Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240426-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    15-05-2024 22:13

General

  • Target

    563c95c99aaaca8d0d1b81756b562cf8a64b8145d2b5ee4c44caf26e3bea9012.exe

  • Size

    195KB

  • MD5

    a37d27fe505f9f527fbcaf6207213210

  • SHA1

    dc11c1112541cda2ee4fb7c99d3cdda375a971bd

  • SHA256

    563c95c99aaaca8d0d1b81756b562cf8a64b8145d2b5ee4c44caf26e3bea9012

  • SHA512

    7823abefc2b46aa052c1bb07e8a46d6e0488fd3f58f146efc6abf012da61e4f65add6dfc58e177b083da5bd12ded77fc8def15693afb8513b992bdd90a6dee4f

  • SSDEEP

    6144:fIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCyOW:qKofHfHTXQLzgvnzHPowYbvrjD/L7QPo

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 9 IoCs
  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly read browser profile data, which can include saved credentials and cookies.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\563c95c99aaaca8d0d1b81756b562cf8a64b8145d2b5ee4c44caf26e3bea9012.exe
    "C:\Users\Admin\AppData\Local\Temp\563c95c99aaaca8d0d1b81756b562cf8a64b8145d2b5ee4c44caf26e3bea9012.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:1700

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\ctfmen.exe

    Filesize

    4KB

    MD5

    1164b8feae36cd0a9259c04ac11036ac

    SHA1

    cac6b169290d8a9938c9c74a3460819261e30faa

    SHA256

    719112bb9d754480a2cc338965a99169b01f30c5216ad3cc161b7d3134d1f089

    SHA512

    b192fa1e17f282892428a55de4b5d6d0f00f9b4068cb66a93921df3aab04f18b200fec6226ca0ca301cf73e91a13da2c4a9d0b33d0255b74cbbb5e0bdeeae2b7

  • C:\Windows\SysWOW64\grcopy.dll

    Filesize

    195KB

    MD5

    3b325115141dc95be9cc26cac48ba153

    SHA1

    f88283b83bf7b10a1713f5445fc9ddbc63119550

    SHA256

    f9b9cc6d2792df4bc0b62fcb4c676509521c31c17700839f3a19ba10a7fe01f2

    SHA512

    6d8537646017e87badcaf2cf974286c0dc2815028bd0e5962401b3a0fdf18b6864e568c27d444b45010663d7c540e78902fd4308386c22ed8c62e00cf8a7e407

  • C:\Windows\SysWOW64\satornas.dll

    Filesize

    183B

    MD5

    26ccd9ecb13366043268326db102950c

    SHA1

    9896ef7a26dee23fb005e7799c413e079ab93cc7

    SHA256

    3de0b2d314e4d48c3ef45266585e88ab204ebecaa990498e970a5d08bb86a00e

    SHA512

    37d70b7df0a5ef091ad82dd1daae21ff858b8671854c73aa08c793252fd60032ec69a045f1b215ec69c6a8150b5724d92c792f1c3300a2e910e7566338b0356c

  • C:\Windows\SysWOW64\shervans.dll

    Filesize

    8KB

    MD5

    db766ee694dec3b5b5759e858c053415

    SHA1

    cd5fa060b2582c746b37ae97c730ced87fd24f5a

    SHA256

    be7628235df3d72a97a506e9021632a197991f8458a46a999971b87bc704feb5

    SHA512

    c201ae6b9b3c8a78132e306488318218d53b207d52fe472541c8b60142d21b8c203af20e00b4a34cb7ec08302b7a285a288b709f0a654163e19413370634ed26

  • memory/1564-24-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1564-29-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1700-33-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/1700-41-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/1700-38-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/3040-18-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/3040-22-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/3040-23-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/3040-0-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB
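As an added example, not part of the sandbox report: a Python triage helper that encodes the file names and SHA256 values from the General, Processes and Downloads sections above and checks a set of files, and an exported Run-key listing, against them. The function names (`classify_file`, `scan_directory`, `check_run_keys`) and the Run-key value names in the demo are assumptions; the report gives the dropped file names and hashes but not the names of the Run values it created, so the Run-key check matches on the dropped file names in the command line.

```python
import hashlib
from pathlib import Path

# IoCs taken from the report above: file name -> SHA256. The long key is the
# submitted sample itself (General section); the others are the files it wrote
# to C:\Windows\SysWOW64 (Downloads section).
KNOWN_HASHES = {
    "563c95c99aaaca8d0d1b81756b562cf8a64b8145d2b5ee4c44caf26e3bea9012.exe":
        "563c95c99aaaca8d0d1b81756b562cf8a64b8145d2b5ee4c44caf26e3bea9012",
    "ctfmen.exe": "719112bb9d754480a2cc338965a99169b01f30c5216ad3cc161b7d3134d1f089",
    "grcopy.dll": "f9b9cc6d2792df4bc0b62fcb4c676509521c31c17700839f3a19ba10a7fe01f2",
    "satornas.dll": "3de0b2d314e4d48c3ef45266585e88ab204ebecaa990498e970a5d08bb86a00e",
    "shervans.dll": "be7628235df3d72a97a506e9021632a197991f8458a46a999971b87bc704feb5",
}

# smnss.exe appears in the process tree but has no hash in the report, so it
# can only be matched by name.
SUSPECT_NAMES = {n.lower() for n in KNOWN_HASHES} | {"smnss.exe"}


def classify_file(name, data, known_hashes=None):
    """Return a verdict string for one file, or None if it matches nothing.

    A hash match is strong evidence. A name-only match means a file with one
    of the dropped names exists but its content differs (a variant, or a
    benign file that happens to share the name) and needs a closer look.
    """
    known = KNOWN_HASHES if known_hashes is None else known_hashes
    hash_to_name = {h.lower(): n for n, h in known.items()}
    digest = hashlib.sha256(data).hexdigest()
    if digest in hash_to_name:
        return f"hash match: {hash_to_name[digest]}"
    if name.lower() in SUSPECT_NAMES:
        return "name match, hash differs"
    return None


def scan_directory(root):
    """Hash every file under root (e.g. C:\\Windows\\SysWOW64) and return
    {path: verdict} for the ones that match an IoC."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            verdict = classify_file(p.name, p.read_bytes())
            if verdict:
                hits[str(p)] = verdict
    return hits


def check_run_keys(run_values):
    """run_values maps a Run-key value name to its command line, as exported
    from HKCU or HKLM ...\\CurrentVersion\\Run. Returns a list of
    (value_name, command, matched_file_name) for entries that launch one of
    the dropped files."""
    flagged = []
    for value_name, command in run_values.items():
        lowered = command.lower()
        for fname in sorted(SUSPECT_NAMES):
            if fname in lowered:
                flagged.append((value_name, command, fname))
                break
    return flagged


if __name__ == "__main__":
    # Constructed Run-key export used as sample input; the value names are
    # invented, the report does not list them.
    sample_run = {
        "OneDrive": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "ctfmen": r"C:\Windows\SysWOW64\ctfmen.exe",
    }
    for entry in check_run_keys(sample_run):
        print("Run key hit:", entry)
    root = Path(r"C:\Windows\SysWOW64")
    if root.is_dir():
        for path, verdict in scan_directory(root).items():
            print(path, "->", verdict)
```

Note that the process tree launches smnss.exe with the command line C:\Windows\system32\smnss.exe while the file itself sits in C:\Windows\SysWOW64: the chain is 32-bit, and WoW64 file system redirection maps system32 to SysWOW64 for 32-bit processes, so a host check must look in SysWOW64 rather than system32. The 64-bit and 32-bit Run keys (native and Wow6432Node) are both worth exporting when feeding `check_run_keys`.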