Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
  • submitted
    05/05/2024, 01:17

General

  • Target

    805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe

  • Size

    352KB

  • MD5

    9d803a16241a6009ddd3c593d8c06bde

  • SHA1

    3231386f0d741c36cc2f83f6b383540045648824

  • SHA256

    805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45

  • SHA512

    e652d56441bece92df2a85fd8644ecff2b30ff7ba5554f4f4e651331a793fa2829ba80cf414fa77e91e1a5a130755bc1f964217c653885559c5ce729cbad2d30

  • SSDEEP

    6144:RIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCe8i:oKofHfHTXQLzgvnzHPowYbvrjD/L7QPs

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 9 IoCs
  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe
    "C:\Users\Admin\AppData\Local\Temp\805211cc2830d787e6dcf1845bf5c7da421a25cd7cf93197aaa470166b9d2b45.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:116
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4428
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:1168

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\ctfmen.exe

    Filesize

    4KB

    MD5

    d052bdc785db2a237e1846d83ce91bb2

    SHA1

    614a35a4aaff086cffaf1b71cb90099cb7ad2f2d

    SHA256

    d1a27a142ca33698930615e952e05ec59758e4ff3b4554b58030e3ca67536c29

    SHA512

    1972c8bf832dcb47442c8a4a0894118cb77c75b57cc284cb03acf51608acaf095a60390f02c4633d052e4beb4ee52300f58628352ea9ed1b72eb2a46c9558cd2

  • C:\Windows\SysWOW64\grcopy.dll

    Filesize

    352KB

    MD5

    26003b39f2444155a1c600cfed561852

    SHA1

    4ed00aebf157c08625485a86cdfb255cfedcbaa0

    SHA256

    b7553eb9d947b00f80b8495146fff67e3369d5bd50581d8ca621308c1c022ba3

    SHA512

    3ed58b694dee9d582101cec94076ad90618449af1e37fa6caf08e57f9da7d9b34f77db3252aa820c04b0435936bf84bf9c7da5e438b21597602fca17b0fcfe89

  • C:\Windows\SysWOW64\satornas.dll

    Filesize

    183B

    MD5

    3c7f05ae70e8f86e05feea95a4e641bb

    SHA1

    e4b179d31bbc3b511996291b925fbb90ce3d7660

    SHA256

    7d365697723123ff9907c182f97b20c27190fb22655bc9a6fadd3b8d650c749a

    SHA512

    0b71ba33d73576631e48ed455295cf747780e1d6853d9438348b8bfb686b055b97b3ad3b7ae98705ca7def00a4195c8c76f120dac4e5a2b97d8d80f1f1aefdc2

  • C:\Windows\SysWOW64\shervans.dll

    Filesize

    8KB

    MD5

    b8003b6ba27605bcb31e9a4c9cf2b087

    SHA1

    3a6270fe684908d41d81df6d5019d6cd77adafcf

    SHA256

    f20e4fa05edd83700ea855619d331f76a45296616a8240046526803574c71b54

    SHA512

    079406ce88d0f7da9986b25a702b126aa1207e7eed350f952d3664e90bb17752007349f03930ba2a33b8af7ed4bd724f3171e91b3f05d6bcad3bf47414dd2019

  • memory/116-23-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/116-21-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/116-0-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/116-18-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/1168-30-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/1168-37-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/1168-40-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/4428-24-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4428-28-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB