Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/07/2024, 22:29

General

  • Target

    0d77ea9dd53903455502f78e37fa3e90N.exe

  • Size

    195KB

  • MD5

    0d77ea9dd53903455502f78e37fa3e90

  • SHA1

    f019974d5aeab7192cc74a23be5135f037a12869

  • SHA256

    bd658021859a0ce79cd12669f0b7980065240c980132dc10992fcbd132d27e5f

  • SHA512

    16f86c3bc82a6232fa7ba349a1bf52179533aacdc60775ccc27ff142b02d06851b8d1577a2512a520bc45feca6a40130fb9339d00bc64d95241617b9df6fcb3c

  • SSDEEP

    6144:xIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCyOW:IKofHfHTXQLzgvnzHPowYbvrjD/L7QPo

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d77ea9dd53903455502f78e37fa3e90N.exe
    "C:\Users\Admin\AppData\Local\Temp\0d77ea9dd53903455502f78e37fa3e90N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4608
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:1308

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\ctfmen.exe

    Filesize

    4KB

    MD5

    32dec6837c96ddb5b343fb9cfce69789

    SHA1

    c7c6f2181f936beb9fdadfd9bc2d3f7ab6725c4f

    SHA256

    d9a66dda95620d7bb67f8bc70a1f5a487fe63461e548dcd1aca6e60b1d5bdb0b

    SHA512

    7f168ef5958132be35a4f11e32578e227cccf4fce2a2381f8c2d53260972f10322a16f35f764d1937941b0fb0bdf4845218687ba3d30b6dc465b4899f970ca76

  • C:\Windows\SysWOW64\grcopy.dll

    Filesize

    195KB

    MD5

    ed2876b7f896088e17a156821a535fbe

    SHA1

    1a04e5787835682b7b95b8610042350d652e6c2c

    SHA256

    cfaeba0689c00f90844287a4452ef663144756d1a33164f741358040768cb6e7

    SHA512

    c711fac328260ac22aad3256456e6838a3f24529743eb77122694a1dae6e7bf4931edadd83af1b19078fa56bfb7fc76d9eccb42a7337bf2289a21adeb961e5cc

  • C:\Windows\SysWOW64\satornas.dll

    Filesize

    183B

    MD5

    2626c9d7f2235722b5ae03e7f53b2af1

    SHA1

    9d7d406f3566d70c188d6a43498ad7c8a2b6bfdb

    SHA256

    d5d51b2da44d041d69debe491de27dcf4c21888c2647a27fedab913d4fcacaf5

    SHA512

    78046a37daccda7ab33bb75ea873672122f90f4bced51d7d64989d6bd633dbf499bd205e0f9d7a5126ebac0d74c21a94666b41cf1519dc0479fe224ec48420a6

  • C:\Windows\SysWOW64\shervans.dll

    Filesize

    8KB

    MD5

    2ca4d51b5043e1d5edcb4a8892281bf2

    SHA1

    5665d12dd4541431eff6b2ff5bbc482f220e2c58

    SHA256

    82bbab96e4ec5ab11d43d5a069babea6e256400ee1c2cb6f8982e3e420c891b1

    SHA512

    b1fd792af1e8f93d489a01bcac01f014443d3b49d055702cdac1d2a80099872d1f51fc14eb04d047ae737061c6b1b01fba3d5560d1ae62b5efb372d182dfd51e

  • memory/1172-13-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/1172-24-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/1172-0-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/1172-23-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/1308-38-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/1308-31-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/1308-41-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/4608-25-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4608-29-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB