Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/07/2024, 22:29

General

  • Target

    0d77ea9dd53903455502f78e37fa3e90N.exe

  • Size

    195KB

  • MD5

    0d77ea9dd53903455502f78e37fa3e90

  • SHA1

    f019974d5aeab7192cc74a23be5135f037a12869

  • SHA256

    bd658021859a0ce79cd12669f0b7980065240c980132dc10992fcbd132d27e5f

  • SHA512

    16f86c3bc82a6232fa7ba349a1bf52179533aacdc60775ccc27ff142b02d06851b8d1577a2512a520bc45feca6a40130fb9339d00bc64d95241617b9df6fcb3c

  • SSDEEP

    6144:xIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCyOW:IKofHfHTXQLzgvnzHPowYbvrjD/L7QPo

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d77ea9dd53903455502f78e37fa3e90N.exe
    "C:\Users\Admin\AppData\Local\Temp\0d77ea9dd53903455502f78e37fa3e90N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2808

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\satornas.dll

    Filesize

    183B

    MD5

    6fd5de0fbc8f39d8b78b5f141b9e6dc7

    SHA1

    1c17dc2abee0b4eb26bc379936bf1efb271557d6

    SHA256

    af0d78949f586ac30811d3a773e9311937d3cd6f0b18689357f0aeb960a88ced

    SHA512

    f5761848dcc83b85bd4aa91a65c0704c4a0046645a9216b9a86c01443633ee4ec85585f9ac70d1e0ff08a8f690db72b0b78c28e5bd58d12b6d531824a559b092

  • \Windows\SysWOW64\ctfmen.exe

    Filesize

    4KB

    MD5

    64478dd8fb3e95b4bc8afe94e07bbb06

    SHA1

    78e0fd3fd3188dbfaab679eac732f64f309a8065

    SHA256

    5d70afc238ecbaee49914b94ad3b1bf377a3a7ef528085f932a32bb2ba6ff784

    SHA512

    dd47fa2c68fb3a7228dd776b8a5ae40bd0660c4cd84fe797338a05f8b84c46f43dd7834df77c52851289af413e44cc97085599f0b48b189baecbcfd3f28f72f0

  • \Windows\SysWOW64\shervans.dll

    Filesize

    8KB

    MD5

    a56ec310e11be5376fc7d3df0f29c831

    SHA1

    b6de8866ee6337fe5804ec431b9b453bbf2132b6

    SHA256

    b6cd65ae3bd91bcb60168f1aae11a2d8c34d3cff952d96d118bb35613ed21400

    SHA512

    61d1d29e958102643eaf3addc7112f31fb214cf046c3e68a3687fb5aa0de4c83adb53f761a86e3a6db05a9e53b731012711af2933afa5d0199458c6c4f562910

  • \Windows\SysWOW64\smnss.exe

    Filesize

    195KB

    MD5

    79a16f6d61f92cd046ffd0cb95cfc601

    SHA1

    9891ba971777c1356ab711b7923e3e1dd94574fd

    SHA256

    56b1037ced3e46cf0173e042d8099fd0b3a93b4db276ca6f2903de5baa4971ed

    SHA512

    479becfd26b2e58d7142f452e1258314db1d4522281f9d078d0c8afbc7857e1af1cdca1a80bcd77ea6b9e36d6248fc168af13b6bbd7f464a562205a2f1ec64e2

  • memory/2396-12-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2396-0-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2396-27-0x0000000000340000-0x0000000000349000-memory.dmp

    Filesize

    36KB

  • memory/2396-26-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2396-25-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2396-44-0x0000000000340000-0x0000000000349000-memory.dmp

    Filesize

    36KB

  • memory/2760-28-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2760-31-0x0000000000320000-0x0000000000359000-memory.dmp

    Filesize

    228KB

  • memory/2808-35-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2808-42-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2808-43-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2808-46-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB