Analysis

  • max time kernel
    131s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20231215-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    25/01/2024, 10:32

General

  • Target

    8350d88b13b3e49ead53f6734a14f7c3956a952422acabb643e93bcb7e373848.exe

  • Size

    127KB

  • MD5

    f811d6765b8b1e8ddb14fe3ba2e6d25e

  • SHA1

    1e4f196de92759008ef46d16f883408e3d13ec07

  • SHA256

    8350d88b13b3e49ead53f6734a14f7c3956a952422acabb643e93bcb7e373848

  • SHA512

    73a10692ef879a0d14948d9d5e7ad5d23b74593ed9fa99652a63a01c3d248098e3ab66d6ef57bb51fed57285414226f3a0dc61bf0543d66beb652ad0db058fd0

  • SSDEEP

    3072:vOjRuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPz:vps9OKofHfHTXQLzgvnzHPowYbvrjD/O

Score
7/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects a file protected with ACProtect, a commercial executable packer/protector; a packed sample has to be unpacked before static analysis is meaningful.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8350d88b13b3e49ead53f6734a14f7c3956a952422acabb643e93bcb7e373848.exe
    "C:\Users\Admin\AppData\Local\Temp\8350d88b13b3e49ead53f6734a14f7c3956a952422acabb643e93bcb7e373848.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3852
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:1828
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 1324
          4⤵
          • Program crash
          PID:2784
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1828 -ip 1828
    1⤵
      PID:4880
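The process tree above (a sample run from the user's Temp directory that launches ctfmen.exe and then smnss.exe from SysWOW64, names one character away from the legitimate ctfmon.exe and smss.exe, after which smnss.exe crashes into WerFault) is the kind of chain a detection engineer encodes as a rule. The block below is an added example, not part of the sandbox report or its tooling: it runs two checks over constructed Sysmon-style process-creation events that mirror the tree, one for lookalike system-binary names and one for a Temp-resident parent spawning a child out of a system directory. The event records, the parent PID 1000 used for the two top-level processes, and the list of system binaries to compare against are assumptions.

```python
"""Process-chain checks over constructed process-creation events.
Example code written for this page; not from the sandbox or the sample."""

# Assumed list of legitimate Windows binaries that droppers commonly mimic by name.
KNOWN_SYSTEM_BINARIES = {
    "ctfmon.exe", "smss.exe", "csrss.exe", "svchost.exe", "lsass.exe",
    "winlogon.exe", "services.exe", "explorer.exe",
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed events mirroring the report's tree (ppid 1000 is an assumption;
# the report does not show who launched the sample or the second WerFault).
EVENTS = [
    {"pid": 4916, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\8350d88b13b3e49ead53f6734a14f7c3956a952422acabb643e93bcb7e373848.exe"},
    {"pid": 3852, "ppid": 4916, "image": r"C:\Windows\SysWOW64\ctfmen.exe"},
    {"pid": 1828, "ppid": 3852, "image": r"C:\Windows\SysWOW64\smnss.exe"},
    {"pid": 2784, "ppid": 1828, "image": r"C:\Windows\SysWOW64\WerFault.exe"},
    {"pid": 4880, "ppid": 1000, "image": r"C:\Windows\SysWOW64\WerFault.exe"},
]


def levenshtein(a, b):
    """Edit distance; inputs are short file names, so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dirname(path):
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def detect(events):
    """Return {pid: [rule names]} for every event that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        name = _basename(e["image"])
        rules = []
        # Rule 1: name is one edit away from a real system binary but is not one.
        if name not in KNOWN_SYSTEM_BINARIES and any(
                levenshtein(name, k) == 1 for k in KNOWN_SYSTEM_BINARIES):
            rules.append("lookalike_system_binary")
        # Rule 2: parent lives in the user's Temp dir, child runs from a system dir
        # (a dropped file executed right after being written there).
        parent = by_pid.get(e["ppid"])
        if parent and "\\appdata\\local\\temp\\" in parent["image"].lower() \
                and _dirname(e["image"]) in SYSTEM_DIRS:
            rules.append("temp_parent_spawned_system_dir_image")
        if rules:
            hits[e["pid"]] = rules
    return hits


if __name__ == "__main__":
    for pid, rules in sorted(detect(EVENTS).items()):
        print(pid, ", ".join(rules))
```

Both WerFault.exe instances pass clean, which is the point of rule 1 being a distance-one test rather than a prefix match: crash handlers and other genuine system binaries in SysWOW64 should not fire, only names crafted to read as one.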

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Windows\SysWOW64\ctfmen.exe

            Filesize

            4KB

            MD5

            3cb3177c3b01ff8607aef1fb3f3d8f3b

            SHA1

            1fc957e178da6a59344172eb063df730c2e60cbd

            SHA256

            fc216dd359aeb83acbf26ca5d00dff47cf1b7199bc6835700b2bfece1333543e

            SHA512

            253365dcbfd6932c777fe4a143b3c8e06341ab5ae01b6461e683ba2180afca3eeaf0075e2206b817ccf8ab669f90db25499a84c81bcee04a3dd18eb9b6755849

          • C:\Windows\SysWOW64\grcopy.dll

            Filesize

            127KB

            MD5

            dc99b76953f2aa855c376c43c80c5dee

            SHA1

            9ef24f1ba61098527a2abaf6a7b323771a7615b4

            SHA256

            b5f46ae2b6360e1c5727025450669b297c7191ee4df6420d767ce9c5bad21869

            SHA512

            fe55ab0e11fe35503188d07f197e1a266f9e7245d56a23e6bbe8fe6a9497f743f359e376fda24a8971c43e59f92eb082e48d925952701734ee250afbab66eeb8

          • C:\Windows\SysWOW64\satornas.dll

            Filesize

            183B

            MD5

            c708b7a58c6c83050c95b56490b8a719

            SHA1

            080b80069837168af964bde098105ac13ffa3d41

            SHA256

            b91d9fb8aaaec1ec07de3d215b384bbc84004d93c8fd5d35cfacfcf1a1cd1ace

            SHA512

            d2ca59db01efbd73dc02a37241e22bfa77aef28d526f3ba2eb1bbee2d99695b31c4766ef0a72c11da13e28afc1e38ee60c4859ed10ca70e3c02e130001c82f97

          • C:\Windows\SysWOW64\shervans.dll

            Filesize

            8KB

            MD5

            972ef8265b50e1990d861fd1277932e7

            SHA1

            323c416f0ca796d08c9f450f04df37fd292f02df

            SHA256

            ad397e8fead3db25ca1690def28b170f00376a46cc1a8e661e3d1a76e303fd42

            SHA512

            4ddb5e4673f6513303e17ba2a33d714516c492306a323fe2f1569d4b57baec8f466874b6bfc49b747fe51005df97b1b5200a957d621633581105dd8c21ee7794

          • memory/1828-32-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/1828-36-0x0000000010000000-0x000000001000D000-memory.dmp

            Filesize

            52KB

          • memory/1828-38-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/3852-23-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

          • memory/4916-0-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/4916-18-0x0000000010000000-0x000000001000D000-memory.dmp

            Filesize

            52KB

          • memory/4916-21-0x0000000010000000-0x000000001000D000-memory.dmp

            Filesize

            52KB

          • memory/4916-24-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB
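The four dropped files listed above (ctfmen.exe, grcopy.dll, satornas.dll, shervans.dll, all written to C:\Windows\SysWOW64) are the host-side indicators an incident responder would sweep for. The block below is an added example, not part of the sandbox report: it carries the report's SHA256 values for those files and scans a directory tree, reporting both exact hash matches and name-only matches, since a later build of the same dropper reuses the file names but not the hashes. The demo tree it builds in a temporary directory, and the contents written into it, are constructed for the example; on a real host the root to scan would be C:\Windows\SysWOW64.

```python
"""Sweep a directory tree for the dropped-file IOCs from the report.
Example code written for this page; not from the sandbox or the sample."""
import hashlib
import os
import tempfile

# name -> SHA256, copied from the report's Downloads section.
DROPPED_FILES = {
    "ctfmen.exe": "fc216dd359aeb83acbf26ca5d00dff47cf1b7199bc6835700b2bfece1333543e",
    "grcopy.dll": "b5f46ae2b6360e1c5727025450669b297c7191ee4df6420d767ce9c5bad21869",
    "satornas.dll": "b91d9fb8aaaec1ec07de3d215b384bbc84004d93c8fd5d35cfacfcf1a1cd1ace",
    "shervans.dll": "ad397e8fead3db25ca1690def28b170f00376a46cc1a8e661e3d1a76e303fd42",
}


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, iocs=DROPPED_FILES):
    """Walk root; return one finding per file whose name or SHA256 matches an IOC.

    name_match is True when the file name is in the IOC set (case-insensitive,
    as NTFS is); hash_match carries the IOC name whose SHA256 matched, else None.
    """
    by_hash = {digest: name for name, digest in iocs.items()}
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            digest = sha256_file(path)
            name_hit = fn.lower() in iocs
            hash_hit = by_hash.get(digest)
            if name_hit or hash_hit:
                findings.append({"path": path, "name": fn.lower(), "sha256": digest,
                                 "name_match": name_hit, "hash_match": hash_hit})
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Constructed tree: a ctfmen.exe with non-matching content (name-only hit),
    a planted file whose hash we add to the IOC set (hash hit), and a clean file."""
    root = tempfile.mkdtemp(prefix="ioc_scan_")
    planted = b"constructed payload, not the real dropper"
    samples = {
        "ctfmen.exe": b"constructed content; hash will not match the report",
        "payload.bin": planted,
        "clean.txt": b"nothing to see here",
    }
    for fn, data in samples.items():
        with open(os.path.join(root, fn), "wb") as f:
            f.write(data)
    iocs = dict(DROPPED_FILES, **{"payload.bin": hashlib.sha256(planted).hexdigest()})
    return scan(root, iocs)


if __name__ == "__main__":
    for f in demo():
        print(f["name"], "name_match=%s" % f["name_match"], "hash_match=%s" % f["hash_match"])
```

A name-only hit on ctfmen.exe or smnss.exe in SysWOW64 is worth treating as a positive even without a hash match: neither name belongs to a Windows component, and the report shows the dropper choosing them precisely so they blend in with ctfmon.exe and smss.exe.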