Analysis

  • max time kernel: 149s
  • max time network: 150s
  • platform: windows7_x64
  • resource: win7-20240704-en
  • resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted: 06/07/2024, 02:19

General

  • Target: bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
  • Size: 195KB
  • MD5: 28adad392a7893b3353722630c9d3d6d
  • SHA1: 685951f18dc6ac11fa98474585d1cef32d535602
  • SHA256: bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94
  • SHA512: 48ea8b190dd57100f8282001f2f821093a346c2b354c2fd9144189ed7f3f13af8843b1b4a8cb61c7ea8237af3556a75a39c3eabaf4a58df81d774dd5a34c07cf
  • SSDEEP: 6144:/Is9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCyOW:KKofHfHTXQLzgvnzHPowYbvrjD/L7QPo

Malware Config

Signatures

  • Drops file in Drivers directory (1 IoC)
  • ACProtect 1.3x - 1.4x DLL software (1 IoC)

    Detects file using ACProtect software.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates connected drives (3 TTPs, 19 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry (3 TTPs, 6 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory (64 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (64 IoCs)
  • Modifies registry class (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
    "C:\Users\Admin\AppData\Local\Temp\bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:852

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\satornas.dll
    Filesize: 183B
    MD5: 92adf4de95fa4c16191e7d02243bb014
    SHA1: 5967e0b3e3f28c6432b3aadf56db214cfa1e171c
    SHA256: 26a6f15ae6078f1a646946b79772d680a73dc0861bb594d84f479ac24585ee98
    SHA512: d3c7d3b276c0aa38449c1c1367761432c6e09fc0a152812e7759948bb4a5eb14a11c7df3e3c23edd840e41b015e82f592fd14a16af46717d75a4d0adbbf1f5ee

  • \Windows\SysWOW64\ctfmen.exe
    Filesize: 4KB
    MD5: 971bf6cdeb3daa85bbb0e0a38951066a
    SHA1: c0a4e9f7a036c8f06ffaacb23b718e1ae4f6e3fd
    SHA256: 19e199a6707f7296b17899e98674fcaf1395552597c40d4a6ecef1cfb9233af3
    SHA512: 0377457710f7480e9e9a189bea33fc837cdb4a3bc6f76aa76ac1cf565e471730ba910b572f185ad6728a673d18dea7647d87bddf4a988cceae00259bda313bfc

  • \Windows\SysWOW64\shervans.dll
    Filesize: 8KB
    MD5: 20f349922e1884e0f66a80dd5ecb0935
    SHA1: 1bbdbb2e3a87e0771759ccc12d446d8f05e922be
    SHA256: 1d1ef69ea915143a6e8f90e234f7178181206a4779b38508c4667655a2fb38f8
    SHA512: 89f68bb1d87d76c970be7a943e19b9de8bcd6f6b5e31825f7735b59643f0284c8aebd727fc4834f24f209daac341e31c613b926b61cc319228e5ffb99be0544d

  • \Windows\SysWOW64\smnss.exe
    Filesize: 195KB
    MD5: 0fce4633a76dc7b86ad8265b9fc451e5
    SHA1: ef1c2caddae27de78635d55cfe2f07d5663d2ba7
    SHA256: 02703704a07b62d5cf8537d2d0381ac3e587d2344f0ab9a2419b246cd300c0df
    SHA512: 4e68792177a51c19724fe158eb13dae4a7a0ee09de5a88fe3ad8d999ec6aa9a0e4a71690a3170ad47ed83a617cd15d804610c25f63d912c415b72024531de52b

  • memory/852-47-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
  • memory/852-43-0x0000000010000000-0x000000001000D000-memory.dmp (Filesize: 52KB)
  • memory/852-36-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
  • memory/1828-25-0x00000000006D0000-0x00000000006D9000-memory.dmp (Filesize: 36KB)
  • memory/1828-0-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
  • memory/1828-26-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
  • memory/1828-27-0x00000000006D0000-0x00000000006D9000-memory.dmp (Filesize: 36KB)
  • memory/1828-28-0x0000000010000000-0x000000001000D000-memory.dmp (Filesize: 52KB)
  • memory/1828-16-0x0000000010000000-0x000000001000D000-memory.dmp (Filesize: 52KB)
  • memory/2352-34-0x0000000000320000-0x0000000000359000-memory.dmp (Filesize: 228KB)
  • memory/2352-29-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
  • memory/2352-45-0x0000000000320000-0x0000000000359000-memory.dmp (Filesize: 228KB)