Overview

overview

10

Static

static

10

5c0ccfa3f2...68.exe

windows7-x64

9

5c0ccfa3f2...68.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    137s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/04/2024, 22:07

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    5c0ccfa3f2549f3bf8a89f297cde37fbca4435fc92a871e2c11c8459432a6368.exe

  • Size

    41KB

  • MD5

    257bad0e1a2942e80648ce87030800a6

  • SHA1

    8c8ef6b9a89d71c485ce248a9f0c187d65132f31

  • SHA256

    5c0ccfa3f2549f3bf8a89f297cde37fbca4435fc92a871e2c11c8459432a6368

  • SHA512

    04d6390ad0df528432bdb9c987bed5daf1f538960fc4c95232318d38a2d35d1e0800c3b07f311b0761b2d7aba873082033125ca4063ac469c7c1cc11fe8d5086

  • SSDEEP

    768:KeMc5VwWt1jDkbXdnTOyQxHFO+IxX2P5LIbbcPYir2lAqcdF0i09Cy:Kq5VwWDjDkdTRqHFOn8tIbbeYiuZIFSz

Score
9/10
persistence

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 11 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c0ccfa3f2549f3bf8a89f297cde37fbca4435fc92a871e2c11c8459432a6368.exe
    "C:\Users\Admin\AppData\Local\Temp\5c0ccfa3f2549f3bf8a89f297cde37fbca4435fc92a871e2c11c8459432a6368.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:332
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4492
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:3120
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1336
          4⤵
          • Program crash
          PID:2720
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3120 -ip 3120
    1⤵
      PID:3888
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4144 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:1260

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\SysWOW64\ctfmen.exe
              Filesize

              4KB

              MD5

              90a94e2147ce0c3cdabfe234a0542772

              SHA1

              c3bb5f7c669336ff6b0afc909f24fc6878deb764

              SHA256

              8823ecc6b003f926f25329eb625d779b15d20bb3562128d4a99a8d2db58ceaeb

              SHA512

              e6327e4b9252ea807bf7fa2a59b254d561a091e7df371ecee5cb0d81a09bcb464defe1bd149efa08f4f3aed9036a83fa623efa5e3d53eab57dbed6ab7ae9907d

              Download Submit

            • C:\Windows\SysWOW64\grcopy.dll
              Filesize

              41KB

              MD5

              ea13baf61b85189f4898f6ae82758486

              SHA1

              0cb3f10059c9616139ceb9a91bab7e8f10590baf

              SHA256

              4e34c00d0b7a79d7052b5ce65029bebb63cd0fb3fc05ccb69cd7c574607a16fd

              SHA512

              525f241d81306fe0350684b04bbb7766fb3c05f9a7fecfdee5214dd3be158aaf099416809d3f291bac7aed960c6a9480ab0f5f8067f2cfce2ba8794259040889

              Download Submit

            • C:\Windows\SysWOW64\satornas.dll
              Filesize

              183B

              MD5

              e1418038507ce283bb2d01d07b37eeb8

              SHA1

              2bf5b661562c0496e19ba459e2c01f3eafcb77fb

              SHA256

              62529a287b8dc50dd8e64afeed5d4c8e7276f712ca8478b565c3efdcc4fd43a7

              SHA512

              9b9e002ef6dd2e404bee9957ac27fb2bb1cb8afe7f6d62593b09c3377d0f2fa7eb88bef7b24f77c995e64beffff0285c131dd64b5795d5cf61ae18d4fb2d04f5

              Download Submit

            • C:\Windows\SysWOW64\shervans.dll
              Filesize

              8KB

              MD5

              0d374edc46f4276412bec8db32907190

              SHA1

              a90a9487df91ee813e24f2c4dbf898152d22f883

              SHA256

              29ab2ab0034fcc1b22b44308cc4dcd75ed68f1b1b7437a74e3c5d9a377eb886d

              SHA512

              44d3813c371879841351aee986048f5f94f1dc5af96efb584a8ddfc2ed625bfb438e7fb12c15e4ea8ce55cd0b2bf66e7f68ad3a92168b8d3067407fbaf1636fc

              Download Submit

            • memory/332-0-0x0000000000400000-0x000000000041F000-memory.dmp

              Filesize

              124KB

              Download

            • memory/332-12-0x0000000010000000-0x000000001000D000-memory.dmp

              Filesize

              52KB

              Download

            • memory/332-21-0x0000000000400000-0x000000000041F000-memory.dmp

              Filesize

              124KB

              Download

            • memory/332-24-0x0000000010000000-0x000000001000D000-memory.dmp

              Filesize

              52KB

              Download

            • memory/3120-29-0x0000000000400000-0x000000000041F000-memory.dmp

              Filesize

              124KB

              Download

            • memory/3120-36-0x0000000010000000-0x000000001000D000-memory.dmp

              Filesize

              52KB

              Download

            • memory/3120-37-0x0000000000400000-0x000000000041F000-memory.dmp

              Filesize

              124KB

              Download

            • memory/4492-23-0x0000000000400000-0x0000000000409000-memory.dmp

              Filesize

              36KB

              Download