Site notice: Windows 7 sandbox images will be removed from tria.ge on 2025-03-31.
Analysis
- max time kernel: 144s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 28/05/2024, 15:51
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: virussign.com_c6ff1ce00a5e6484de89d9d090ba0da0.exe
  Resource: win7-20240220-en
- Behavioral task: behavioral2
  Sample: virussign.com_c6ff1ce00a5e6484de89d9d090ba0da0.exe
  Resource: win10v2004-20240226-en
The signatures, process tree and dropped files below are from the Windows 7 run (behavioral1, windows7_x64); the Windows 10 run (behavioral2) is not rendered on this page.
General
- Target: virussign.com_c6ff1ce00a5e6484de89d9d090ba0da0.exe
- Size: 75KB
- MD5: c6ff1ce00a5e6484de89d9d090ba0da0
- SHA1: 52a67cb5a09fc9a2fd9116b760c4a1feeb5d48cd
- SHA256: b976782c527a56edc4a8aa79c9ec2cdf3159d0336926643e78f6a1c45dbe7040
- SHA512: c3daffbc7edd623acf6d8b09c55695d880ed401b23dc263fad2e2cdc6f92593c8d4ae5e30d119a733a64156559bd8e38f0c3f8c4d11ab4070ea6beac282412bf
- SSDEEP: 1536:1x1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3s:fOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPE
Malware Config
(empty in this report: no configuration was extracted)
Signatures
Each signature is listed with its indicators (IoCs) from the Windows 7 run. The acting process is given after each indicator; "sample" is short for virussign.com_c6ff1ce00a5e6484de89d9d090ba0da0.exe (PID 2552).
- ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects a file packed with ACProtect software.
  YARA rule "acprotect" matched resource behavioral1/files/0x0030000000014f57-9.dat, a file collected from the run rather than the submitted sample.
- Executes dropped EXE (2 IoCs)
  PID 2520 ctfmen.exe
  PID 2528 smnss.exe
- Loads dropped DLL (9 IoCs)
  PID 2552 sample (3 loads)
  PID 2520 ctfmen.exe (2 loads)
  PID 2528 smnss.exe (1 load)
  PID 2112 WerFault.exe (3 loads)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\Windows\system32\ctfmen.exe"
    written by the sample, and again by smnss.exe
  Note: the value points at C:\Windows\system32, yet the file was written to C:\Windows\SysWOW64 (see "Drops file in System32 directory"). On 64-bit Windows a 32-bit process that writes to system32 is redirected to SysWOW64 by WOW64 file system redirection, and its HKLM\SOFTWARE writes land under Wow6432Node for the same reason. The dropped name ctfmen.exe is one letter away from the legitimate ctfmon.exe.
- Maps connected drives based on registry (3 TTPs, 6 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1
    each performed by the sample, and again by smnss.exe
  These are reads only; they leave no artifact on the host and are only visible through process-level telemetry.
- Drops file in System32 directory (12 IoCs)
  All paths are under C:\Windows\SysWOW64:
  ctfmen.exe: created, then opened for modification (sample)
  smnss.exe: created (sample); created again (smnss.exe)
  shervans.dll: created, then opened for modification (sample)
  grcopy.dll: created, then opened for modification (sample)
  satornas.dll: created, then opened for modification (sample)
  zipfi.dll: created (smnss.exe)
  zipfiaq.dll: created (smnss.exe)
- Drops file in Program Files directory (64 IoCs)
  All 64 entries are "File opened for modification" by smnss.exe. The targets are text, HTML and XML files rather than executables. Grouped by directory:
  C:\Program Files\7-Zip\Lang\ (35 files): an.txt, ar.txt, ast.txt, bg.txt, bn.txt, ca.txt, da.txt, el.txt, eo.txt, et.txt, fi.txt, gl.txt, he.txt, hu.txt, hy.txt, is.txt, ja.txt, ka.txt, kab.txt, ku.txt, ky.txt, lij.txt, lt.txt, mn.txt, ms.txt, pl.txt, ps.txt, ro.txt, si.txt, sr-spc.txt, sv.txt, uk.txt, uz-cyrl.txt, vi.txt, zh-cn.txt
  C:\Program Files\Common Files\Microsoft Shared\Stationery\ (5 files): Garden.htm, Hand Prints.htm, Peacock.htm, Roses.htm, Soft Blue.htm
  C:\Program Files\Common Files\Microsoft Shared\ink\ (11 files): Content.xml, ipscat.xml, ipschs.xml, ipsdan.xml, ipsdeu.xml, ipsesp.xml, ipsita.xml, ipskor.xml, ipsnor.xml, ipsptb.xml, ipsrom.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\ (11 files): oskmenu.xml, web.xml, main\base_altgr.xml, main\base_ca.xml, main\base_kor.xml, main\baseAltGr_rtl.xml, main\ko-kr.xml, main\zh-changjei.xml, oskmenu\oskmenubase.xml, oskpred\oskpredbase.xml, symbols\symbase.xml
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\ (1 file): jvm.hprof.txt
  C:\Program Files\Internet Explorer\ (1 file): Timeline.cpu.xml
- Program crash (1 IoC)
  WerFault.exe (PID 2112) handled a crash of PID 2528, smnss.exe (procid_target 29).
  Note: the deepest process in the tree crashed inside the sandbox, so the behaviour recorded for smnss.exe may be incomplete.
- Modifies registry class (6 IoCs)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node (sample)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID (sample)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} (sample)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 (sample)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\(default) = "C:\Windows\SysWow64\shervans.dll" (sample, and again by smnss.exe)
  Note: this registers the dropped shervans.dll as the 32-bit in-process server for that CLSID, so any 32-bit process that instantiates the class loads the DLL (COM registration/hijacking as an execution and persistence path). The "Loads dropped DLL" hits on the 32-bit WerFault.exe below are consistent with this.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege enabled by PID 2528 smnss.exe
  SeDebugPrivilege is what a process enables before opening other processes it does not own; the only cross-process write recorded for smnss.exe is to its own child WerFault.exe.
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2552 (sample) wrote to memory of PID 2520 (ctfmen.exe), procid_target 28: reported 4 times
  PID 2520 (ctfmen.exe) wrote to memory of PID 2528 (smnss.exe), procid_target 29: reported 4 times
  PID 2528 (smnss.exe) wrote to memory of PID 2112 (WerFault.exe), procid_target 30: reported 4 times
  Each write goes from a parent to the child it has just launched (see the process tree below).
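The persistent artifacts in the signatures above (the Run value, the CLSID InprocServer32 value and the seven dropped files in SysWOW64) can be checked for on a live host. The script below is an added example, not part of the tria.ge report and not code from the sample: paths, value names, the CLSID and the SHA256 values are taken from this page, while the function names, the $DroppedNames/$KnownSha256 layout and the choice to also check the native (non-Wow6432Node) keys and System32 are this example's own assumptions. Run it from a 64-bit, elevated PowerShell; a 32-bit PowerShell would itself be subject to the same WOW64 registry and file redirection the notes above describe.

```powershell
# Added host-triage check for the indicators in this tria.ge report.
# Not the report's own code. Assumes 64-bit elevated PowerShell.

$ErrorActionPreference = 'SilentlyContinue'

# File names from "Drops file in System32 directory".
$DroppedNames = @(
    'ctfmen.exe', 'smnss.exe', 'shervans.dll', 'grcopy.dll',
    'satornas.dll', 'zipfi.dll', 'zipfiaq.dll'
)

# SHA256 of the submitted sample plus the four files in "Downloads".
$KnownSha256 = @(
    'b976782c527a56edc4a8aa79c9ec2cdf3159d0336926643e78f6a1c45dbe7040',
    '67bf3eebf9e46f688bc223ebc6ef78d561ce83ff71eb647cb77430ab6e621145',
    '5c33a9bf8a9a7b1829c0b44249012fcfed7283cd6dfabe197b0f1c93c0e72176',
    'ca16902ae47b91e516033cc241fd5f5996f8cc91612c46769f1340a24707e0ba',
    '2f9d867fb7adc207445b3c64497d2bd6173a0e656a77c947ab7b4ae1d815eb0b'
)

# CLSID whose 32-bit InprocServer32 was pointed at shervans.dll.
$Clsid = '{E6FB5E20-DE35-11CF-9C87-00AA005127ED}'

function Test-DroppedFiles {
    # The report shows writes landing in SysWOW64 via redirection; a 64-bit
    # variant of the same dropper would write to System32, so check both.
    $hits = @()
    foreach ($dir in "$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32") {
        foreach ($name in $DroppedNames) {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path) {
                $sha = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
                $hits += [pscustomobject]@{
                    Path      = $path
                    SHA256    = $sha
                    KnownHash = ($KnownSha256 -contains $sha)   # name match alone is weaker evidence
                }
            }
        }
    }
    return $hits
}

function Test-RunKey {
    # Value name "ctfmen" from "Adds Run key to start application".
    $keys = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        $v = Get-ItemProperty -Path $key -Name 'ctfmen'
        if ($v) { [pscustomobject]@{ Key = $key; ctfmen = $v.ctfmen } }
    }
}

function Test-ComServer {
    # InprocServer32 under Wow6432Node is what 32-bit COM clients load.
    $keys = "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid\InprocServer32",
            "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
    foreach ($key in $keys) {
        $v = Get-ItemProperty -Path $key
        if ($v) {
            $server = $v.'(default)'
            [pscustomobject]@{
                Key        = $key
                Server     = $server
                Suspicious = ($server -match 'shervans\.dll$')
            }
        }
    }
}

'== Dropped files (SysWOW64 / System32) =='
Test-DroppedFiles | Format-Table -AutoSize
'== Run value "ctfmen" =='
Test-RunKey | Format-List
"== CLSID $Clsid InprocServer32 =="
Test-ComServer | Format-List
```

A file-name hit without a hash match is still worth pulling for analysis, since a rebuilt dropper would keep the names and change the bytes. The registry reads of Disk\Enum and the SeDebugPrivilege adjustment leave nothing to find this way; for those you need process-level telemetry such as Sysmon file-create (event ID 11) and registry value-set (event ID 13) records around a process launched from SysWOW64\ctfmen.exe.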
Processes
- C:\Users\Admin\AppData\Local\Temp\virussign.com_c6ff1ce00a5e6484de89d9d090ba0da0.exe (PID 2552)
  command line: "C:\Users\Admin\AppData\Local\Temp\virussign.com_c6ff1ce00a5e6484de89d9d090ba0da0.exe"
  signatures: Loads dropped DLL; Adds Run key to start application; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ctfmen.exe (PID 2520, child of 2552)
    command line: ctfmen.exe (launched by bare file name)
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\smnss.exe (PID 2528, child of 2520)
      command line: C:\Windows\system32\smnss.exe (the system32 path in the command line resolves to SysWOW64 for this 32-bit process)
      signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Maps connected drives based on registry; Drops file in System32 directory; Drops file in Program Files directory; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe (PID 2112, child of 2528)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 768
        signatures: Loads dropped DLL; Program crash
Network
(no entries shown for this run)
MITRE ATT&CK Enterprise v15
(the technique mapping behind the "TTPs" counts in the signatures is not rendered on this page)
Downloads
Four files collected from the run (file names are not shown on this page):
- 183B
  MD5: 386eba42ff4ef8c6bf5235b3ce14e364
  SHA1: 387497bee4afd0c4879fd30da4a5426b2d38131d
  SHA256: 67bf3eebf9e46f688bc223ebc6ef78d561ce83ff71eb647cb77430ab6e621145
  SHA512: c2f57f36fac1150a8ce0e4792195dfb0d3cd207fb1e28997784e215599bfdb3fd23aa022847c31c55ad525ef7744538fe546c8ccdec48fb3e12f499f3480d80f
- 75KB (same size as the submitted sample, different hashes)
  MD5: b95bcdecce0e7c3a765cc48dc1d375f8
  SHA1: 65e7c2b2c8a03199039067dda1fc06d214f6fa1e
  SHA256: 5c33a9bf8a9a7b1829c0b44249012fcfed7283cd6dfabe197b0f1c93c0e72176
  SHA512: 75bbe97e1f4611878de65597071a1f1d59407689bc6c17aee7656e61578f4e97d107fd8b8c12b1b38ac08e1c9507a001f53d833944704219a5f057beaf781031
- 4KB
  MD5: f0d35a90e22915c80ce32e680794e9d9
  SHA1: 45151e26001a7825879ba1b35b54793b5fa80a3d
  SHA256: ca16902ae47b91e516033cc241fd5f5996f8cc91612c46769f1340a24707e0ba
  SHA512: 12b70327cc8e9b542a3e02adfb379f070a4a925301908d270d13d3bb08c47e81f2dfe03cc20cd265157a1f4d35c6ea96d4ffa7c085fb5993538d939c8889e8c0
- 8KB
  MD5: 09c245fde9cb1536e15a258ad8772e53
  SHA1: 7e952fd598c2bd65be1e6bf447b44ab12c1d8438
  SHA256: 2f9d867fb7adc207445b3c64497d2bd6173a0e656a77c947ab7b4ae1d815eb0b
  SHA512: da5104bbf09012f84c4abeef67027b576b08e189dd261ea78b12c35348f46363753f5348f36e552f4272cda24b5f81d6ac9e89782d936bca2d8e44c9e303aeb6