Analysis

  • max time kernel: 151s
  • max time network: 156s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 07-04-2024 22:57

General

  • Target: 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe
  • Size: 75KB
  • MD5: 82384dba305026b64af4209ef1bd439d
  • SHA1: 81ff94b87a3a45788b89d41cd031867599606fd4
  • SHA256: 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb
  • SHA512: 157a94699dcbf1644cd0dee7c64e6502c22660282d4f49c417157b0ed655c1df91206d9c513ff84aa4f7cae98d0a61ad930cd02a8b6503a80f4deafed8674659
  • SSDEEP: 1536:lx1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3s:vOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPE

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 6 IoCs
  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe
    "C:\Users\Admin\AppData\Local\Temp\855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3448
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:1720
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4056 --field-trial-handle=3084,i,11997299123381683778,5904351605020331957,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:3692

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\ctfmen.exe
    Filesize: 4KB
    MD5: 0af9f9c6293b9714c101db35f45ad191
    SHA1: bf40d0538003825f62cd7fec3a1f858295492c38
    SHA256: 97cba2f1b17f488f869feacfdf2977bc8515fa2ad9e7660e117b14a2a0354806
    SHA512: a45e8f749d78e092e4fd7fc341a9277abb01d4255355943b36a61d139f539b2c6abaa4566f7049cdb0bee3ae17e43cf468b85049ecb459705ca6d92ce39db7f7

  • C:\Windows\SysWOW64\grcopy.dll
    Filesize: 75KB
    MD5: 23a148713e3ba1e0b5eb7b43d514677d
    SHA1: 45e37de9c5f978a6832858129c42b51536910fb4
    SHA256: a9e1eeaaede86c3a707d90fa12743c7d0dab093409caf27f0c17efb8db6e028c
    SHA512: 4263f86f0ac2db2db58c98b65bcbf79217c383f6c64cf35ba7fe2235b7900ed3851dfe54df4a5eaa0a61109dca37e49d9d46b15c11a72bbd73d5a883553b9eef

  • C:\Windows\SysWOW64\satornas.dll
    Filesize: 183B
    MD5: ddffca50ea4268f116e0286a20330a6f
    SHA1: e4de30f39cc54ec42bec9d662d27740ade2b6d98
    SHA256: 94cc938cfe0736564d65307f3478c2e91fe22113550460dcdb6045ceceff7d5e
    SHA512: d958e88b3ba503aabee217720e14a06aca1b132013353ba01d79b33c5953d86bc3bd751e205555fb89ca6d10454dd03e4e186939b5de9846e290bb0f26adef70

  • C:\Windows\SysWOW64\shervans.dll
    Filesize: 8KB
    MD5: c3b9b2d7196fd340d38f3a91d5f4022f
    SHA1: 1200040b97c75e67780fdf706d8a37805de164a0
    SHA256: 9940327aff3f75a654174a985e8049168cdd5c00433aad43ef07a877572d8e61
    SHA512: 41ee9dff94a022dba78e6f05319751faed26da27af34bea28cad3959b59756d9c09255032361e86327dd4d189124b2e7910e2b7d70559de5201452a74a5e7767

  • memory/1720-49-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/1720-45-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/1720-61-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/1720-59-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/1720-34-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB
  • memory/1720-35-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/1720-39-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/1720-41-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/1720-43-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/1720-57-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/1720-47-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/1720-55-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/1720-51-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/1720-53-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/2664-11-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB
  • memory/2664-25-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB
  • memory/2664-20-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/3448-22-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB