Analysis

  • max time kernel
    144s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/03/2024, 02:57

General

  • Target

    bc4ef06e40a3d73ce35f361d3a2e365f8eb88f5fc5b07d653bf20ff1b5c34202.exe

  • Size

    127KB

  • MD5

    13cee777aadedf3a6b3a7fc83455f9be

  • SHA1

    5bfb0649aa20b5e7ed2c1a76b606968afd33384a

  • SHA256

    bc4ef06e40a3d73ce35f361d3a2e365f8eb88f5fc5b07d653bf20ff1b5c34202

  • SHA512

    3e283bc98fa71091c721276971d2928916a443a9f3a9a83e6925e267b37239a07482095f29192bea392e5d478904ce5e449a03cd00c6c99ce52d667531a6fa7d

  • SSDEEP

    3072:vOjjuAt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPp:vzu9OKofHfHTXQLzgvnzHPowYbvrjD/s

Score
7/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc4ef06e40a3d73ce35f361d3a2e365f8eb88f5fc5b07d653bf20ff1b5c34202.exe
    "C:\Users\Admin\AppData\Local\Temp\bc4ef06e40a3d73ce35f361d3a2e365f8eb88f5fc5b07d653bf20ff1b5c34202.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2052
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 796
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2548

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\grcopy.dll

    Filesize

    127KB

    MD5

    7bf4c6d0e73bf081785f0e02287bf7ea

    SHA1

    1476f6a756ae10e5bb18e9c6ace6bd297d8de1dd

    SHA256

    38cef714b2df0856f7c3858eb79c00e76d798be1bf131582b411a2f137cc1321

    SHA512

    655f1ac42c053f1908d9db1276f5e95d44138e4ac9ead5d283027f3d0fe2b20024d62b6de4c8b032611454c566dabb486cc16a3c9ad2bdf7c77375e55199fff8

  • C:\Windows\SysWOW64\satornas.dll

    Filesize

    183B

    MD5

    d8cf517dc91ae756df68da66b79e78c9

    SHA1

    f14c49b65e63b06f7019e47136f13450f12c826a

    SHA256

    035a78468d1ab3fe799ab61a00eca7da413dcde71b2ac8cde2a98552cc8a222e

    SHA512

    b0f24f0bd058a3a7fcf6b5e6833f19a8c6c692fbbdcd58df45ae20d8251d31ebe74e1e742d532f28a326651e68fbed93779e422c13a9f7f66c3614820514d8ea

  • \Windows\SysWOW64\ctfmen.exe

    Filesize

    4KB

    MD5

    1d64f5f34dd6c74f19b4a8d864a8ff6e

    SHA1

    f215b57a003871446d7b917896178806705b1887

    SHA256

    33999769e13ef96d37a741f49f4f01b046f318e0c8fb6748435393e83eeda145

    SHA512

    c7b0427dd05ae36d23398806c322ba280e80531539634c59440ee4d3562a441c6f403ec7a5561257e579720a8dea0bde08a5f9118ee0782769f9dc592bf8a872

  • \Windows\SysWOW64\shervans.dll

    Filesize

    8KB

    MD5

    521d78e518fdf2adb82547a281af2c5a

    SHA1

    f809c6a183ec8af96b1cb9b767a5cbb7222c0ba2

    SHA256

    4da30c795f4f4ba8cbab1d91178b8d7a9aada63cd7ca6f6255ec1c3335d20e47

    SHA512

    09ae485661945192189cbda73f97f0141c218711bdeb6ad7974241458e94be2bd8999b6f5ada34b52ffe4815307571e4a9de85288cc1ecb8bd121058fd71847e

  • memory/1736-37-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/1736-25-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/1736-18-0x0000000000340000-0x0000000000349000-memory.dmp

    Filesize

    36KB

  • memory/1736-0-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/1736-16-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2052-36-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/2052-40-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2052-46-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/2180-26-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2180-47-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB