Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    102s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/07/2024, 22:45

General

  • Target

    1c658cf720eb3d7cde0ba1d5e631f510N.exe

  • Size

    75KB

  • MD5

    1c658cf720eb3d7cde0ba1d5e631f510

  • SHA1

    dc5ac3d4f6d76d9c2fd1302363ff7c91780c9e4f

  • SHA256

    fdcbe2bcb080aab88ab953a637f13ee45489ddb9cf8d4858fc3116bd6722ba51

  • SHA512

    e7cb4a3cd30266b9948ce95f8664917dcc4ef4c2e6c2345d93e5445053bfc3a9ee7d685dd3c38a8a4647f9fead522c725f5e81b5ff72c625e98bf53c1c7b9666

  • SSDEEP

    1536:Ax1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3v:oOjWuyt0ZsqsXOKofHfHTXQLzgvnzHP3

Score
7/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c658cf720eb3d7cde0ba1d5e631f510N.exe
    "C:\Users\Admin\AppData\Local\Temp\1c658cf720eb3d7cde0ba1d5e631f510N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:816
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2912
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1480
          4⤵
          • Program crash
          PID:4296
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2912 -ip 2912
    1⤵
      PID:1256

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\ctfmen.exe

      Filesize

      4KB

      MD5

      2ab39f999af0c84dc21f197068d8ea58

      SHA1

      938a8c6fb9ae99a143c0d0d909f2a546554d0781

      SHA256

      d45639d9aa4b19703f44344b367bf4eca098f6250d9f4be08934be5922e90c94

      SHA512

      e424f17afbc28247615ce23e811341114ab9ed416a06a276023cc8d2d18de69377864c30926094dd81d23b6b8ec063fab71f302d290e55b15805af4c61abb6bd

    • C:\Windows\SysWOW64\grcopy.dll

      Filesize

      75KB

      MD5

      ea9953c57ae2c967464cb9311ed488a0

      SHA1

      b69f43fa9b37918c92eafbb68816a1538430dc68

      SHA256

      fad8c4f3d5b69e8e7d7fc4a3d3f71f718107c68f1de5b9197e577954487873cf

      SHA512

      48c310b496749b4e17d442a148e5b2897b7154e8591a6775677cee901c48d153b938401b037491ba69b2a7168627ad9fba4596d3bed52a441090d6aed92cb4c0

    • C:\Windows\SysWOW64\satornas.dll

      Filesize

      183B

      MD5

      51dbe226daf2f9f1b0861d966abbcebd

      SHA1

      b8d8a697629fa6c59d91c069c97b52ff1bb5c92e

      SHA256

      a17abe61d4c59ffae91e2181504703fdcb53d5a7a7594109f4be60620b673385

      SHA512

      f0b10f15faa225e2c57147c8507a4868eef79036cff92ba18143df9e172ae2029e1336d5b864dd39c3cee1b22c80bf262c74b0650e7a5867f4b6bc91360d26eb

    • C:\Windows\SysWOW64\shervans.dll

      Filesize

      8KB

      MD5

      dc64f2ac9bb1e8b49937f2df1ec2e77d

      SHA1

      b2825930353f5080a19752d663c683ec48c37488

      SHA256

      932f8f9e76c9a8fb1addbe4ad35d7c4685f01a9dabc3855c2d1b830096e65bdd

      SHA512

      60c7700d6efab1f7a9a5d080be9eb432be585a8a1b4d52acdbc99d9df770f2c317c5fd7fd5a8ffbc56adf59d72b79ca17bca1f96b4488283fdcce18ca9bbcbe2

    • memory/816-26-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/2488-17-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/2488-22-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/2488-20-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

    • memory/2912-35-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/2912-36-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB