Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/05/2024, 19:12

General

  • Target

    1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe

  • Size

    120KB

  • MD5

    80d5bd632ae012d76536279fd467d87e

  • SHA1

    d2007ae0a2232adb673ec872546b334018258d8d

  • SHA256

    1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2

  • SHA512

    2a568fc7a6572b24fd8a1af288e3efcac60fffcb6ac6508da1c1eef3b639d0232da7f0e843b9a551154b87be53870907db0b5e7d2d65ff87149fdd7a080c5d02

  • SSDEEP

    3072:WOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:WIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 12 IoCs
  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
    "C:\Users\Admin\AppData\Local\Temp\1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:1792
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:3088

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Windows\SysWOW64\ctfmen.exe

      Filesize

      4KB

      MD5

      9cfbe2c5be0f4934f0f6879490287c5f

      SHA1

      0440c40ee24a1b107ec4a2d72335c9b07d4bf34c

      SHA256

      717908395edf1a3591eb49ddd1eeaf9371c69f3c83e04fd37027f566535b8e92

      SHA512

      b3509ebbb8175f6902d1624b09cf52c740e4efb180b2e8b5c5c2d42891bae026ef4c51cb7db81bd88971ed09a343b8d8ca8a4c0051a41601da6ebf3cd8222a0b

    • C:\Windows\SysWOW64\grcopy.dll

      Filesize

      120KB

      MD5

      bd4e86bf268f3b5954e8f2c4e2b81589

      SHA1

      8f278812f8ae7564686794060e835df63de4911e

      SHA256

      edcedb73fd4d64c90265e00e3fa9288032d6f7ed3cae365c3f79cf8bad7af102

      SHA512

      7bc5c0b86b0c6d89450406e55c600f9465385976fe01bbd1cd2635e0c5e622987698afe38aa603f2cfde98ccc46792b00ddc64c000c3fed3b21bf4f396b1273a

    • C:\Windows\SysWOW64\satornas.dll

      Filesize

      183B

      MD5

      83fe128e6ef5640497264c4f0c8ca4f1

      SHA1

      7ef9094c1b9de6028d61bc0445e14da2cc3c51bf

      SHA256

      611050d620c4871911b375be2c73e586c9f9238f20839a6a55db56b09f5afcce

      SHA512

      16a117e9407f54548dc453c966c98653107c356e86f3512508f7933c6b4af4082ad05fccb1c5cddda07e488bec815edc27d5144e203075adb494aee3b072d326

    • C:\Windows\SysWOW64\shervans.dll

      Filesize

      8KB

      MD5

      fc9079609b603a6bda429303ef5fd2ef

      SHA1

      eeb4044667aec68ed201b009770d4a90e80be591

      SHA256

      42159ae828d85d22d08f291ea3d05e3e68c5fe14550a0627f8d44bf4859ec5dc

      SHA512

      adea73a580aaa7c263f0ba5e1f6e781a86be1646a08192f49f23a787f7e7bb5aeea67da5d4a6cda4949bba269f1af9282226052793d6c3292e4fab34abea6bd6

    • memory/1792-28-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/1792-38-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/1792-41-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/2116-0-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/2116-31-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/2116-30-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/2116-12-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/2756-21-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/2756-27-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB