Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/01/2025, 02:43

General

  • Target

    ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe

  • Size

    75KB

  • MD5

    8493064ce37fd991c631d08a8ee5049d

  • SHA1

    6bc1eb2326e0438afc5bcea8a87af350097eccd1

  • SHA256

    ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c

  • SHA512

    9a483b8bb60d6e1a02fef89aa49e75ba5318e9054f2aa909b5f9c0ae6c37e11ef8a8083734a2ad333bdfb5c096c901fbbf468fa12319f1b5f54aa5bb8f40c3b3

  • SSDEEP

    1536:ix1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3E:COjWuyt0ZsqsXOKofHfHTXQLzgvnzHPM

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
    "C:\Users\Admin\AppData\Local\Temp\ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5012
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5104
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:3660
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 1340
          4⤵
          • Program crash
          PID:376
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3660 -ip 3660
    1⤵
      PID:3600

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\ctfmen.exe

      Filesize

      4KB

      MD5

      b345d6a0bd2365963bba348ecf6c95f9

      SHA1

      82cce03299b8e126e26ebaae44f6fced64b0ca45

      SHA256

      932cff14fc48a1b89c2193e85c349355bbe26d025b3b4345d2c43d2d1ec4dfbc

      SHA512

      a17ac09160a805bbe62aa1cc65f1072e6af085d8464936a9d8eed004c02c9a26f4c1c5472feb4de732f327b10e3fc43387aa9b4cb33d25bbc05eaa2d53bfc071

    • C:\Windows\SysWOW64\grcopy.dll

      Filesize

      75KB

      MD5

      36d36ec7f0d4fec05bd4ac5901f37a49

      SHA1

      0847f213fee6a9ef0ad66b4a9c328d43cbc509d7

      SHA256

      bdf7d94e11155753a0d7b950cc5ceef15caed70051e63f04777e7d29336e784e

      SHA512

      0f3fc8c69570df00dbda2cf0586625c02bc205603bc8fb00793e3fe7660984325a12fd54137684df8048a2bc98a6b6f7658aedef09ec4e559b15224eca18739e

    • C:\Windows\SysWOW64\satornas.dll

      Filesize

      183B

      MD5

      ecbddabc9fa4b347466b71d558fb44c1

      SHA1

      e2ce4882a469af47e33fc54e901faaa46682f887

      SHA256

      4ee6051985da8d6500738448285dc8ed71b9a036c1661603ed147b92d148c52f

      SHA512

      f4b9c44b965d0fc3be55b8535f2bb491941bc02ac8007e8e75341703a4b3d7b16b5fb9564b50cc479a64c9ec409adb6a4164691b17b935fa544913ec7a2c6709

    • C:\Windows\SysWOW64\shervans.dll

      Filesize

      8KB

      MD5

      3818bf530b3f454b5e19f9384648ea88

      SHA1

      6d1b2f37c869c87c9811a85081c2e05949066ca5

      SHA256

      13b954b7353b1595cad903af2ec4349434aa6179b5431a12a5ea585958af1e87

      SHA512

      b6f66ac7bf5e0c5f6451bea15ef07e0ead737ed03eeee544d78f06c616544aaeb9510d9d2979726a1516f5d7877badf432671c7fd002da5110019a92ccb231ac

    • memory/3660-36-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/3660-37-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

    • memory/3660-39-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/5012-11-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/5012-24-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/5012-22-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

    • memory/5104-27-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/5104-20-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB