Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    116s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    20/07/2024, 22:45

General

  • Target

    1c658cf720eb3d7cde0ba1d5e631f510N.exe

  • Size

    75KB

  • MD5

    1c658cf720eb3d7cde0ba1d5e631f510

  • SHA1

    dc5ac3d4f6d76d9c2fd1302363ff7c91780c9e4f

  • SHA256

    fdcbe2bcb080aab88ab953a637f13ee45489ddb9cf8d4858fc3116bd6722ba51

  • SHA512

    e7cb4a3cd30266b9948ce95f8664917dcc4ef4c2e6c2345d93e5445053bfc3a9ee7d685dd3c38a8a4647f9fead522c725f5e81b5ff72c625e98bf53c1c7b9666

  • SSDEEP

    1536:Ax1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3v:oOjWuyt0ZsqsXOKofHfHTXQLzgvnzHP3

Score
7/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c658cf720eb3d7cde0ba1d5e631f510N.exe
    "C:\Users\Admin\AppData\Local\Temp\1c658cf720eb3d7cde0ba1d5e631f510N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 828
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1100

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\satornas.dll

    Filesize

    183B

    MD5

    0b32ec0aeca45c0321bc6abef7e9532a

    SHA1

    9836a512b0ecee5538ea0460f662b9dc0e5e70b8

    SHA256

    957e5d8d457ffff13e075f1f54f05744fcf5d90588028e37f5ca6944ff9c1638

    SHA512

    d44d1b969ec1417f8b6ca768eae4fa6659a1e2b07fcb206a3e7997522430b2df5a9da965b96975561d76352f495d2e7fc53ead618ce072a3a377c3aeddd8c000

  • C:\Windows\SysWOW64\smnss.exe

    Filesize

    75KB

    MD5

    a2d448c1faa36fae890b1f95c57df1cd

    SHA1

    ac46bf4f5b9f2d20cd757bff21d9c2b83a580dc4

    SHA256

    a01011b58958b4f4f640bf081bbe21ce8691ac2f1913be396d7fcd81514ba355

    SHA512

    752edcd9b52fa05f26ea8602b963eff92fa9f9683e458781ebcdf9391a3559687da0562474c1a672cde504d023bbfb330eed0ccfac42e206aefe5029393e86c5

  • \Windows\SysWOW64\ctfmen.exe

    Filesize

    4KB

    MD5

    8df7ade1cdfc85b8e971caebbad7bdfa

    SHA1

    10994bc42293f7b6873a15e3d9240795a0d03f03

    SHA256

    87e50d6cdad7723049ed5e3ba729cc1b5cf7a34084ce701b4eebca438bade936

    SHA512

    fa596855a4456b53ce4ceca360a651fb2f82738196e4d98e578dc76ca9488e4f16b2de2e08d95d9ae5737aadf1bf041a338c2f965322f2512c96c5cae1960b08

  • \Windows\SysWOW64\shervans.dll

    Filesize

    8KB

    MD5

    614060d1694caa7e10c8f4a3c746912d

    SHA1

    2ba2b75c8f6846f150df4b588c18b069e2dc8ced

    SHA256

    752e11ec0c033db0cf3bc1928c84cfd60a2a5e73c81fce4359adf2c9138d818a

    SHA512

    c103573b43a753b9ab5ac1b115f80c9e14510d5fca7eec85e54a825f0340805f0dd7112349fc3d49ad654d8f879a8b124b87cd54648586dbf41e1491f35cb9e4

  • memory/2636-27-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2796-39-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2796-43-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/3032-15-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/3032-18-0x0000000000340000-0x0000000000349000-memory.dmp

    Filesize

    36KB

  • memory/3032-26-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/3032-24-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB