Overview

overview

8

Static

static

3

7905a8616d...2e.exe

windows7-x64

7

7905a8616d...2e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    145s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    14/11/2023, 18:55

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    7905a8616dc6ebcc1ea1770d3064d9a7347e47fa3d74e3f1a1d14f5cc8c5212e.exe

  • Size

    75KB

  • MD5

    84d518fa776be0277e054fe0d9531750

  • SHA1

    663646b0d4355402202c86da2b9c477b82cec492

  • SHA256

    7905a8616dc6ebcc1ea1770d3064d9a7347e47fa3d74e3f1a1d14f5cc8c5212e

  • SHA512

    55331075151605661d0e126f53a692f40398139ba6c2cc73bd104ecedba990beabb410a3b79faf13c6619928326008c3aea64aa42ede698b0a86ba75dba69c08

  • SSDEEP

    1536:5x1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3g:jOjWuyt0ZsqsXOKofHfHTXQLzgvnzHP4

Score
7/10
persistence

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 3 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7905a8616dc6ebcc1ea1770d3064d9a7347e47fa3d74e3f1a1d14f5cc8c5212e.exe
    "C:\Users\Admin\AppData\Local\Temp\7905a8616dc6ebcc1ea1770d3064d9a7347e47fa3d74e3f1a1d14f5cc8c5212e.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 792
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2512

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\ctfmen.exe
          Filesize

          4KB

          MD5

          54352209415741d6da32a5d1c19dded4

          SHA1

          cce74be2942f3334c2d729d34732a63f7dc28b49

          SHA256

          e51e1d1b23f85a44067e28d759ad9c86ab66816e7db4c9f86ceacae430aaa1e4

          SHA512

          e2a5d7d246a3fe4db68edee953fdc68086e5a94eacdb2ea043b7d55938eb363d0280a4ede77f6795413928f177f9f9e9c34126f9bac6c5bb73650b43b202807f

          Download Submit

        • C:\Windows\SysWOW64\ctfmen.exe
          Filesize

          4KB

          MD5

          54352209415741d6da32a5d1c19dded4

          SHA1

          cce74be2942f3334c2d729d34732a63f7dc28b49

          SHA256

          e51e1d1b23f85a44067e28d759ad9c86ab66816e7db4c9f86ceacae430aaa1e4

          SHA512

          e2a5d7d246a3fe4db68edee953fdc68086e5a94eacdb2ea043b7d55938eb363d0280a4ede77f6795413928f177f9f9e9c34126f9bac6c5bb73650b43b202807f

          Download Submit

        • C:\Windows\SysWOW64\grcopy.dll
          Filesize

          75KB

          MD5

          562639b6ba1a6f9012a405e5eb2587c5

          SHA1

          3e1842ff12b96f0698c88c60818798a42c9e7422

          SHA256

          586a129adca444fcee6eee3b265d059aed9b2356fff846bd23a93b4ca401dfda

          SHA512

          b54709016a9327bcccf06d5fd0b218cbe49aeb3207b0059ad3d72edcf54bc95649a3f6a3f5d4d83de054118814cf17b691a78d3205a01a91ce5b02ce5133d151

          Download Submit

        • C:\Windows\SysWOW64\satornas.dll
          Filesize

          183B

          MD5

          61f8d74cf6c1d57aba6e2c6b0c3566de

          SHA1

          3c489ce2bd6b5881ba608cb5cb29d8294a2f3e4a

          SHA256

          0a58a2c2dc94a3edd693a0d8e16fa2f56792c68a275c044f9a2ea87eff6d0d69

          SHA512

          012d432cd60848c7b91b316a17470423b0492a0fba896e3d3a346f941d090b881b6182f71880e2e3d1c4b3d102cb58f3b518a79ed12cf65af656c357319dd3b6

          Download Submit

        • C:\Windows\SysWOW64\shervans.dll
          Filesize

          8KB

          MD5

          18fcb4f7de9bb6051cb37219e45ef3ff

          SHA1

          a650dd79d0c33def3884d518ef9c3c3015b0f70b

          SHA256

          b7e0c1e024f9a4a2d1759d79fbfd6da195ec159007c28089f3479db40aefce57

          SHA512

          eba3e3cf32f5495df8c3824accdd082c6b835c728a8b3904228ac9d85197cb2cacc1f769db8d8bc7c7ccd586494b6fdd8df2eca3df2adc9a703e5f5e39dce173

          Download Submit

        • C:\Windows\SysWOW64\smnss.exe
          Filesize

          75KB

          MD5

          562639b6ba1a6f9012a405e5eb2587c5

          SHA1

          3e1842ff12b96f0698c88c60818798a42c9e7422

          SHA256

          586a129adca444fcee6eee3b265d059aed9b2356fff846bd23a93b4ca401dfda

          SHA512

          b54709016a9327bcccf06d5fd0b218cbe49aeb3207b0059ad3d72edcf54bc95649a3f6a3f5d4d83de054118814cf17b691a78d3205a01a91ce5b02ce5133d151

          Download Submit

        • C:\Windows\SysWOW64\smnss.exe
          Filesize

          75KB

          MD5

          562639b6ba1a6f9012a405e5eb2587c5

          SHA1

          3e1842ff12b96f0698c88c60818798a42c9e7422

          SHA256

          586a129adca444fcee6eee3b265d059aed9b2356fff846bd23a93b4ca401dfda

          SHA512

          b54709016a9327bcccf06d5fd0b218cbe49aeb3207b0059ad3d72edcf54bc95649a3f6a3f5d4d83de054118814cf17b691a78d3205a01a91ce5b02ce5133d151

          Download Submit

        • \Windows\SysWOW64\ctfmen.exe
          Filesize

          4KB

          MD5

          54352209415741d6da32a5d1c19dded4

          SHA1

          cce74be2942f3334c2d729d34732a63f7dc28b49

          SHA256

          e51e1d1b23f85a44067e28d759ad9c86ab66816e7db4c9f86ceacae430aaa1e4

          SHA512

          e2a5d7d246a3fe4db68edee953fdc68086e5a94eacdb2ea043b7d55938eb363d0280a4ede77f6795413928f177f9f9e9c34126f9bac6c5bb73650b43b202807f

          Download Submit

        • \Windows\SysWOW64\ctfmen.exe
          Filesize

          4KB

          MD5

          54352209415741d6da32a5d1c19dded4

          SHA1

          cce74be2942f3334c2d729d34732a63f7dc28b49

          SHA256

          e51e1d1b23f85a44067e28d759ad9c86ab66816e7db4c9f86ceacae430aaa1e4

          SHA512

          e2a5d7d246a3fe4db68edee953fdc68086e5a94eacdb2ea043b7d55938eb363d0280a4ede77f6795413928f177f9f9e9c34126f9bac6c5bb73650b43b202807f

          Download Submit

        • \Windows\SysWOW64\shervans.dll
          Filesize

          8KB

          MD5

          18fcb4f7de9bb6051cb37219e45ef3ff

          SHA1

          a650dd79d0c33def3884d518ef9c3c3015b0f70b

          SHA256

          b7e0c1e024f9a4a2d1759d79fbfd6da195ec159007c28089f3479db40aefce57

          SHA512

          eba3e3cf32f5495df8c3824accdd082c6b835c728a8b3904228ac9d85197cb2cacc1f769db8d8bc7c7ccd586494b6fdd8df2eca3df2adc9a703e5f5e39dce173

          Download Submit

        • \Windows\SysWOW64\shervans.dll
          Filesize

          8KB

          MD5

          18fcb4f7de9bb6051cb37219e45ef3ff

          SHA1

          a650dd79d0c33def3884d518ef9c3c3015b0f70b

          SHA256

          b7e0c1e024f9a4a2d1759d79fbfd6da195ec159007c28089f3479db40aefce57

          SHA512

          eba3e3cf32f5495df8c3824accdd082c6b835c728a8b3904228ac9d85197cb2cacc1f769db8d8bc7c7ccd586494b6fdd8df2eca3df2adc9a703e5f5e39dce173

          Download Submit

        • \Windows\SysWOW64\smnss.exe
          Filesize

          75KB

          MD5

          562639b6ba1a6f9012a405e5eb2587c5

          SHA1

          3e1842ff12b96f0698c88c60818798a42c9e7422

          SHA256

          586a129adca444fcee6eee3b265d059aed9b2356fff846bd23a93b4ca401dfda

          SHA512

          b54709016a9327bcccf06d5fd0b218cbe49aeb3207b0059ad3d72edcf54bc95649a3f6a3f5d4d83de054118814cf17b691a78d3205a01a91ce5b02ce5133d151

          Download Submit

        • \Windows\SysWOW64\smnss.exe
          Filesize

          75KB

          MD5

          562639b6ba1a6f9012a405e5eb2587c5

          SHA1

          3e1842ff12b96f0698c88c60818798a42c9e7422

          SHA256

          586a129adca444fcee6eee3b265d059aed9b2356fff846bd23a93b4ca401dfda

          SHA512

          b54709016a9327bcccf06d5fd0b218cbe49aeb3207b0059ad3d72edcf54bc95649a3f6a3f5d4d83de054118814cf17b691a78d3205a01a91ce5b02ce5133d151

          Download Submit

        • \Windows\SysWOW64\smnss.exe
          Filesize

          75KB

          MD5

          562639b6ba1a6f9012a405e5eb2587c5

          SHA1

          3e1842ff12b96f0698c88c60818798a42c9e7422

          SHA256

          586a129adca444fcee6eee3b265d059aed9b2356fff846bd23a93b4ca401dfda

          SHA512

          b54709016a9327bcccf06d5fd0b218cbe49aeb3207b0059ad3d72edcf54bc95649a3f6a3f5d4d83de054118814cf17b691a78d3205a01a91ce5b02ce5133d151

          Download Submit

        • \Windows\SysWOW64\smnss.exe
          Filesize

          75KB

          MD5

          562639b6ba1a6f9012a405e5eb2587c5

          SHA1

          3e1842ff12b96f0698c88c60818798a42c9e7422

          SHA256

          586a129adca444fcee6eee3b265d059aed9b2356fff846bd23a93b4ca401dfda

          SHA512

          b54709016a9327bcccf06d5fd0b218cbe49aeb3207b0059ad3d72edcf54bc95649a3f6a3f5d4d83de054118814cf17b691a78d3205a01a91ce5b02ce5133d151

          Download Submit

        • \Windows\SysWOW64\smnss.exe
          Filesize

          75KB

          MD5

          562639b6ba1a6f9012a405e5eb2587c5

          SHA1

          3e1842ff12b96f0698c88c60818798a42c9e7422

          SHA256

          586a129adca444fcee6eee3b265d059aed9b2356fff846bd23a93b4ca401dfda

          SHA512

          b54709016a9327bcccf06d5fd0b218cbe49aeb3207b0059ad3d72edcf54bc95649a3f6a3f5d4d83de054118814cf17b691a78d3205a01a91ce5b02ce5133d151

          Download Submit

        • memory/1940-25-0x00000000002D0000-0x00000000002D9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/1940-35-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/1940-24-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1940-17-0x00000000002D0000-0x00000000002D9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/1940-15-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/2580-29-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2772-38-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/2772-42-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download