Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 20:41
Static task: static1
Behavioral task: behavioral1
  Sample: 36890fe9a88e28810ae84c3aab8741a631ab2e1d7b5c32afc9b63490dcff0dc0.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 36890fe9a88e28810ae84c3aab8741a631ab2e1d7b5c32afc9b63490dcff0dc0.dll
  Resource: win10v2004-20240426-en
General
Target: 36890fe9a88e28810ae84c3aab8741a631ab2e1d7b5c32afc9b63490dcff0dc0.dll
Size: 8KB
MD5: 090e76e5c46511e09cb75b54411ecd30
SHA1: 8d88930de24acd7886d31604be68e35700cad54e
SHA256: 36890fe9a88e28810ae84c3aab8741a631ab2e1d7b5c32afc9b63490dcff0dc0
SHA512: 740e6fd115244af5e711d75f3950a55c77a0a93c1f8c0c0dfbf43b96f5fd6025000a68e892466d89abc2b255b0f2305f2b2bc03353f129d96632bc563ee9d914
SSDEEP: 192:Oh4SFyvWohE5xf6YUBSL63SUJqtMblWN:OO+ohE2B13NJqtM
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: rundll32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | rundll32.exe

Drops file in System32 directory (2 IoCs)
Processes: rundll32.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\satornas.dll | rundll32.exe
File created | C:\Windows\SysWOW64\satornas.dll | rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: rundll32.exe
description | pid | process | target process
PID 2176 wrote to memory of 1308 | 2176 | rundll32.exe | rundll32.exe
PID 2176 wrote to memory of 1308 | 2176 | rundll32.exe | rundll32.exe
PID 2176 wrote to memory of 1308 | 2176 | rundll32.exe | rundll32.exe
PID 2176 wrote to memory of 1308 | 2176 | rundll32.exe | rundll32.exe
PID 2176 wrote to memory of 1308 | 2176 | rundll32.exe | rundll32.exe
PID 2176 wrote to memory of 1308 | 2176 | rundll32.exe | rundll32.exe
PID 2176 wrote to memory of 1308 | 2176 | rundll32.exe | rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\36890fe9a88e28810ae84c3aab8741a631ab2e1d7b5c32afc9b63490dcff0dc0.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\36890fe9a88e28810ae84c3aab8741a631ab2e1d7b5c32afc9b63490dcff0dc0.dll,#1
      - Adds Run key to start application
      - Drops file in System32 directory
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
memory/1308-0-0x0000000010000000-0x000000001000D000-memory.dmp (Filesize: 52KB)