
Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2024, 22:55

General

  • Target

    f7964e9d9cf014ad703bde48ea99b2f1913d095b8d87a193fdce3b96ef240629N.exe

  • Size

    226KB

  • MD5

    198096fac6db211ebbe7cc655431e390

  • SHA1

    18f5b3927e1a21a569e6cccafaf176637f9b9cd1

  • SHA256

    f7964e9d9cf014ad703bde48ea99b2f1913d095b8d87a193fdce3b96ef240629

  • SHA512

    4fb5f83a7cf38d9aa20ea2b0bc9302fc324dc9435d952306449263abdb05c883b35af4e307ddcdb71cf6f31ba6f915deb6d9935320430b2231dcbf2e52a92b10

  • SSDEEP

    6144:zIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCtZ0:WKofHfHTXQLzgvnzHPowYbvrjD/L7QPS

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7964e9d9cf014ad703bde48ea99b2f1913d095b8d87a193fdce3b96ef240629N.exe
    "C:\Users\Admin\AppData\Local\Temp\f7964e9d9cf014ad703bde48ea99b2f1913d095b8d87a193fdce3b96ef240629N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2780

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\satornas.dll

    Filesize

    183B

    MD5

    fe18baf5db650ff54316f2cbce4f0e28

    SHA1

    62202f08a5418cc84eb2932e42c6f2003b423edb

    SHA256

    3f7ef988fdd82b600e271da4153815430a0b8e0e1943b3734843a7e472bffc2d

    SHA512

    11639a7c2e74d0506164d9ed6806f817450f94c2d744cd4d07a01302e64aba8a4b9dd8aff7a36f45aa32e614872103a51ce1d9d7bc8cd76b231975fa35e27a66

  • C:\Windows\SysWOW64\smnss.exe

    Filesize

    226KB

    MD5

    73701f4ec7aa71723ef69c873d988f88

    SHA1

    8b71358149cf4616139a6b16223dd9591869e1d2

    SHA256

    c9c45c1f71b2ebae4943bcbf5e5c11de35560223930b32de0fba58601c2a6f93

    SHA512

    c5767b0d66d36d9960872b3f5804b3ea3e0d285001881787c69c717d1dbb8d3c722df1b1c718fce966eb0a2104cf7075f6fc39e034f584a71a0826ab1dd84a31

  • \Windows\SysWOW64\ctfmen.exe

    Filesize

    4KB

    MD5

    4dd70c6ad3149f2d078c40f741f62006

    SHA1

    12f676cd8dc609be1080b2158948bf5c829bfd81

    SHA256

    8ea651839d42c2c78bc29f964c19597b1cad4fea6ab0ce440316afef25f3de9e

    SHA512

    f7e3f0cddaae98311f51fef1e35d953e4e65fd2b10a98ed6815f1ac5b5338222e6603180bfdfbcb4e747e0d51122ba698b8eb81870e46b9aa5d7756368ee371b

  • \Windows\SysWOW64\shervans.dll

    Filesize

    8KB

    MD5

    eb1b20b5354d55f55c8186bc9517c898

    SHA1

    a891b4938de16ef1613bd01b8dbfaaa5ee2d80e3

    SHA256

    257d0b0036f002e210517b400645fc7f0caef252a3126170afc098643ee1d6df

    SHA512

    ba6130247747794dd587562c62a0dbd8d5aa332fd9e1ab6d3c8a449b9411c96cda9126000dcde8b4040c35c4002554677761edb168052297d102071a6529e406

  • memory/2780-35-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/2780-42-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/2780-43-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2932-0-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/2932-18-0x0000000000340000-0x0000000000349000-memory.dmp

    Filesize

    36KB

  • memory/2932-27-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2932-26-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/2932-12-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/3044-28-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/3044-31-0x00000000003C0000-0x00000000003F2000-memory.dmp

    Filesize

    200KB