Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/01/2025, 02:43
Static task: static1
Behavioral task: behavioral1
  Sample: ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
  Resource: win10v2004-20241007-en
General
Target: ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
Size: 75KB
MD5: 8493064ce37fd991c631d08a8ee5049d
SHA1: 6bc1eb2326e0438afc5bcea8a87af350097eccd1
SHA256: ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c
SHA512: 9a483b8bb60d6e1a02fef89aa49e75ba5318e9054f2aa909b5f9c0ae6c37e11ef8a8083734a2ad333bdfb5c096c901fbbf468fa12319f1b5f54aa5bb8f40c3b3
SSDEEP: 1536:ix1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3E:COjWuyt0ZsqsXOKofHfHTXQLzgvnzHPM
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoCs)
Detects file using ACProtect software.
resource | yara_rule
behavioral2/files/0x000a000000023ba7-9.dat | acprotect

Executes dropped EXE (2 IoCs)
pid | Process
5104 | ctfmen.exe
3660 | smnss.exe

Loads dropped DLL (2 IoCs)
pid | Process
5012 | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
3660 | smnss.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe

Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | smnss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe

Drops file in System32 directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
File created | C:\Windows\SysWOW64\shervans.dll | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
File opened for modification | C:\Windows\SysWOW64\shervans.dll | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
File created | C:\Windows\SysWOW64\smnss.exe | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
File created | C:\Windows\SysWOW64\satornas.dll | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
File created | C:\Windows\SysWOW64\ctfmen.exe | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
File created | C:\Windows\SysWOW64\grcopy.dll | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
File opened for modification | C:\Windows\SysWOW64\grcopy.dll | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
File opened for modification | C:\Windows\SysWOW64\satornas.dll | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
376 | 3660 | WerFault.exe | 91
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ctfmen.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smnss.exe
Modifies registry class (6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3660 | smnss.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 5012 wrote to memory of 5104 | 5012 | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe | 90
PID 5012 wrote to memory of 5104 | 5012 | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe | 90
PID 5012 wrote to memory of 5104 | 5012 | ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe | 90
PID 5104 wrote to memory of 3660 | 5104 | ctfmen.exe | 91
PID 5104 wrote to memory of 3660 | 5104 | ctfmen.exe | 91
PID 5104 wrote to memory of 3660 | 5104 | ctfmen.exe | 91
Processes
1. C:\Users\Admin\AppData\Local\Temp\ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe"
   PID: 5012
   - Loads dropped DLL
   - Adds Run key to start application
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\ctfmen.exe
      Command line: ctfmen.exe
      PID: 5104
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\smnss.exe
         Command line: C:\Windows\system32\smnss.exe
         PID: 3660
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Maps connected drives based on registry
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Modifies registry class
         - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 1340
            PID: 376
            - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3660 -ip 3660
   PID: 3600
Network
MITRE ATT&CK Enterprise v15
Downloads