Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    16s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    25/10/2024, 21:08

General

  • Target

    3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe

  • Size

    119KB

  • MD5

    8df3c43e9ae0714a620a4f22c8169810

  • SHA1

    47dcddf24b66f2299c846342d186bccf58d87b79

  • SHA256

    3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436ad

  • SHA512

    c840b325018eef8c32018d3121824db480b6bd8a601630b12697d1a891f041c95acbfc3f2fb2e82e4c0e3ecf098b9ee6fe192fe5c7b561d17ed32be45adff3f8

  • SSDEEP

    3072:zOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:zIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe
    "C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 828
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2664

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\satornas.dll

    Filesize

    183B

    MD5

    30384658d847da3590d43332ab9c90cc

    SHA1

    afe4e21ed3baeefff3cef52f32254465110bdd9e

    SHA256

    cd68b719f738ab817579ef32a3afa869b14799650130980b27123a45be5c0788

    SHA512

    7fa5c9c240ce74865be6b118acce8b67b3221d140c9031dbc40335230dcea453c246e208513169413fd23ed2568795ef382772f35abe97e1be8e9e49d79ceede

  • \Windows\SysWOW64\ctfmen.exe

    Filesize

    4KB

    MD5

    7821db314a373a73422d7429b61dd23b

    SHA1

    9b690b7218236605e45acd8c59dcba2d1945cd18

    SHA256

    2823942569dd8b045285dd6b5ce19e27667d612370dacfd83839b0304f6c89e4

    SHA512

    c4447686b3ac86a1b0a14f35fc677b9029da1232b46f2503653206bc3e003921efcb5332011617095da239312e96927633b3658a64cd2a2ac7fcb8ca8400ad11

  • \Windows\SysWOW64\shervans.dll

    Filesize

    8KB

    MD5

    58fbe2526566b1769b8f0c3705d0423a

    SHA1

    c3be619130af63082100c902314e8c58d04725cd

    SHA256

    b4c66eba0be4fc7a7f6134d098ec826058f5aaf4ca86531759afb0da26e33965

    SHA512

    9c43449e7fea27971c5f28cf5ade64a79533c17c2e5211c79fb39daf0ddf995642e768e01d9547bb7c32458039592e236afe9b58c20dcc6bc548c3c4989ea3a7

  • \Windows\SysWOW64\smnss.exe

    Filesize

    119KB

    MD5

    6fc66f655fa04ac8fe3df70aca71c3ec

    SHA1

    b1a678f943e52fbce6bf6f08d7d27264516eb077

    SHA256

    b7611397b66a72c04c834bec49d1665a36d8a73a6d18e73c6dc8c44cac5e6816

    SHA512

    82f44504a2ad338b37c223a8e1169f5e35f22ec08f3b5778bee914b8b65845cd730f8532686782112e356b9626aa1829250f4bce5ef0808a9f03cbc182f23957

  • memory/1908-33-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1908-29-0x0000000000320000-0x0000000000340000-memory.dmp

    Filesize

    128KB

  • memory/2296-27-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2296-26-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2296-18-0x00000000002B0000-0x00000000002B9000-memory.dmp

    Filesize

    36KB

  • memory/2296-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2296-12-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2964-34-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2964-40-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2964-45-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2964-46-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB