Site notice (tria.ge): Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
- max time kernel: 114s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 08/09/2024, 22:26
Static task
- static1
Behavioral tasks
- behavioral1: sample 8e4dc9331958fe14d7cdc81df302b3c0N.exe, resource win7-20240903-en
- behavioral2: sample 8e4dc9331958fe14d7cdc81df302b3c0N.exe, resource win10v2004-20240802-en
General
- Target: 8e4dc9331958fe14d7cdc81df302b3c0N.exe
- Size: 2.3MB
- MD5: 8e4dc9331958fe14d7cdc81df302b3c0
- SHA1: 168b6dcf39b9ffe04c67ad993577cdc83c5974b4
- SHA256: 7e81025ca0acfaaa31d9f4bf49bab1dcfc67a767f80edb4dc83b995397def1d4
- SHA512: 573adc4c9f800449dbb7b7ea4d2ec153388828232814482ef2ecd8664e82026128a81b1c45a49b5f5876b04cbced17e2d940c26dc61ecabc5a2c755d63a759bf
- SSDEEP: 49152:d8F4GBYEFMfVrt0HdZyZUKIKp9/bIA3e63wDknToN58zkfwHuVfcu5ZJFKsnfKUn:d8F4GBY3dR0HHyZ9p9DIAvADkQ8gfwOj
Malware Config
Signatures

ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
- resource behavioral1/files/0x0008000000016890-11.dat, yara_rule acprotect
Note: the YARA hit is recorded on a file extracted during the behavioral run (behavioral1/files/...), so it applies to that dropped artifact; unpack that file before attributing strings or imports to it, and do not assume the submitted executable itself is ACProtect-packed from this row alone.

Executes dropped EXE (2 IoCs)
- PID 2392 ctfmen.exe
- PID 2944 smnss.exe

Loads dropped DLL (9 IoCs)
- PID 2136 8e4dc9331958fe14d7cdc81df302b3c0N.exe (3 loads)
- PID 2392 ctfmen.exe (2 loads)
- PID 2944 smnss.exe (1 load)
- PID 2708 WerFault.exe (3 loads)

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" by 8e4dc9331958fe14d7cdc81df302b3c0N.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" by smnss.exe
Note: the Run value names C:\Windows\system32\ctfmen.exe, but the file the 32-bit dropper created is C:\Windows\SysWOW64\ctfmen.exe (see "Drops file in System32 directory" below). WOW64 file-system redirection turns a 32-bit process's write to System32 into a write to SysWOW64, and registry redirection is why the value landed under Wow6432Node. When checking a host, look for the binary under both directories rather than only at the path the Run value quotes.

Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum by smnss.exe
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 by smnss.exe
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 by smnss.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum by 8e4dc9331958fe14d7cdc81df302b3c0N.exe
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 by 8e4dc9331958fe14d7cdc81df302b3c0N.exe
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 by 8e4dc9331958fe14d7cdc81df302b3c0N.exe
Note: the Enum\0, Enum\1 values are the device instance IDs of the enumerated disks; on a virtual machine these commonly embed the virtual disk vendor name, which is what a VM check looks for. Both the dropper and smnss.exe read them.

Drops file in System32 directory (12 IoCs)
All paths are under C:\Windows\SysWOW64, the 32-bit image's redirected view of System32.
- File created C:\Windows\SysWOW64\shervans.dll by 8e4dc9331958fe14d7cdc81df302b3c0N.exe
- File created C:\Windows\SysWOW64\zipfi.dll by smnss.exe
- File created C:\Windows\SysWOW64\zipfiaq.dll by smnss.exe
- File created C:\Windows\SysWOW64\ctfmen.exe by 8e4dc9331958fe14d7cdc81df302b3c0N.exe
- File opened for modification C:\Windows\SysWOW64\ctfmen.exe by 8e4dc9331958fe14d7cdc81df302b3c0N.exe
- File opened for modification C:\Windows\SysWOW64\shervans.dll by 8e4dc9331958fe14d7cdc81df302b3c0N.exe
- File created C:\Windows\SysWOW64\smnss.exe by 8e4dc9331958fe14d7cdc81df302b3c0N.exe
- File created C:\Windows\SysWOW64\satornas.dll by 8e4dc9331958fe14d7cdc81df302b3c0N.exe
- File opened for modification C:\Windows\SysWOW64\satornas.dll by 8e4dc9331958fe14d7cdc81df302b3c0N.exe
- File created C:\Windows\SysWOW64\smnss.exe by smnss.exe
- File created C:\Windows\SysWOW64\grcopy.dll by 8e4dc9331958fe14d7cdc81df302b3c0N.exe
- File opened for modification C:\Windows\SysWOW64\grcopy.dll by 8e4dc9331958fe14d7cdc81df302b3c0N.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
- PID 2136 8e4dc9331958fe14d7cdc81df302b3c0N.exe
- PID 2944 smnss.exe (2 calls)
Note: ThreadHideFromDebugger is an anti-debugging measure: once set, the kernel stops delivering debug events for that thread, so an attached debugger no longer sees its breakpoints or exceptions. Expect to neutralize this information class when debugging either process manually.
Drops file in Program Files directory (64 IoCs)
Every entry is "File opened for modification" by smnss.exe. These are data files (7-Zip language tables, Java license text, Outlook stationery, ink keyboard definitions), not executables, and the report records the open rather than what, if anything, was written; 64 also appears to be the per-signature display cap, so the real count may be higher. Compare file hashes against a clean image before describing this as infection or destruction of those files.
- C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm
- C:\Program Files\7-Zip\Lang\is.txt
- C:\Program Files\7-Zip\Lang\ne.txt
- C:\Program Files\7-Zip\Lang\sa.txt
- C:\Program Files\7-Zip\Lang\uk.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml
- C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt
- C:\Program Files\7-Zip\Lang\tk.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm
- C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html
- C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml
- C:\Program Files\7-Zip\Lang\bg.txt
- C:\Program Files\7-Zip\Lang\ca.txt
- C:\Program Files\7-Zip\Lang\gu.txt
- C:\Program Files\7-Zip\Lang\io.txt
- C:\Program Files\7-Zip\Lang\ku.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm
- C:\Program Files\7-Zip\Lang\co.txt
- C:\Program Files\7-Zip\Lang\es.txt
- C:\Program Files\7-Zip\Lang\fur.txt
- C:\Program Files\7-Zip\Lang\ky.txt
- C:\Program Files\7-Zip\Lang\mn.txt
- C:\Program Files\7-Zip\Lang\ms.txt
- C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt
- C:\Program Files\7-Zip\Lang\he.txt
- C:\Program Files\7-Zip\Lang\mng.txt
- C:\Program Files\7-Zip\License.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm
- C:\Program Files\7-Zip\Lang\cy.txt
- C:\Program Files\7-Zip\Lang\kk.txt
- C:\Program Files\7-Zip\Lang\nl.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml
- C:\Program Files\DVD Maker\Shared\Filters.xml
- C:\Program Files\7-Zip\Lang\af.txt
- C:\Program Files\7-Zip\Lang\be.txt
- C:\Program Files\7-Zip\Lang\sq.txt
- C:\Program Files\7-Zip\Lang\uz-cyrl.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm
- C:\Program Files\7-Zip\Lang\hi.txt
- C:\Program Files\7-Zip\Lang\uz.txt
- C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html
- C:\Program Files\7-Zip\Lang\eu.txt
- C:\Program Files\7-Zip\Lang\mng2.txt
- C:\Program Files\7-Zip\Lang\va.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml
- C:\Program Files\7-Zip\Lang\it.txt
- C:\Program Files\7-Zip\Lang\pt.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml
- C:\Program Files\7-Zip\Lang\ga.txt
- C:\Program Files\7-Zip\Lang\kab.txt
- C:\Program Files\7-Zip\readme.txt
Program crash (1 IoC)
- PID 2708 WerFault.exe, target PID 2944 (smnss.exe), procid_target 29
Note: smnss.exe crashed during the run, so any behaviour it would have shown after that point is absent from this trace.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 8e4dc9331958fe14d7cdc81df302b3c0N.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ctfmen.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by smnss.exe

Modifies registry class (6 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" by 8e4dc9331958fe14d7cdc81df302b3c0N.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" by smnss.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 by 8e4dc9331958fe14d7cdc81df302b3c0N.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node by 8e4dc9331958fe14d7cdc81df302b3c0N.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID by 8e4dc9331958fe14d7cdc81df302b3c0N.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} by 8e4dc9331958fe14d7cdc81df302b3c0N.exe
Note: pointing a CLSID's InprocServer32 default value at a dropped DLL is COM object registration or hijacking (ATT&CK T1546.015): any 32-bit client that instantiates that CLSID loads shervans.dll in-process, which gives the DLL a second execution path independent of the Run key. The key is under Wow6432Node, so only the 32-bit COM view is affected. The "Key created" rows do not tell you whether the CLSID existed beforehand (RegCreateKey also succeeds on an existing key); check a clean image of the same build to decide whether this is a hijack of a legitimate class or a registration of a new one.

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 2944 smnss.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2136 8e4dc9331958fe14d7cdc81df302b3c0N.exe
- PID 2944 smnss.exe

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 2136 (8e4dc9331958fe14d7cdc81df302b3c0N.exe) wrote to memory of 2392 (ctfmen.exe), procid_target 28, 4 rows
- PID 2392 (ctfmen.exe) wrote to memory of 2944 (smnss.exe), procid_target 29, 4 rows
- PID 2944 (smnss.exe) wrote to memory of 2708 (WerFault.exe), procid_target 30, 4 rows
Note: every pair is parent to direct child, and the identical four-row pattern appears for the spawn of WerFault.exe, which is ordinary process creation. Read these rows as corroboration of the process tree, not as evidence of injection into an unrelated process.
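The signature evidence above is a flat run of rows of the form "<operation> <target> <process>", which is awkward to hunt from by hand. The following Python is an added worked example (not tria.ge code, and not its export format): it splits three evidence tables copied verbatim from this report (the System32 drops, the Run key writes and the registry class writes) into records, refuses to continue if a row was silently skipped, and extracts the persistence target and the COM in-process server DLL with the doubled backslashes of the page's registry strings removed. Nothing beyond the row grammar the page itself uses is assumed.

```python
"""Turn tria.ge signature evidence rows into structured IoCs.

Added example (not tria.ge code). The three evidence strings are copied from
this report; the only assumption is the row grammar the page uses:
<operation> <target, may contain spaces> <process image ending in .exe>.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Operation verbs that start each evidence row. The longer "File opened for
# modification" is listed before "File created" so neither is cut short.
OPERATIONS = (
    "File opened for modification",
    "File created",
    "Set value (str)",
    "Key value queried",
    "Key created",
    "Key opened",
)
_OP = "|".join(re.escape(op) for op in OPERATIONS)
# A row ends with the process image; the next row begins with another verb
# (or the text ends). The lazy target lets paths contain spaces.
_ROW = re.compile(
    rf"(?P<op>{_OP})\s+(?P<target>.+?)\s+(?P<proc>\S+\.exe)(?=\s+(?:{_OP})\s|\s*$)"
)
_RUN_VALUE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>[^\s=]+)\s*=\s*"(?P<data>.*)"$')
_COM_SERVER = re.compile(
    r'\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\InprocServer32\\?\s*=\s*"(?P<data>.*)"$'
)


@dataclass(frozen=True)
class Ioc:
    operation: str
    target: str
    process: str


def parse_rows(evidence: str) -> list[Ioc]:
    """Split one signature's evidence text into rows, refusing to drop any silently."""
    body = re.sub(r"^description ioc Process\s+", "", evidence.strip())
    rows = [Ioc(m["op"], m["target"], m["proc"]) for m in _ROW.finditer(body)]
    verbs = len(re.findall(rf"(?:{_OP})\s", body))
    if len(rows) != verbs:
        raise ValueError(f"parsed {len(rows)} rows but the text has {verbs} operation verbs")
    return rows


def created_files(rows: list[Ioc]) -> set[str]:
    """Distinct paths that some process created."""
    return {r.target for r in rows if r.operation == "File created"}


def creators(rows: list[Ioc]) -> Counter:
    """How many file creations each process is responsible for."""
    return Counter(r.process for r in rows if r.operation == "File created")


def _unescape(data: str) -> str:
    # The page renders registry string data with doubled backslashes.
    return data.replace("\\\\", "\\")


def run_key_writes(rows: list[Ioc]) -> list[tuple[str, str, str]]:
    """(value name, launched path, writing process) for each CurrentVersion\\Run write."""
    out = []
    for r in rows:
        m = _RUN_VALUE.search(r.target) if r.operation == "Set value (str)" else None
        if m:
            out.append((m["name"], _unescape(m["data"]), r.process))
    return out


def com_server_writes(rows: list[Ioc]) -> list[tuple[str, str, str]]:
    """(CLSID, in-process server DLL, writing process) for each InprocServer32 write."""
    out = []
    for r in rows:
        m = _COM_SERVER.search(r.target) if r.operation == "Set value (str)" else None
        if m:
            out.append((m["clsid"], _unescape(m["data"]), r.process))
    return out


# Evidence copied from this report's "Drops file in System32 directory" signature.
SYSTEM32_DROPS = r"""description ioc Process File created C:\Windows\SysWOW64\shervans.dll 8e4dc9331958fe14d7cdc81df302b3c0N.exe
File created C:\Windows\SysWOW64\zipfi.dll smnss.exe
File created C:\Windows\SysWOW64\zipfiaq.dll smnss.exe
File created C:\Windows\SysWOW64\ctfmen.exe 8e4dc9331958fe14d7cdc81df302b3c0N.exe
File opened for modification C:\Windows\SysWOW64\ctfmen.exe 8e4dc9331958fe14d7cdc81df302b3c0N.exe
File opened for modification C:\Windows\SysWOW64\shervans.dll 8e4dc9331958fe14d7cdc81df302b3c0N.exe
File created C:\Windows\SysWOW64\smnss.exe 8e4dc9331958fe14d7cdc81df302b3c0N.exe
File created C:\Windows\SysWOW64\satornas.dll 8e4dc9331958fe14d7cdc81df302b3c0N.exe
File opened for modification C:\Windows\SysWOW64\satornas.dll 8e4dc9331958fe14d7cdc81df302b3c0N.exe
File created C:\Windows\SysWOW64\smnss.exe smnss.exe
File created C:\Windows\SysWOW64\grcopy.dll 8e4dc9331958fe14d7cdc81df302b3c0N.exe
File opened for modification C:\Windows\SysWOW64\grcopy.dll 8e4dc9331958fe14d7cdc81df302b3c0N.exe"""

# Evidence copied from "Adds Run key to start application".
RUN_KEYS = r"""description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" 8e4dc9331958fe14d7cdc81df302b3c0N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" smnss.exe"""

# Evidence copied from "Modifies registry class".
REGISTRY_CLASS = r"""description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" 8e4dc9331958fe14d7cdc81df302b3c0N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" smnss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 8e4dc9331958fe14d7cdc81df302b3c0N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 8e4dc9331958fe14d7cdc81df302b3c0N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 8e4dc9331958fe14d7cdc81df302b3c0N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} 8e4dc9331958fe14d7cdc81df302b3c0N.exe"""


if __name__ == "__main__":
    drops = parse_rows(SYSTEM32_DROPS)
    print("dropped:", sorted(created_files(drops)))
    print("creations per process:", dict(creators(drops)))
    print("run keys:", run_key_writes(parse_rows(RUN_KEYS)))
    print("COM servers:", com_server_writes(parse_rows(REGISTRY_CLASS)))
```

The row-count check in parse_rows matters more than it looks: a path containing an unexpected token would make the regex skip a row, and a hunting list built from the remainder would quietly miss an artifact. Paste any other signature's evidence text into parse_rows the same way.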
Processes
- C:\Users\Admin\AppData\Local\Temp\8e4dc9331958fe14d7cdc81df302b3c0N.exe (PID 2136, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e4dc9331958fe14d7cdc81df302b3c0N.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ctfmen.exe (PID 2392, level 2, parent PID 2136)
    Command line: ctfmen.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\smnss.exe (PID 2944, level 3, parent PID 2392)
      Command line: C:\Windows\system32\smnss.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe (PID 2708, level 4, parent PID 2944)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 908
        - Loads dropped DLL
        - Program crash

Reading the tree: the dropper (2136) writes ctfmen.exe and smnss.exe into SysWOW64 and launches ctfmen.exe, which in turn launches smnss.exe. smnss.exe is invoked as C:\Windows\system32\smnss.exe but runs from C:\Windows\SysWOW64\smnss.exe, the same WOW64 redirection that explains the Run key path. smnss.exe then repeats the dropper's persistence steps (Run key, InprocServer32, more DLLs) and does the bulk of the file activity under Program Files before it crashes; WerFault.exe is launched by the faulting process with -p 2944, so nothing after that crash is in this trace, and the empty Network section should be read with that in mind. One thing worth checking: WerFault.exe (2708) also loaded a dropped DLL three times, and both 2136 and 2944 called SetWindowsHookEx; confirm whether one of the dropped DLLs is a hook module that gets mapped into other processes, since that would change the scope of containment on a live host.
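The process tree and the file and registry rows above are the raw material the sandbox correlates to emit "Executes dropped EXE", "Adds Run key to start application" and the InprocServer32 modification. The Python below is an added example, not tria.ge code, that applies those same three correlations to host telemetry in Sysmon shape (event 1 = process create, 11 = file create, 13 = registry value set). The event list is constructed: PIDs, image paths and registry keys are copied from this report, while the sample's parent PID 1000, the Sysmon field layout, the install.log row and the msiexec Run value are invented so the rules have benign rows to ignore. It also handles the WOW64 mismatch the report shows, where the Run value quotes C:\Windows\system32\ctfmen.exe but the file was dropped at C:\Windows\SysWOW64\ctfmen.exe.

```python
"""Re-derive three sandbox signatures from process/file/registry telemetry.

Added example, not tria.ge code. EVENTS is a constructed trace in Sysmon shape
(1 = ProcessCreate, 11 = FileCreate, 13 = RegistryValueSet). PIDs, images and
registry keys come from this report; the parent PID 1000, the install.log row
and the msiexec Run value are invented benign noise.
"""
from __future__ import annotations

import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8e4dc9331958fe14d7cdc81df302b3c0N.exe"

EVENTS = [
    {"id": 1, "pid": 2136, "ppid": 1000, "image": SAMPLE},
    {"id": 11, "pid": 2136, "target": r"C:\Windows\SysWOW64\shervans.dll"},
    {"id": 11, "pid": 2136, "target": r"C:\Windows\SysWOW64\ctfmen.exe"},
    {"id": 11, "pid": 2136, "target": r"C:\Windows\SysWOW64\smnss.exe"},
    # The Run value quotes system32, but the 32-bit dropper's write landed in SysWOW64.
    {"id": 13, "pid": 2136,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen",
     "data": r"C:\Windows\system32\ctfmen.exe"},
    {"id": 13, "pid": 2136,
     "key": r"HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\(Default)",
     "data": r"C:\Windows\SysWow64\shervans.dll"},
    {"id": 1, "pid": 2392, "ppid": 2136, "image": r"C:\Windows\SysWOW64\ctfmen.exe"},
    {"id": 1, "pid": 2944, "ppid": 2392, "image": r"C:\Windows\SysWOW64\smnss.exe"},
    {"id": 1, "pid": 2708, "ppid": 2944, "image": r"C:\Windows\SysWOW64\WerFault.exe"},
    # Constructed benign noise: a created file nobody executes, and a Run value
    # whose target was not dropped in this trace.
    {"id": 11, "pid": 1000, "target": r"C:\Windows\Temp\install.log"},
    {"id": 13, "pid": 500,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "data": r"C:\Program Files\Vendor\agent.exe"},
]

_SYSDIR = re.compile(r"\\windows\\(system32|syswow64)\\")


def norm(path: str) -> str:
    """Case-fold and treat System32 and SysWOW64 as one directory: WOW64 redirects
    a 32-bit process's write to %windir%\\System32 into SysWOW64, so a Run value
    that names system32 can still point at a file the dropper created in SysWOW64."""
    return _SYSDIR.sub(r"\\windows\\[sysdir]\\", path.lower())


def ancestors(events: list[dict], pid: int) -> list[int]:
    """PIDs above `pid` in the tree, nearest first, stopping at the first unknown parent."""
    parent = {e["pid"]: e["ppid"] for e in events if e["id"] == 1}
    chain: list[int] = []
    while pid in parent and parent[pid] not in chain:
        pid = parent[pid]
        chain.append(pid)
    return chain


def dropped_and_executed(events: list[dict]) -> list[tuple[int, int, str]]:
    """(creator pid, new pid, image): a process ran a file one of its ancestors created."""
    created = {norm(e["target"]): e["pid"] for e in events if e["id"] == 11}
    hits = []
    for e in events:
        if e["id"] != 1:
            continue
        creator = created.get(norm(e["image"]))
        if creator is not None and creator in ancestors(events, e["pid"]):
            hits.append((creator, e["pid"], e["image"]))
    return hits


def _registry_to_dropped(events: list[dict], key_re: re.Pattern) -> list[tuple[int, str, str]]:
    """Registry values (matching key_re) whose data names a file created in this trace."""
    created = {norm(e["target"]) for e in events if e["id"] == 11}
    return [(e["pid"], e["key"], e["data"]) for e in events
            if e["id"] == 13 and key_re.search(e["key"].lower()) and norm(e["data"]) in created]


_RUN_KEY = re.compile(r"\\currentversion\\run\\[^\\]+$")
_INPROC = re.compile(r"\\clsid\\\{[0-9a-f-]+\}\\inprocserver32(\\\(default\))?$")


def run_key_to_dropped(events: list[dict]) -> list[tuple[int, str, str]]:
    """The 'Adds Run key' case: autostart value pointing at a freshly dropped file."""
    return _registry_to_dropped(events, _RUN_KEY)


def com_server_to_dropped(events: list[dict]) -> list[tuple[int, str, str]]:
    """InprocServer32 pointing at a dropped DLL (COM hijack/registration, T1546.015)."""
    return _registry_to_dropped(events, _INPROC)


if __name__ == "__main__":
    for name, rule in (("dropped and executed", dropped_and_executed),
                       ("Run value -> dropped file", run_key_to_dropped),
                       ("InprocServer32 -> dropped DLL", com_server_to_dropped)):
        print(name, rule(EVENTS))
```

On real Sysmon data the same functions apply once events are reduced to these fields; Sysmon reports registry targets with HKLM/HKU prefixes rather than the \REGISTRY\MACHINE form the sandbox uses, which is why the constructed events are written that way. The ancestry check is what keeps "dropped and executed" from firing on a file an unrelated installer wrote earlier in the day.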
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 183B
  MD5: 28e10f54dc7fa1f3626caafcb9f5148f
  SHA1: fdf10d6301c6962dbf88b2fe520ae6559d38c3d4
  SHA256: bf4da2eff89ca32d665cdfe66638e65465bc759904a07591a448e1ef815ce38b
  SHA512: 0f76e7bca025434626f7efd9813ae96241a18d8f9c57bcc7aef355fabd35d01c51ed613f0e7a8fa9c372a809c08291c470def0e5e83c46d49dedfd1d12105ecd
- Filesize: 4KB
  MD5: e0516023ab708c0d8b467d1a8f5bba03
  SHA1: c3ff63e86349cbd338c641afa9890f5f81561286
  SHA256: 3e7189ffe5f2f60f96790e182193bdf3e33676c34160e42738c06193def5fb12
  SHA512: 6dbac9927c68770e3f26181d5da6fe675322a7a80357b5beefbf95f9be6c71fc3168e106a9c62f11b140b860c9063710e4e83218bd86cf840f64f5be5ee7f6a2
- Filesize: 8KB
  MD5: a11876e1916c21ae536bad8cb222ce3f
  SHA1: 397bd9c5f03fc78280b9cc7c2a755ac53a292d75
  SHA256: cc2107ab049461182374065ec81a12acbf003ac34b0a9e95f42dcf3cac499361
  SHA512: 2692255db3a806c35d133cf3bab58d84da3c4dacb4f1603dd7bdcc022761f861731c22296b43785d1c100a68909d0d11631b00fa565b87185d9ee79299572a57
- Filesize: 2.3MB
  MD5: 6987bf24387434755b0208788384c158
  SHA1: ef14e44c1e804681a26bf9e8fd32710ca2384333
  SHA256: b1d317d3bf8db9abd24713f4d6bce273c76e27cc9b85a1093b7e29b27b96359a
  SHA512: c5548242160460279af22c4ce8484b4faf25aaaf4400042cc740c47bcb48ff39b38cf85232dba2a5b7088fa0a59ea021bc2daaf7e3ee679e4f7f233a466589ef
Note: the last artifact is the same size as the submitted sample (2.3MB) but has different hashes; diff it against the sample before treating the two as the same binary.