Analysis

  • max time kernel: 144s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 13/03/2024, 02:57

General

  • Target: 1e9b54990ba261cfb72a10be3edcdb7f44e4edb4c323ade91357d813f99d1aba.exe
  • Size: 127KB
  • MD5: e402995b09c2c475a274ee11c8e52f87
  • SHA1: 5a8d8fa6628f8fa1356825a79f8b619dce178934
  • SHA256: 1e9b54990ba261cfb72a10be3edcdb7f44e4edb4c323ade91357d813f99d1aba
  • SHA512: ef480d1cbd84ff43f668b283623930c852820041093431751ed0a001223694cef982bdb256f725a6a821a3384f6550cb35080f745524e9ee3ce895de2ee62f3d
  • SSDEEP: 3072:vOjguyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPr:vSs9OKofHfHTXQLzgvnzHPowYbvrjD/2

Score
7/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e9b54990ba261cfb72a10be3edcdb7f44e4edb4c323ade91357d813f99d1aba.exe
    "C:\Users\Admin\AppData\Local\Temp\1e9b54990ba261cfb72a10be3edcdb7f44e4edb4c323ade91357d813f99d1aba.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 836
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2160

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\satornas.dll
    Filesize: 183B
    MD5: 06e65e69dc4c8990ab0620ff0729bb15
    SHA1: 855dac320285a8c9d4a0b7b5c92cfb1503b6af99
    SHA256: d23eef2c49cf683d44f99c12bf45549b7366fbeebe1dff6348548c9dbd0ecc0c
    SHA512: caa64e603c45e9b2a446f8acd709c9c083c672a4a1bf93e099f3765ed023f4de42ddae8c8b4b9b73c879b921e11e18ba28d262df8ad3b23887d3a94c1fd08e23

  • C:\Windows\SysWOW64\smnss.exe
    Filesize: 127KB
    MD5: adace7168f6a1c00735b93c70413e8e2
    SHA1: 082da9c12090e0023ec0dddc7e832b8e29dfc868
    SHA256: 98a3496512419f65e7440e25582cf1ffdf6c463566edb184d719230c6220abe3
    SHA512: c6628b079164cbb5d33cb0a3cb027135d488ccb559fd8bd5322ba04eb4e56e6dd42fb260b81793cde9cd0ceaf7c39c5c1aab4a5a45a5c55be49a496f7e23901a

  • \Windows\SysWOW64\ctfmen.exe
    Filesize: 4KB
    MD5: 75b18876396c4f990d207a9ecb9a1af2
    SHA1: 45aa6d836138efe88c631818d044321cdf91efbc
    SHA256: 1b907cd1c7a7f584b7bcd93d12ab5cc44dce474b97787d59c1fbf6055576f9ed
    SHA512: 45e91d545dea0fa3c3671bc9068839f88cbb413028192bc1943a61f50db51262ccc7da7f2d2f2fa8a8d5465f290c38444ba4ab5cd1a99039cf183367f07402b3

  • \Windows\SysWOW64\shervans.dll
    Filesize: 8KB
    MD5: 30ce74e02d9cd9f9b1cec817cd9de603
    SHA1: d8978067bb9e71ab334338d620d9f0a364e6358c
    SHA256: c373945f1d74a5f361b2c9145f02b4a2cf7430502d490d102b557528f0b73bb5
    SHA512: 4a75a0ad4099505acd1af33e6bfcc170692a85d8fb78898a700a33ad63568ce20f8c7710e8dddb6ca2d9a9469957e4da9a7b684794f79f2ae3d4a0c72bdf0c0f

  • memory/2292-25-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB
  • memory/2292-0-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB
  • memory/2292-18-0x0000000000350000-0x0000000000359000-memory.dmp
    Filesize: 36KB
  • memory/2292-31-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB
  • memory/2292-28-0x0000000000350000-0x0000000000359000-memory.dmp
    Filesize: 36KB
  • memory/2292-16-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB
  • memory/2548-34-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB
  • memory/2548-40-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB
  • memory/2548-46-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB
  • memory/2588-30-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB