Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/04/2024, 22:14

General

  • Target

    5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe

  • Size

    118KB

  • MD5

    312d3cbe6a9271ccd3f83347fc32ff35

  • SHA1

    92e05ad1ab458a1bda12446fbfc940cbf9f8f3a7

  • SHA256

    5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495

  • SHA512

    1f0c9197ea52ddedf3423b48022ed634775e2eb54499dd796b59fa8d2aed0dbdcc1afa162b72c54ba7b8201beed877948d230cf9bb6348e6cb725e98cb149048

  • SSDEEP

    3072:IOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPb:IIs9OKofHfHTXQLzgvnzHPowYbvrjD/m

Score
9/10

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 11 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe
    "C:\Users\Admin\AppData\Local\Temp\5f0197caf08aa8065be325363429381bac4efd55a045b42d4e11022ddee13495.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4728
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:764
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1344
          4⤵
          • Program crash
          PID:2072
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 764 -ip 764
    1⤵
      PID:5080

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Windows\SysWOW64\ctfmen.exe

      Filesize

      4KB

      MD5

      0f344e53dd1504a0165042ce64dd17a4

      SHA1

      22b1dfeca7101f95c02ea59cd0b0888e80f163ec

      SHA256

      2c94dff8a1bef360f8148d65864d3f8f05bcbc1891fab8a6bf86e368ce19255c

      SHA512

      1c403b25a953b1ef80594073d0f7d376e45b9807ec2cd9e3166077124ac132cea9bda30e7727540004feb0f8a45d29c9ccbc2144fe2f97708d2d59f7c742e63c

    • C:\Windows\SysWOW64\grcopy.dll

      Filesize

      118KB

      MD5

      baa298ddcaeef421807d136d4c0f05de

      SHA1

      33805736190797c570619f5ffeb8275764b62226

      SHA256

      afbc8f718daed990f707da871643f22da83f8393df286da8b371fe4ec1593164

      SHA512

      2903bc87cd60408df511de3e8ad1e1a73f377dd43bc21c38d0a87a18c02add1284647557e5fd76a911ed066200163c883f1b2425b0cfd3e52edfab3494bac59b

    • C:\Windows\SysWOW64\satornas.dll

      Filesize

      183B

      MD5

      939d805515a45a51b42f9390aa30700a

      SHA1

      ab83e0f464739f45faf50027eeb0bf48048f255e

      SHA256

      a306f34843d07250cb88c55de76236b747b199fb83d3b8bf7b2c849205d92396

      SHA512

      0fd5d1f4a8e5b6bdfad6232f27e900751ec9acb117cca5a7dcf4a8cb332cbc9c746a7b19cd1af781046b879c069343d74df85a7062db37befbb566ee8829ccca

    • C:\Windows\SysWOW64\shervans.dll

      Filesize

      8KB

      MD5

      c37b941472df09a8667efb9fb9791fa0

      SHA1

      841a8e8bf6a625967ef1ee45df86633fc819a109

      SHA256

      b17bd2eb58f3dedc43a5a68287945ce8f1a166c3cf38fc5b5c9213ec4d6efe58

      SHA512

      3f98abfef2c09db76efd31e8767a5b1196e2e66e98b7c4fb45b64fbc4ecea181f5aea9cdb7121e5ba1b20ecc94980aa0abac6ce175b67e7f3022c06aeabb0782

    • memory/764-29-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/764-36-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/764-38-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2608-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2608-18-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/2608-21-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/2608-24-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/4728-26-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB