Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/02/2025, 20:51

General

  • Target

    0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe

  • Size

    127KB

  • MD5

    6679f2c397c691726b1fcf5a3dadfbfd

  • SHA1

    18b83af13938f7ceedaa467745a59a7cbb744e79

  • SHA256

    0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c

  • SHA512

    1b5c7b900764afa2632d82a628d0d2f176e517103a73dc9d98e96171dd99c070e024552d2bfc37fb6dff17a7f148f49cb82eb1b0d116dc8dab666283540a591c

  • SSDEEP

    3072:TOjWuyt0ZHqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPD:TIH9OKofHfHTXQLzgvnzHPowYbvrjD/+

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe
    "C:\Users\Admin\AppData\Local\Temp\0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4564
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3172
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:3936
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1432
          4⤵
          • Program crash
          PID:552
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3936 -ip 3936
    1⤵
    PID:3912

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\ctfmen.exe

      Filesize

      4KB

      MD5

      f073d95314fd595c52ab77e54a420561

      SHA1

      4e5b4698980d7b721b0162424af9858cbcee0f25

      SHA256

      aed95aa87cd5e9e7c66c07085855da0d9db83fa617d5ebc314079bb254aeb6c4

      SHA512

      3ae389ead08efe3c5409f684e47cab93ae35a65b9b93120131450cdb4086f205a546a07eac7a0d0706314059cf7ea0b4a25960ac9f7de9a58c08e10543c535ec

    • C:\Windows\SysWOW64\grcopy.dll

      Filesize

      127KB

      MD5

      1d46f758458aeb2b3360746094767f52

      SHA1

      d00be11f0dd9e9befcf515e70dd68b97e444f989

      SHA256

      270fa5ef113770d2bc99608a9b4578206f1cd2b837504dcd3c3ae93f91255ad9

      SHA512

      0273bfdb611d809ed11f8bf2e3f80e7d7981bd200ee47f0426315637cbdb18a2b39c61d64a847656ea234abd100d63b7697d5a60cb3a6aec36993d300dc9db3a

    • C:\Windows\SysWOW64\satornas.dll

      Filesize

      183B

      MD5

      b80668cb14cbd57a4d2e19e915e9127b

      SHA1

      dd47eb90813032b3d87b36ea94fc355de9c1ba48

      SHA256

      ef48c5ac4859dabe0071bc5ce81741ef50af63f738e541218cc2c51143cc65dc

      SHA512

      b56dae13e14e482c208f8431aa9865b4c7375bcdae339b0c704c311547133aa89c0a530376e28d116b62e2d7f1a903d8af9c62b0d91a5d00ce7117149a08140a

    • C:\Windows\SysWOW64\shervans.dll

      Filesize

      8KB

      MD5

      cdeaff0be314782741667613c45956d0

      SHA1

      2c9f346428899a815bca76210c47a3c9b54813d1

      SHA256

      88b7f62a35300b1a8cb6c332e2f6df55bee3626ddcd36fcd3c8caa0888c8cb94

      SHA512

      f622a6f9da42b9a5211bbb9674675df5c4c1ef922084f42f73e209823c9f3b6ef1f3a023d8d895e66770b05ab472d410675bf54bc4bd862c3e924ada9471b00a

    • memory/3172-27-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/3172-21-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/3936-29-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/3936-36-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/3936-38-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/3936-39-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/4564-0-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/4564-23-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/4564-22-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/4564-12-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB