Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 144s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/08/2024, 20:38
Static task: static1
Behavioral task: behavioral1
- Sample: 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2 (the run reported on this page)
- Sample: 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
- Resource: win10v2004-20240802-en
General
- Target: 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
- Size: 120KB
- MD5: d3d850adefd3eabe87262ac075de21bc
- SHA1: 0ebd169e0f476b28c03d6d58534c894de159733e
- SHA256: 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46
- SHA512: 52a26fc785dcc68ee6b2380b9ce0459e6543cd38d6b0f819d3ed4f0b9308b93d7d2fd99446a1019eda5345329b506154f7a6acff3da4927086175a4c82386373
- SSDEEP: 3072:hOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:hIs9OKofHfHTXQLzgvnzHPowYbvrjD/E
Malware Config
Signatures

ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  resource: behavioral2/files/0x000700000002345a-10.dat
  yara_rule: acprotect

Executes dropped EXE (2 IoCs)
  PID 1096  ctfmen.exe
  PID 4680  smnss.exe

Loads dropped DLL (2 IoCs)
  PID 2104  3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
  PID 4680  smnss.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"  by 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"  by smnss.exe
  The value data names system32, but the binary was actually written to C:\Windows\SysWOW64\ctfmen.exe (see the System32 drops below and the process tree). The sample is 32-bit (resource tag arch:x86), so WOW64 redirects its System32 file writes to SysWOW64 and its HKLM\SOFTWARE registry writes to the WOW6432Node view. When hunting for this entry on a live host, check both directories and both registry views.

Maps connected drives based on registry (3 TTPs, 6 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1  by 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    by smnss.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  by smnss.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1  by smnss.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    by 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  by 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
  The Disk\Enum values are the device instance IDs of the attached disks; they carry the disk vendor and model string, which names the hypervisor on a virtual machine, so reading them is a cheap VM check.

Drops file in System32 directory (12 IoCs)
  File created                  C:\Windows\SysWOW64\smnss.exe     by 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
  File created                  C:\Windows\SysWOW64\zipfi.dll     by smnss.exe
  File created                  C:\Windows\SysWOW64\smnss.exe     by smnss.exe
  File created                  C:\Windows\SysWOW64\shervans.dll  by 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
  File opened for modification  C:\Windows\SysWOW64\shervans.dll  by 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
  File created                  C:\Windows\SysWOW64\grcopy.dll    by 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
  File opened for modification  C:\Windows\SysWOW64\grcopy.dll    by 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
  File created                  C:\Windows\SysWOW64\satornas.dll  by 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
  File opened for modification  C:\Windows\SysWOW64\satornas.dll  by 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
  File created                  C:\Windows\SysWOW64\zipfiaq.dll   by smnss.exe
  File created                  C:\Windows\SysWOW64\ctfmen.exe    by 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
  File opened for modification  C:\Windows\SysWOW64\ctfmen.exe    by 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
  All twelve land in SysWOW64 even though the Run key and the smnss.exe command line refer to system32; that is the WOW64 redirection noted above, not two separate copies.
Drops file in Program Files directory (64 IoCs)
  All 64 entries are "File opened for modification" by smnss.exe. The report lists at most 64 IoCs per signature, so treat this as a sample of the files touched rather than the complete set. These are existing 7-Zip and Microsoft ink data files being opened with write access; on an infected host compare them against a clean install rather than assuming they are intact.
  C:\Program Files\7-Zip\Lang\he.txt
  C:\Program Files\7-Zip\Lang\tt.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml
  C:\Program Files\7-Zip\Lang\az.txt
  C:\Program Files\7-Zip\Lang\eu.txt
  C:\Program Files\7-Zip\Lang\sv.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml
  C:\Program Files\7-Zip\Lang\an.txt
  C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml
  C:\Program Files\7-Zip\Lang\sr-spc.txt
  C:\Program Files\7-Zip\Lang\ms.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml
  C:\Program Files\7-Zip\Lang\ga.txt
  C:\Program Files\7-Zip\Lang\ca.txt
  C:\Program Files\7-Zip\Lang\lv.txt
  C:\Program Files\7-Zip\Lang\tk.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml
  C:\Program Files\7-Zip\Lang\ar.txt
  C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml
  C:\Program Files\7-Zip\Lang\ne.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml
  C:\Program Files\7-Zip\Lang\fr.txt
  C:\Program Files\7-Zip\Lang\ku-ckb.txt
  C:\Program Files\7-Zip\Lang\mng.txt
  C:\Program Files\7-Zip\Lang\kab.txt
  C:\Program Files\7-Zip\Lang\fa.txt
  C:\Program Files\7-Zip\Lang\hi.txt
  C:\Program Files\7-Zip\Lang\yo.txt
  C:\Program Files\BlockAdd.xml
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml
  C:\Program Files\7-Zip\Lang\da.txt
  C:\Program Files\7-Zip\Lang\mn.txt
  C:\Program Files\7-Zip\Lang\nl.txt
  C:\Program Files\7-Zip\Lang\nn.txt
  C:\Program Files\7-Zip\Lang\th.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml
  C:\Program Files\7-Zip\Lang\bg.txt
  C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt
  C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml
  C:\Program Files\7-Zip\Lang\uk.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml
  C:\Program Files\7-Zip\History.txt
  C:\Program Files\7-Zip\Lang\ug.txt
  C:\Program Files\7-Zip\Lang\hy.txt
  C:\Program Files\7-Zip\Lang\ja.txt
  C:\Program Files\7-Zip\Lang\mng2.txt
Program crash (1 IoC)
  WerFault.exe (PID 4816) handled a crash of PID 4680, smnss.exe (report process index 88).
  The dropped smnss.exe died during the run, so the behaviour recorded for it may be incomplete.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by ctfmen.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by smnss.exe

Modifies registry class (6 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node  by 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID  by 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}  by 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"  by 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"  by smnss.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32  by 3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe
  The (default) value of InprocServer32 is the DLL COM loads into any client that instantiates the CLSID. Pointing it at the dropped shervans.dll means every 32-bit process that creates {E6FB5E20-DE35-11CF-9C87-00AA005127ED} will load the DLL in-process, which is both a second persistence path and a way into other processes without any injection API. Check this key when cleaning up, not only the Run entry.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 4680  smnss.exe
  SeDebugPrivilege lets the holder open any process regardless of its owner; it can only be enabled on a token that already carries it, i.e. the sandbox's Admin account.

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2104 wrote to memory of 1096  (3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe -> report process index 87), three times
  PID 1096 wrote to memory of 4680  (ctfmen.exe -> report process index 88), three times
  Each target is the writer's own freshly created child (2104 -> 1096 -> 4680 in the process tree), and three writes per child is the normal footprint of CreateProcess setting up a new process. Nothing here shows injection into an unrelated process.
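The signature tables above contain enough to reconstruct the persistence chain mechanically. The following is an added example (my own code, not part of the tria.ge report): it takes the report's "Drops file in System32 directory", "Adds Run key", "Modifies registry class", "Executes dropped EXE" and "Suspicious use of WriteProcessMemory" rows as hand-constructed records and reports every autostart registry value that points at a file created in the same run, folding System32 and SysWOW64 together to account for WOW64 redirection. The record layout, the function names and the rule that Run/RunOnce and CLSID InprocServer32 keys count as autostart locations are my assumptions.

```python
"""
Correlate a sandbox run's file drops, registry writes and process spawns to
find drop-then-register persistence.  Added example built from this report's
signature tables; it is not tria.ge code.  All records below are constructed
by hand from the page.
"""
import re
from collections import defaultdict

SAMPLE = "3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe"

# "Drops file in System32 directory": (process, path)
FILE_CREATED = [
    (SAMPLE, r"C:\Windows\SysWOW64\smnss.exe"),
    ("smnss.exe", r"C:\Windows\SysWOW64\zipfi.dll"),
    ("smnss.exe", r"C:\Windows\SysWOW64\smnss.exe"),
    (SAMPLE, r"C:\Windows\SysWOW64\shervans.dll"),
    (SAMPLE, r"C:\Windows\SysWOW64\grcopy.dll"),
    (SAMPLE, r"C:\Windows\SysWOW64\satornas.dll"),
    ("smnss.exe", r"C:\Windows\SysWOW64\zipfiaq.dll"),
    (SAMPLE, r"C:\Windows\SysWOW64\ctfmen.exe"),
]

RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen"
CLSID_KEY = ("\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID"
             "\\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\\InprocServer32\\")

# "Adds Run key" and "Modifies registry class": (process, key, data).  The report
# prints value data with doubled backslashes; these are the real strings.
REG_SET = [
    (SAMPLE, RUN_KEY, r"C:\Windows\system32\ctfmen.exe"),
    ("smnss.exe", RUN_KEY, r"C:\Windows\system32\ctfmen.exe"),
    (SAMPLE, CLSID_KEY, r"C:\Windows\SysWow64\shervans.dll"),
    ("smnss.exe", CLSID_KEY, r"C:\Windows\SysWow64\shervans.dll"),
]

# "Executes dropped EXE": pid -> image.  "Suspicious use of WriteProcessMemory":
# (parent pid, child pid), three rows per child exactly as the report lists them.
EXECUTED = {1096: r"C:\Windows\SysWOW64\ctfmen.exe", 4680: r"C:\Windows\SysWOW64\smnss.exe"}
WRITES = [(2104, 1096)] * 3 + [(1096, 4680)] * 3

_WOW64 = re.compile(r"\\windows\\(system32|syswow64)\\")


def normalize_path(path):
    """Lower-case, strip quotes and doubled backslashes, and fold SysWOW64 onto
    System32.  WOW64 redirects a 32-bit process's writes to \\Windows\\System32
    into \\Windows\\SysWOW64, so the registry can name one directory while the
    file sits in the other; for correlation they are the same location."""
    p = path.strip().strip('"').replace("\\\\", "\\").lower()
    return _WOW64.sub(r"\\windows\\system32\\", p)


def classify_key(key):
    """Name the autostart mechanism a registry key path represents, else None."""
    k = key.lower()
    if "\\currentversion\\run\\" in k or "\\currentversion\\runonce\\" in k:
        return "Run key"
    if "\\clsid\\{" in k and "\\inprocserver32" in k:
        return "COM InprocServer32"
    return None


def drop_then_register(file_created, reg_set, executed=None, writes=None):
    """Return {normalized file: details} for every autostart registry value whose
    data points at a file created in the same run, plus which PIDs ran that
    file and which parent spawned them."""
    created_by = defaultdict(set)
    for proc, path in file_created:
        created_by[normalize_path(path)].add(proc)
    parents = defaultdict(set)
    for parent, child in writes or []:        # repeated writes collapse to one spawn edge
        parents[child].add(parent)
    hits = {}
    for proc, key, data in reg_set:
        mech, target = classify_key(key), normalize_path(data)
        if mech is None or target not in created_by:
            continue
        h = hits.setdefault(target, {"mechanisms": set(), "keys": set(),
                                     "dropped_by": set(), "registered_by": set(),
                                     "executed_as": set(), "spawned_by": set()})
        h["mechanisms"].add(mech)
        h["keys"].add(key)
        h["dropped_by"] |= created_by[target]
        h["registered_by"].add(proc)
        for pid, image in (executed or {}).items():
            if normalize_path(image) == target:
                h["executed_as"].add(pid)
                h["spawned_by"] |= parents[pid]
    return hits


if __name__ == "__main__":
    for path, h in drop_then_register(FILE_CREATED, REG_SET, EXECUTED, WRITES).items():
        print(path)
        for field in ("mechanisms", "dropped_by", "registered_by", "executed_as", "spawned_by"):
            print(f"  {field}: {sorted(h[field])}")
```

Run as a script it prints two chains: ctfmen.exe (dropped by the sample, registered in the Run key by both the sample and smnss.exe, executed as PID 1096 under PID 2104) and shervans.dll (registered as the COM in-process server, never run as a process). The same correlation applies unchanged to Sysmon event 11 (file create) and event 13 (registry value set) rows once they are mapped into these tuples.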
Processes
1. C:\Users\Admin\AppData\Local\Temp\3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe (PID 2104)
   command line: "C:\Users\Admin\AppData\Local\Temp\3aff63669473d35daee11521ece2cd6f7d0bbc61b580b8f0d302cdfe2f162d46.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\ctfmen.exe (PID 1096)
      command line: ctfmen.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\smnss.exe (PID 4680)
         command line: C:\Windows\system32\smnss.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Maps connected drives based on registry
         - Drops file in System32 directory
         - Drops file in Program Files directory
         - System Location Discovery: System Language Discovery
         - Modifies registry class
         - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\WerFault.exe (PID 4816)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1580
            - Program crash
1. C:\Windows\SysWOW64\WerFault.exe (PID 1372)
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4680 -ip 4680

The numbers are tree depth. The smnss.exe command line says system32 while its image path is SysWOW64: the sample is 32-bit, so WOW64 file-system redirection resolves its System32 references to SysWOW64. Both WerFault.exe instances belong to the crash of PID 4680; the second is the top-level reporting process that Windows Error Reporting starts alongside the one under the crashed process.
Network
MITRE ATT&CK Enterprise v15
Downloads (files captured during the run; the report does not map them to the dropped file names)
- Filesize: 4KB
  MD5: cc2369662859f2b0e7638ade7feba274
  SHA1: bb10ab72a61a30f25a9565463556871c9fb263d2
  SHA256: fecef202b351d2a25f0589dccd7746fe9a3d3b904f247c2394e43042e3fc0d82
  SHA512: 0b00c8bd723a7e9e45a31d2f62e5abd70de1a903baaf8edb84971d2595ba3e93892aaf497510c98e171f703be087df1eb469b76d74bc5bae99d505217ebbc5df
- Filesize: 120KB
  MD5: 78767ae7660b60644012f079eea88523
  SHA1: 2e308b5ab6eaa02d97be29da53df9152f07bb514
  SHA256: 5e23e83ce3e4f5cec888c2b32205c00bbdc4b3ed541198161a6264e4f85c94ae
  SHA512: e47ed4b5291eb5fffd15f3739806d9ef272bd60d2db86fe4674113302632c13486f341e37a495f26d31d4b09ed138d7a67a2069573f9fa9ceec44fd6ce1e56af
- Filesize: 183B
  MD5: 0bc6a4266d04dd40e958588a02313d8c
  SHA1: c6ae605d517db85b83648fb23d2ab23a0add095d
  SHA256: a2029a4fb7f965be6bd528426329c4ea0ec479da9ccf70ba33228fc7c358b978
  SHA512: 468abf2733d5edcde0143a55660bc204cb2a5889eaa3129b286e8274c24a048b870b438ce92d50adb2b2c3a64038bc23bb0412f1da2ef063888261f708eb5bdd
- Filesize: 8KB
  MD5: 27bda94f189822060f5d276fe7a54338
  SHA1: 66e35f4212d3627b66dbf95f1d52da7c1f702baa
  SHA256: aa745347981dd65b4638a943108e510d1af46ec314a24d527e1d99327648ca72
  SHA512: 5bc37dd69c0e5639174697bb7c59fd8f275727fcb760740df98996794c2b76db867497bcd2198052b9c20e42a07d938fb7b71a76b06c1529722d92418767341c