af2157afdb3d8390e7a8649e64a3108753f90f1c59837f8bd9895780c1e95d12

Analysis

max time kernel
1799s
max time network
1807s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2023, 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CTFarmSetup-Di90Yzbi2o.exe
Size

5.7MB
MD5

fbe57e7ad749b7446da15a3009c1dbda
SHA1

5fe1d65462acd362681c611ce0f832c0a74a6e70
SHA256

af2157afdb3d8390e7a8649e64a3108753f90f1c59837f8bd9895780c1e95d12
SHA512

555f40f23aa5151d5a2ef3c0edf0d57f5e56fe50b0cc0884f0fb900044223e649252061394de53a60e1db0267abf98929931d4ad8c4243ae10e40fc118ba6bc3
SSDEEP

98304:IsaZ+xj0ghxlL8nVU18k0xlVxCtq5xv00dre4+7PDsIEU+B9KpNGwPUlUQb0+YUE:Ir+xj0ghxlwWGVxCE5vr+7ZEUU9aNGp4

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CTFarm = "C:\\Program Files\\CTFarm\\CTFarm.exe /tray"	CTFarmSetup-Di90Yzbi2o.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	CTFarmSetup-Di90Yzbi2o.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\CTFarm\Uninstall.exe	CTFarmSetup-Di90Yzbi2o.exe
File created	C:\Program Files\CTFarm\CTFarm.exe	CTFarmSetup-Di90Yzbi2o.exe
File created	C:\Program Files\CTFarm\CTFarmService.exe	CTFarmSetup-Di90Yzbi2o.exe
File created	C:\Program Files\CTFarm\CTFarmUpdater.exe	CTFarmSetup-Di90Yzbi2o.exe
File created	C:\Program Files\CTFarm\sciter.dll	CTFarmSetup-Di90Yzbi2o.exe
File created	C:\Program Files\CTFarm\CTFarmHWMon.sys	CTFarmSetup-Di90Yzbi2o.exe

Executes dropped EXE 6 IoCs

pid	Process
992	CTFarmService.exe
3144	CTFarmService.exe
1936	CTFarmUpdater.exe
3752	CTFarm.exe
864	CTFarm.exe
2480	CTFarm.exe

Loads dropped DLL 7 IoCs

pid	Process
4896	CTFarmSetup-Di90Yzbi2o.exe
4896	CTFarmSetup-Di90Yzbi2o.exe
4896	CTFarmSetup-Di90Yzbi2o.exe
4896	CTFarmSetup-Di90Yzbi2o.exe
3752	CTFarm.exe
864	CTFarm.exe
2480	CTFarm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3752	CTFarm.exe
Token: SeLockMemoryPrivilege	2480	CTFarm.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4896	CTFarmSetup-Di90Yzbi2o.exe
3752	CTFarm.exe
3752	CTFarm.exe
2480	CTFarm.exe
2480	CTFarm.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3752	CTFarm.exe
2480	CTFarm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3752	CTFarm.exe
2480	CTFarm.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 992	4896	CTFarmSetup-Di90Yzbi2o.exe	93
PID 4896 wrote to memory of 992	4896	CTFarmSetup-Di90Yzbi2o.exe	93
PID 4896 wrote to memory of 1936	4896	CTFarmSetup-Di90Yzbi2o.exe	97
PID 4896 wrote to memory of 1936	4896	CTFarmSetup-Di90Yzbi2o.exe	97
PID 4896 wrote to memory of 1936	4896	CTFarmSetup-Di90Yzbi2o.exe	97
PID 4896 wrote to memory of 3752	4896	CTFarmSetup-Di90Yzbi2o.exe	99
PID 4896 wrote to memory of 3752	4896	CTFarmSetup-Di90Yzbi2o.exe	99

C:\Users\Admin\AppData\Local\Temp\CTFarmSetup-Di90Yzbi2o.exe
"C:\Users\Admin\AppData\Local\Temp\CTFarmSetup-Di90Yzbi2o.exe"
1⤵
- Adds Run key to start application
- Checks computer location settings
- Drops file in Program Files directory
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Program Files\CTFarm\CTFarmService.exe
  "C:\Program Files\CTFarm\CTFarmService.exe" install
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Program Files\CTFarm\CTFarmUpdater.exe
  "C:\Program Files\CTFarm\CTFarmUpdater.exe" /install
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Program Files\CTFarm\CTFarm.exe
  "C:\Program Files\CTFarm\CTFarm.exe" /first_launch
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3752

C:\Program Files\CTFarm\CTFarmService.exe
"C:\Program Files\CTFarm\CTFarmService.exe"
1⤵
- Executes dropped EXE
PID:3144

C:\Program Files\CTFarm\CTFarm.exe
"C:\Program Files\CTFarm\CTFarm.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864

C:\Program Files\CTFarm\CTFarm.exe
"C:\Program Files\CTFarm\CTFarm.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CTFarm\CTFarm.exe

Filesize
1.1MB

MD5
a4bc34026e06c5a582b992f20a7508cd

SHA1
af331a3ac56c88f220e26f1596d17bd6cef5b328

SHA256
96df47f390e273f03ec9d18eed724689559d2b244033ebec2a657d1b5d34ff41

SHA512
2232d8a206ba26ba5b2a082ceff5c5ec1a2dcaabe52ba8fbe08115654db627b6955fb6a93c07aafcf97a70990614785995dacc681a747b2fca61ca27db6d26d8

Download Submit
C:\Program Files\CTFarm\CTFarm.exe

Filesize
1.1MB

MD5
a4bc34026e06c5a582b992f20a7508cd

SHA1
af331a3ac56c88f220e26f1596d17bd6cef5b328

SHA256
96df47f390e273f03ec9d18eed724689559d2b244033ebec2a657d1b5d34ff41

SHA512
2232d8a206ba26ba5b2a082ceff5c5ec1a2dcaabe52ba8fbe08115654db627b6955fb6a93c07aafcf97a70990614785995dacc681a747b2fca61ca27db6d26d8

Download Submit
C:\Program Files\CTFarm\CTFarm.exe

Filesize
1.1MB

MD5
a4bc34026e06c5a582b992f20a7508cd

SHA1
af331a3ac56c88f220e26f1596d17bd6cef5b328

SHA256
96df47f390e273f03ec9d18eed724689559d2b244033ebec2a657d1b5d34ff41

SHA512
2232d8a206ba26ba5b2a082ceff5c5ec1a2dcaabe52ba8fbe08115654db627b6955fb6a93c07aafcf97a70990614785995dacc681a747b2fca61ca27db6d26d8

Download Submit
C:\Program Files\CTFarm\CTFarm.exe

Filesize
1.1MB

MD5
a4bc34026e06c5a582b992f20a7508cd

SHA1
af331a3ac56c88f220e26f1596d17bd6cef5b328

SHA256
96df47f390e273f03ec9d18eed724689559d2b244033ebec2a657d1b5d34ff41

SHA512
2232d8a206ba26ba5b2a082ceff5c5ec1a2dcaabe52ba8fbe08115654db627b6955fb6a93c07aafcf97a70990614785995dacc681a747b2fca61ca27db6d26d8

Download Submit
C:\Program Files\CTFarm\CTFarm.exe

Filesize
1.1MB

MD5
a4bc34026e06c5a582b992f20a7508cd

SHA1
af331a3ac56c88f220e26f1596d17bd6cef5b328

SHA256
96df47f390e273f03ec9d18eed724689559d2b244033ebec2a657d1b5d34ff41

SHA512
2232d8a206ba26ba5b2a082ceff5c5ec1a2dcaabe52ba8fbe08115654db627b6955fb6a93c07aafcf97a70990614785995dacc681a747b2fca61ca27db6d26d8

Download Submit
C:\Program Files\CTFarm\CTFarmService.exe

Filesize
384KB

MD5
585b7905252960e8d42e77f967bf1896

SHA1
8dfec72fcd8831b7e903eac4d0f0ec90b2dd659a

SHA256
d5499e62f9fd8a391a40506d5b61c5db1112b74d2bc730d277d4f6d5d583b660

SHA512
0c9e94e4ad99a667264664fb50e22da2a2330e16c3eec27a899c879ed789ddd7b7f68ce2285b1044f42f1e95d3fddfc18fec8b07a22d4b87232d8d2420808dbb

Download Submit
C:\Program Files\CTFarm\CTFarmService.exe

Filesize
384KB

MD5
585b7905252960e8d42e77f967bf1896

SHA1
8dfec72fcd8831b7e903eac4d0f0ec90b2dd659a

SHA256
d5499e62f9fd8a391a40506d5b61c5db1112b74d2bc730d277d4f6d5d583b660

SHA512
0c9e94e4ad99a667264664fb50e22da2a2330e16c3eec27a899c879ed789ddd7b7f68ce2285b1044f42f1e95d3fddfc18fec8b07a22d4b87232d8d2420808dbb

Download Submit
C:\Program Files\CTFarm\CTFarmService.exe

Filesize
384KB

MD5
585b7905252960e8d42e77f967bf1896

SHA1
8dfec72fcd8831b7e903eac4d0f0ec90b2dd659a

SHA256
d5499e62f9fd8a391a40506d5b61c5db1112b74d2bc730d277d4f6d5d583b660

SHA512
0c9e94e4ad99a667264664fb50e22da2a2330e16c3eec27a899c879ed789ddd7b7f68ce2285b1044f42f1e95d3fddfc18fec8b07a22d4b87232d8d2420808dbb

Download Submit
C:\Program Files\CTFarm\CTFarmUpdater.exe

Filesize
2.4MB

MD5
297e98b83754d01a27afc3c544da0c99

SHA1
786596cae9a84ee46e585f5964edcb74c84a2348

SHA256
dee9ed2b2398634e7bc3e4389502a590e84e07a7752a64e157db1dbb1d68234c

SHA512
3386bd83f4c901c33ebe91e8551de812be38d335f35ddc627e1769df7735c4c15fd91a5ab4a8d1fa206817c28a09b6c7b70830a6121e8399c668a10340c5f037

Download Submit
C:\Program Files\CTFarm\CTFarmUpdater.exe

Filesize
2.4MB

MD5
297e98b83754d01a27afc3c544da0c99

SHA1
786596cae9a84ee46e585f5964edcb74c84a2348

SHA256
dee9ed2b2398634e7bc3e4389502a590e84e07a7752a64e157db1dbb1d68234c

SHA512
3386bd83f4c901c33ebe91e8551de812be38d335f35ddc627e1769df7735c4c15fd91a5ab4a8d1fa206817c28a09b6c7b70830a6121e8399c668a10340c5f037

Download Submit
C:\Program Files\CTFarm\sciter.dll

Filesize
8.3MB

MD5
6961d5db2a9797108e6e33bea6a82118

SHA1
83abdb392bcc34db70697340d8bada2d888a64a3

SHA256
45aee2005b54a39b45073483ed7906eed5495ef42d85c19083ddf5a25fa12e7d

SHA512
64f3130e668467282e978d7fb29dc07dd3c55c4708869168132e9383988f822d677f8b80eec2bc1b4de868008cb485aeb28bacffb5997a10f1931a64da3e0dd1

Download Submit
C:\Program Files\CTFarm\sciter.dll

Filesize
8.3MB

MD5
6961d5db2a9797108e6e33bea6a82118

SHA1
83abdb392bcc34db70697340d8bada2d888a64a3

SHA256
45aee2005b54a39b45073483ed7906eed5495ef42d85c19083ddf5a25fa12e7d

SHA512
64f3130e668467282e978d7fb29dc07dd3c55c4708869168132e9383988f822d677f8b80eec2bc1b4de868008cb485aeb28bacffb5997a10f1931a64da3e0dd1

Download Submit
C:\Program Files\CTFarm\sciter.dll

Filesize
8.3MB

MD5
6961d5db2a9797108e6e33bea6a82118

SHA1
83abdb392bcc34db70697340d8bada2d888a64a3

SHA256
45aee2005b54a39b45073483ed7906eed5495ef42d85c19083ddf5a25fa12e7d

SHA512
64f3130e668467282e978d7fb29dc07dd3c55c4708869168132e9383988f822d677f8b80eec2bc1b4de868008cb485aeb28bacffb5997a10f1931a64da3e0dd1

Download Submit
C:\Program Files\CTFarm\sciter.dll

Filesize
8.3MB

MD5
6961d5db2a9797108e6e33bea6a82118

SHA1
83abdb392bcc34db70697340d8bada2d888a64a3

SHA256
45aee2005b54a39b45073483ed7906eed5495ef42d85c19083ddf5a25fa12e7d

SHA512
64f3130e668467282e978d7fb29dc07dd3c55c4708869168132e9383988f822d677f8b80eec2bc1b4de868008cb485aeb28bacffb5997a10f1931a64da3e0dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw71D5.tmp\StartMenu.dll

Filesize
7KB

MD5
6b7073967487c24d08e88c208a1626fa

SHA1
f75f9dd095558b3c03b1647fe23c0869634bd9cc

SHA256
c91c61861cf22d1e9cd14dbba163573b2bd3d03dc72fcb1512879e4f3ab3b276

SHA512
31e1962b761bb0304905287f8ef33bf244b05ce1490723b98134dff0cc55956295d979086c350457fa5f6618868e431f1fc2d34afb4437ada15839ae4836f6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw71D5.tmp\System.dll

Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw71D5.tmp\UserMgr.dll

Filesize
24KB

MD5
c5add6be93b13965cb474227f6dfe299

SHA1
c8f0ffc6ee182d2b54fad661a8522932825b2e52

SHA256
b12568139bdd8621aa9ca3e2dd29bbfa110068c21a9f89289372192517122502

SHA512
e49eb6c20e442143c01c9ab20be9b4fbca84a25333a8a9ce6c28d63f5419e659898225994a6e319c3f5be2c2d880b93fb2e078d2c1861be813702226c888a27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw71D5.tmp\UserMgr.dll

Filesize
24KB

MD5
c5add6be93b13965cb474227f6dfe299

SHA1
c8f0ffc6ee182d2b54fad661a8522932825b2e52

SHA256
b12568139bdd8621aa9ca3e2dd29bbfa110068c21a9f89289372192517122502

SHA512
e49eb6c20e442143c01c9ab20be9b4fbca84a25333a8a9ce6c28d63f5419e659898225994a6e319c3f5be2c2d880b93fb2e078d2c1861be813702226c888a27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw71D5.tmp\nsDialogs.dll

Filesize
9KB

MD5
48f3e7860e1de2b4e63ec744a5e9582a

SHA1
420c64d802a637c75a53efc8f748e1aede3d6dc6

SHA256
6bf9cccd8a600f4d442efe201e8c07b49605ba35f49a4b3ab22fa2641748e156

SHA512
28716ddea580eeb23d93d1ff6ea0cf79a725e13c8f8a17ec9dfacb1fe29c7981ad84c03aed05663adc52365d63d19ec2f366762d1c685e3a9d93037570c3c583

Download Submit
C:\Users\Admin\AppData\Roaming\ctfarm.json

Filesize
863B

MD5
040fd20781af2789a623dcb35448ec4c

SHA1
cdfe65dce4eba97f3feb920e19e0f61678a474a1

SHA256
fb656fb8f3959bf4cfc2bcb30442ea398789fca36b77826d4b4c8b571c45839d

SHA512
4450b3034714c01a25332b7ab0df99ff136db15da75e0ee71e7607b7159f3d6d140aed6963f04175d5d8b5437f66fd3e4f706d535470ae9deaad2bed760e4bc8

Download Submit
C:\Users\Admin\AppData\Roaming\ctfarm.json

Filesize
218B

MD5
2553ff9e42d3f1c30345137d91ed5ea0

SHA1
2448651df9cab1e4fc25868fda67634c5bbb53d6

SHA256
6861733ffad9eee0219284a307ec3b67c095e3fbb5cea2aa2e1f134c90dd591e

SHA512
f8e1ca4a5d57d3ef2f58237b2e966908cbcd6e84569ffa775c2f4482f68664438a879d6ef213a2bd2fb1bcf2026d5dfdd5084bf5e7cb881e925e5c472c4d6486

Download Submit
C:\Users\Admin\AppData\Roaming\ctfarm.json

Filesize
511B

MD5
ad2f4218c2d4d839957c968cdedde1b8

SHA1
e3f9686f389c4f0cdf8d60e0113690ed696778b7

SHA256
c679d265abe0670f5f2924c188a33dfdbc113aa69c7a213cbc9e6ee6ca728297

SHA512
1033e839f2bb1a09206d35af81d2f268ee848ef42f0be17728dc3fc6a4f7a7c54a28f0c21de35f0da4fa83968ea9d487d278d8050ba0611a5cb4b26ecb238710

Download Submit
C:\Users\Admin\AppData\Roaming\ctfarm.json

Filesize
511B

MD5
ad2f4218c2d4d839957c968cdedde1b8

SHA1
e3f9686f389c4f0cdf8d60e0113690ed696778b7

SHA256
c679d265abe0670f5f2924c188a33dfdbc113aa69c7a213cbc9e6ee6ca728297

SHA512
1033e839f2bb1a09206d35af81d2f268ee848ef42f0be17728dc3fc6a4f7a7c54a28f0c21de35f0da4fa83968ea9d487d278d8050ba0611a5cb4b26ecb238710

Download Submit
memory/2480-99-0x000001CC56670000-0x000001CC56690000-memory.dmp

Filesize
128KB

Download
memory/2480-104-0x000001CC56670000-0x000001CC56690000-memory.dmp

Filesize
128KB

Download
memory/2480-113-0x000001CBC16C0000-0x000001CBC16E0000-memory.dmp

Filesize
128KB

Download
memory/2480-114-0x000001CBC16C0000-0x000001CBC16E0000-memory.dmp

Filesize
128KB

Download
memory/3752-82-0x0000022CDD410000-0x0000022CDD430000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads