Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

8168cfffcb...cb.exe

windows7-x64

7

8168cfffcb...cb.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    145s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28/09/2024, 23:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe

  • Size

    2.3MB

  • MD5

    f3c617fd5d59a2acdc8d69c84d65d76e

  • SHA1

    965c7dc9b4a773e03c8d33257182ca0aaae1e48b

  • SHA256

    8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb

  • SHA512

    3d8242ec6ea531b12a6110c7664c393d97548fa88d6b5c818d138137bc99bb93848e438294ea97a9f752560d68117636240c2364db5eb43f40fc87e90fbd9fb5

  • SSDEEP

    49152:ujvk2d9rJpNJ6jUFdXaDoIHmXMupzh72lxakn2YpHdy4ZBgIoooNe:urkI9rSjA5aDo73pzF2bz3p9y4HgIoov

Score
7/10
discoverypersistence

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
    "C:\Users\Admin\AppData\Local\Temp\8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1028
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1520

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\satornas.dll
    Filesize

    183B

    MD5

    7d905292a8b97f39fbd115daa7aae5bf

    SHA1

    2bac476154a5010ff9db918d7369ce995a514280

    SHA256

    c4c397c54b016f5dbfcef281976c840820b852d8f7ccf51a81774933d405ca6f

    SHA512

    182ef5bd5ffba9264a2ac59cbe1fe094e3de178aac6252cb41987cdbe0ebdc3fdd60eed7c6bb41c2bfc413bf9615a7aad7b73e3520e179dca17ebf374183e05f

    Download Submit

  • \Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    657b9e36496ed81af0c9c1280a663966

    SHA1

    11092529b046098307bec84cc9f472029d2181a9

    SHA256

    267e216418b5a3cb5bfb99c1c3785cad5498c6f8f2caf56d442c3e6bed32ef8d

    SHA512

    df1f6acba2fdbd7f4b8e1fd456a37d5f8cbede1df5a520adb4564313c62cf2964df106a2381cb6078b45cc44aeb246675daa514822f7565ab71cc47431d8cba4

    Download Submit

  • \Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    2a67f87074187016e5bb9ea5181447ff

    SHA1

    55cefebec4e3ec00845973ae34f0dc23a242c898

    SHA256

    9753d874718f1c9a23caa7fd18bf51d13ff143ca5508f27b26e084b3704231b1

    SHA512

    b150809051eb489a89a46b59b76d5c75e22134d1bfc1a0627bd755ecaa46eab113f2225ba36a902d04625abb7c0f3b7b34137a954e44c846bd0c40eb68cce1f1

    Download Submit

  • \Windows\SysWOW64\smnss.exe
    Filesize

    2.3MB

    MD5

    5aba464bbcfb6278010d9ab7eb259fac

    SHA1

    d49f805cbd106fd4a02e12bccd0bd659d9d29edc

    SHA256

    02e44c28a98d3a4a5c20cbec29d8d92c9695041c2b7d75c71cece1ac6d8d6066

    SHA512

    8b0e3be04ab176feb5efa5bb2f649ea4e958807989a0d8c22077948e00709207a170a6c4b8a47eb35a4e8664532846472d6bdf93970ad113eba19dd068464701

    Download Submit

  • memory/2568-36-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2568-52-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2568-47-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2568-45-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2568-46-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2568-44-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2568-42-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2640-20-0x0000000000170000-0x0000000000179000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2640-34-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2640-28-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2640-25-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2640-26-0x0000000000170000-0x0000000000179000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2640-0-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2640-13-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2640-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2904-29-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download