdf407fca3abb72173ed69851bd074f250c62bceaaf4adc17369ac03037246191c5121e62882661e3242a4f36d024f629c8478ea274c787e331ffdfa7fa5