af2157afdb3d8390e7a8649e64a3108753f90f1c59837f8bd9895780c1e95d12

Analysis

max time kernel
417s
max time network
415s
platform
windows10-2004_x64
resource
win10v2004-20240226-ja
resource tags

arch:x64arch:x86image:win10v2004-20240226-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
06/03/2024, 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CTFarmSetup-Dl0r1S07Eu.exe
Size

5.7MB
MD5

fbe57e7ad749b7446da15a3009c1dbda
SHA1

5fe1d65462acd362681c611ce0f832c0a74a6e70
SHA256

af2157afdb3d8390e7a8649e64a3108753f90f1c59837f8bd9895780c1e95d12
SHA512

555f40f23aa5151d5a2ef3c0edf0d57f5e56fe50b0cc0884f0fb900044223e649252061394de53a60e1db0267abf98929931d4ad8c4243ae10e40fc118ba6bc3
SSDEEP

98304:IsaZ+xj0ghxlL8nVU18k0xlVxCtq5xv00dre4+7PDsIEU+B9KpNGwPUlUQb0+YUE:Ir+xj0ghxlwWGVxCE5vr+7ZEUU9aNGp4

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CTFarm = "C:\\Program Files\\CTFarm\\CTFarm.exe /tray"	CTFarmSetup-Dl0r1S07Eu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	CTFarmSetup-Dl0r1S07Eu.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\CTFarm\CTFarmUpdater.exe	CTFarmSetup-Dl0r1S07Eu.exe
File created	C:\Program Files\CTFarm\sciter.dll	CTFarmSetup-Dl0r1S07Eu.exe
File created	C:\Program Files\CTFarm\CTFarmHWMon.sys	CTFarmSetup-Dl0r1S07Eu.exe
File created	C:\Program Files\CTFarm\Uninstall.exe	CTFarmSetup-Dl0r1S07Eu.exe
File created	C:\Program Files\CTFarm\CTFarm.exe	CTFarmSetup-Dl0r1S07Eu.exe
File created	C:\Program Files\CTFarm\CTFarmService.exe	CTFarmSetup-Dl0r1S07Eu.exe

Executes dropped EXE 5 IoCs

pid	Process
1952	CTFarmService.exe
2488	CTFarmService.exe
3164	CTFarmUpdater.exe
1452	CTFarm.exe
3788	CTFarm.exe

Loads dropped DLL 6 IoCs

pid	Process
264	CTFarmSetup-Dl0r1S07Eu.exe
264	CTFarmSetup-Dl0r1S07Eu.exe
264	CTFarmSetup-Dl0r1S07Eu.exe
264	CTFarmSetup-Dl0r1S07Eu.exe
1452	CTFarm.exe
3788	CTFarm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1452	CTFarm.exe
Token: SeLockMemoryPrivilege	3788	CTFarm.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1452	CTFarm.exe
1452	CTFarm.exe
3788	CTFarm.exe
3788	CTFarm.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1452	CTFarm.exe
3788	CTFarm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1452	CTFarm.exe
3788	CTFarm.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 1952	264	CTFarmSetup-Dl0r1S07Eu.exe	93
PID 264 wrote to memory of 1952	264	CTFarmSetup-Dl0r1S07Eu.exe	93
PID 264 wrote to memory of 3164	264	CTFarmSetup-Dl0r1S07Eu.exe	96
PID 264 wrote to memory of 3164	264	CTFarmSetup-Dl0r1S07Eu.exe	96
PID 264 wrote to memory of 3164	264	CTFarmSetup-Dl0r1S07Eu.exe	96
PID 264 wrote to memory of 1452	264	CTFarmSetup-Dl0r1S07Eu.exe	102
PID 264 wrote to memory of 1452	264	CTFarmSetup-Dl0r1S07Eu.exe	102

C:\Users\Admin\AppData\Local\Temp\CTFarmSetup-Dl0r1S07Eu.exe
"C:\Users\Admin\AppData\Local\Temp\CTFarmSetup-Dl0r1S07Eu.exe"
1⤵
- Adds Run key to start application
- Checks computer location settings
- Drops file in Program Files directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:264
- C:\Program Files\CTFarm\CTFarmService.exe
  "C:\Program Files\CTFarm\CTFarmService.exe" install
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Program Files\CTFarm\CTFarmUpdater.exe
  "C:\Program Files\CTFarm\CTFarmUpdater.exe" /install
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Program Files\CTFarm\CTFarm.exe
  "C:\Program Files\CTFarm\CTFarm.exe" /first_launch
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1452

C:\Program Files\CTFarm\CTFarmService.exe
"C:\Program Files\CTFarm\CTFarmService.exe"
1⤵
- Executes dropped EXE
PID:2488

C:\Program Files\CTFarm\CTFarm.exe
"C:\Program Files\CTFarm\CTFarm.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CTFarm\CTFarm.exe

Filesize
1.1MB

MD5
a4bc34026e06c5a582b992f20a7508cd

SHA1
af331a3ac56c88f220e26f1596d17bd6cef5b328

SHA256
96df47f390e273f03ec9d18eed724689559d2b244033ebec2a657d1b5d34ff41

SHA512
2232d8a206ba26ba5b2a082ceff5c5ec1a2dcaabe52ba8fbe08115654db627b6955fb6a93c07aafcf97a70990614785995dacc681a747b2fca61ca27db6d26d8

Download Submit
C:\Program Files\CTFarm\CTFarmService.exe

Filesize
384KB

MD5
585b7905252960e8d42e77f967bf1896

SHA1
8dfec72fcd8831b7e903eac4d0f0ec90b2dd659a

SHA256
d5499e62f9fd8a391a40506d5b61c5db1112b74d2bc730d277d4f6d5d583b660

SHA512
0c9e94e4ad99a667264664fb50e22da2a2330e16c3eec27a899c879ed789ddd7b7f68ce2285b1044f42f1e95d3fddfc18fec8b07a22d4b87232d8d2420808dbb

Download Submit
C:\Program Files\CTFarm\CTFarmUpdater.exe

Filesize
2.4MB

MD5
297e98b83754d01a27afc3c544da0c99

SHA1
786596cae9a84ee46e585f5964edcb74c84a2348

SHA256
dee9ed2b2398634e7bc3e4389502a590e84e07a7752a64e157db1dbb1d68234c

SHA512
3386bd83f4c901c33ebe91e8551de812be38d335f35ddc627e1769df7735c4c15fd91a5ab4a8d1fa206817c28a09b6c7b70830a6121e8399c668a10340c5f037

Download Submit
C:\Program Files\CTFarm\sciter.dll

Filesize
1.3MB

MD5
08aff5b6d36ca823e696a30e0b93401f

SHA1
02aad91af49b94a204cc772401e8d0fd7e16a66c

SHA256
4ec6ac54141f8498ffd48f849518dd9a315b7f5b55942fef7c0d4ada46c84429

SHA512
363571ecf82552c3ae0304f1ab0e2e45916ae7d890dc41f00a2eb9a3d5b2ccf1a2e4fdf965ddd33eaf52f4cbc61ba54821cc462b539dcd17abd82356cfb3e75d

Download Submit
C:\Program Files\CTFarm\sciter.dll

Filesize
435KB

MD5
1736c08d3c266bbaceeb14ee6badc1d1

SHA1
0890ec3a38b75f93d67ff7a1778ed461c87cb1e0

SHA256
8c632f0fda9d746e18c7e5327620a3cd918903f972cead9a5aaf85cb81d70f2a

SHA512
c918a8c4309b1402658b7413b1035df722bf82ed9ef2b06ca7ea79d859f9a70c560ff4ac5a2c6ffca8c158e297ec66ddee5b39d3c890e07b59f456224f4d7e60

Download Submit
C:\Program Files\CTFarm\sciter.dll

Filesize
8.3MB

MD5
6961d5db2a9797108e6e33bea6a82118

SHA1
83abdb392bcc34db70697340d8bada2d888a64a3

SHA256
45aee2005b54a39b45073483ed7906eed5495ef42d85c19083ddf5a25fa12e7d

SHA512
64f3130e668467282e978d7fb29dc07dd3c55c4708869168132e9383988f822d677f8b80eec2bc1b4de868008cb485aeb28bacffb5997a10f1931a64da3e0dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz85DA.tmp\StartMenu.dll

Filesize
7KB

MD5
6b7073967487c24d08e88c208a1626fa

SHA1
f75f9dd095558b3c03b1647fe23c0869634bd9cc

SHA256
c91c61861cf22d1e9cd14dbba163573b2bd3d03dc72fcb1512879e4f3ab3b276

SHA512
31e1962b761bb0304905287f8ef33bf244b05ce1490723b98134dff0cc55956295d979086c350457fa5f6618868e431f1fc2d34afb4437ada15839ae4836f6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz85DA.tmp\System.dll

Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz85DA.tmp\UserMgr.dll

Filesize
24KB

MD5
c5add6be93b13965cb474227f6dfe299

SHA1
c8f0ffc6ee182d2b54fad661a8522932825b2e52

SHA256
b12568139bdd8621aa9ca3e2dd29bbfa110068c21a9f89289372192517122502

SHA512
e49eb6c20e442143c01c9ab20be9b4fbca84a25333a8a9ce6c28d63f5419e659898225994a6e319c3f5be2c2d880b93fb2e078d2c1861be813702226c888a27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz85DA.tmp\UserMgr.dll

Filesize
14KB

MD5
e878829aff6cef7ebd750ae65356c1e1

SHA1
9f82f6f63227e5de04e90d40e39c66c881b412a6

SHA256
c1b2bfdb73777481c605973b724be6d043a92d498eac947b42ddaa879f262992

SHA512
41ea21726792c039b9014aac94862f5ef16a2207fd0e0e3b47b6509afa9e7a6829737705b3c5b29ab5033abae84dbb37eadc1d2ba0cc5b8b51cac6a2c6ff3213

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz85DA.tmp\nsDialogs.dll

Filesize
9KB

MD5
48f3e7860e1de2b4e63ec744a5e9582a

SHA1
420c64d802a637c75a53efc8f748e1aede3d6dc6

SHA256
6bf9cccd8a600f4d442efe201e8c07b49605ba35f49a4b3ab22fa2641748e156

SHA512
28716ddea580eeb23d93d1ff6ea0cf79a725e13c8f8a17ec9dfacb1fe29c7981ad84c03aed05663adc52365d63d19ec2f366762d1c685e3a9d93037570c3c583

Download Submit
C:\Users\Admin\AppData\Roaming\ctfarm.json

Filesize
218B

MD5
3d362fd72df9b9498ac20511892af533

SHA1
496b30a45dfb7b0867afa02ebc3d0134cde5d0da

SHA256
8d36fc6fe9744d3edcfbc0123e6112bd7873678024606c1ce7059428371ed835

SHA512
6d4fb523842068cd6dc22c3c23d2dcc2d91fb1f2924d03be8fa872e42050ac38acb8aa5e482ef951d6b734aafcaa3f04ed1b876f06df62846fe3228bf885b95a

Download Submit
C:\Users\Admin\AppData\Roaming\ctfarm.json

Filesize
507B

MD5
2c8e2c7d42df1146de6ad02592a45272

SHA1
034036805f5a7007d07fd8a075f5673afbe01340

SHA256
1adc31270020a904cd2f1cbbe5fe40b793ded02bd546c433aae2b06640185388

SHA512
39e8d31ab7a94f15e466f4bcc70c8694dee38c3f8635662a1991f88290cb3a706d8bf5618ef50ba7748fa9ecada51324c13f5dd1b2a29c726e6f4b40221d7fcd

Download Submit
memory/1452-80-0x0000016038B30000-0x0000016038B50000-memory.dmp

Filesize
128KB

Download
memory/3788-97-0x000001C65E1E0000-0x000001C65E200000-memory.dmp

Filesize
128KB

Download
memory/3788-98-0x000001C65F8C0000-0x000001C65F8E0000-memory.dmp

Filesize
128KB

Download
memory/3788-99-0x000001C65E1E0000-0x000001C65E200000-memory.dmp

Filesize
128KB

Download
memory/3788-100-0x000001C65F8C0000-0x000001C65F8E0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads