Analysis
- max time kernel: 129s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/08/2024, 20:35
Static task: static1
Behavioral task: behavioral1
- Sample: 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
- Resource: win10v2004-20240802-en
General
- Target: 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
- Size: 2.3MB
- MD5: 6795e1d303b6ffa9b9fdaeaeac35bee7
- SHA1: 373734016d1261151b632f5ca17914eca92e2821
- SHA256: 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb
- SHA512: 69bcfed71817c187aad2a2a9edc6f0912b1191182d8fdee048435c17f87d8d117904f6cb66bd5f810e2581fe93c0c21dfd250e107f8c9eafdd1c4d90c2511b4f
- SSDEEP: 49152:Bjvk2d9rJpNJ6jUFdXaDoIHmXMupzh72lxakn2YpHdy4ZBgIoooNe:BrkI9rSjA5aDo73pzF2bz3p9y4HgIoov
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (1 IoCs)
  Detects file using ACProtect software.
  resource | yara_rule
  behavioral2/files/0x0007000000023468-11.dat | acprotect
- Executes dropped EXE (2 IoCs)
  pid | Process
  3652 | ctfmen.exe
  2216 | smnss.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  244 | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
  2216 | smnss.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
- Maps connected drives based on registry (3 TTPs, 6 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | smnss.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | smnss.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
- Drops file in System32 directory (12 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\grcopy.dll | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
  File created | C:\Windows\SysWOW64\smnss.exe | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
  File created | C:\Windows\SysWOW64\satornas.dll | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
  File opened for modification | C:\Windows\SysWOW64\satornas.dll | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
  File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
  File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
  File created | C:\Windows\SysWOW64\ctfmen.exe | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
  File created | C:\Windows\SysWOW64\shervans.dll | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
  File created | C:\Windows\SysWOW64\grcopy.dll | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
  File opened for modification | C:\Windows\SysWOW64\shervans.dll | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
  File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
  File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid | Process
  244 | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
  2216 | smnss.exe
  2216 | smnss.exe
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  1520 | 2216 | WerFault.exe | 92
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ctfmen.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smnss.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
- Modifies registry class (6 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2216 | smnss.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  244 | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
  2216 | smnss.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 244 wrote to memory of 3652 | 244 | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe | 91
  PID 244 wrote to memory of 3652 | 244 | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe | 91
  PID 244 wrote to memory of 3652 | 244 | 318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe | 91
  PID 3652 wrote to memory of 2216 | 3652 | ctfmen.exe | 92
  PID 3652 wrote to memory of 2216 | 3652 | ctfmen.exe | 92
  PID 3652 wrote to memory of 2216 | 3652 | ctfmen.exe | 92
Processes
1. C:\Users\Admin\AppData\Local\Temp\318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe"
   PID: 244
   - Loads dropped DLL
   - Adds Run key to start application
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\ctfmen.exe
      Command line: ctfmen.exe
      PID: 3652
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\smnss.exe
         Command line: C:\Windows\system32\smnss.exe
         PID: 2216
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Maps connected drives based on registry
         - Drops file in System32 directory
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - System Location Discovery: System Language Discovery
         - Modifies registry class
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 1488
            PID: 1520
            - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2216 -ip 2216
   PID: 3968
Network
MITRE ATT&CK Enterprise v15
Downloads