Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-05-2024 01:17

General

  • Target

    6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe

  • Size

    118KB

  • MD5

    03dbbcfe6e37ed37ddd6842032238980

  • SHA1

    09a9780d93144bf5ad207e3fd31415b9a46feea7

  • SHA256

    6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36

  • SHA512

    086e7ca4a69fee572c178c340d38c3b42119389fc44a0ec807ddf1209c769ad5e7b393b584ba3b2ec43cf2c26905fa382fcc222a3455b26604fe0111dacd4d43

  • SSDEEP

    3072:nOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPb:nIs9OKofHfHTXQLzgvnzHPowYbvrjD/m

Score
7/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 55 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
    "C:\Users\Admin\AppData\Local\Temp\6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2660

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Modify Registry (T1112): 1
  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 1

Downloads

  • C:\Windows\SysWOW64\satornas.dll
    Filesize

    183B

    MD5

    77b1ea7ab10ee4d3129ccf35d3d0a882

    SHA1

    e12b3940877f5d6e0a60deb6a16d626246f034e8

    SHA256

    570a073604bcfef58ac59cf9daab699afbbe95cb05221bae9b3b95b8f2adf247

    SHA512

    ea418ec3e424ccec435bca3bde0154afb106435b7e34de00c4f9de9cc9dd9c5ab4a3777019e1805d20eabde7083d411c944434b07442bb6f5837e8a0c1b1abad

  • \Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    40ce0c98aa565d246174fc404558ea91

    SHA1

    6bdf6fd3c769e9ec86104801efb14b75a84778da

    SHA256

    fd09cdef2ec971c8a0383fb6f749edaf324aa5f220fc592f87c905ee1fa4c42e

    SHA512

    5f6ecabd5445a50628d71e081c7fb64e5b86b5c80e7df6ee0969706944c402c9deb196a2cfa22db90e859a534b7b4ca2325609f19417d31dfc64435c5c2003ed

  • \Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    4e2b674f7039b51c3a0661b47bf26da8

    SHA1

    86983a9e3dcd8291b08df750059d8ac74f4bf8cc

    SHA256

    c3acd49b06d1c94431d024e1ebdb4a4338b5747832aaf26f9c6fe41b613dabca

    SHA512

    6ef21cb7206ab9733435b2d4fb89a340501efe468dbe09b8c756408fc3ac4b7a7fa6aba520d52a7dcb4145f9c97c9ac83fe33986d90def5ba8455a8b1df3e30b

  • \Windows\SysWOW64\smnss.exe
    Filesize

    118KB

    MD5

    f7aa07f9a9e514f1ff818a629a3d7915

    SHA1

    de3cea9baa0e7d5052538d376c86c79b78bf6cbe

    SHA256

    4f7a7465e7b02cd622ae792ceb18e6df60ec1f9ea7ad4d37a5645dec047934c7

    SHA512

    725b6589a42ed38014433cb5e1748c70626cf86a45a3c551cbc4795da02fa83596fe16faaa83d212599f2bbdecbb449f4bd98fc07844d9ae9ae3eadc2559bdeb

  • memory/2180-26-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

  • memory/2180-27-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

  • memory/2180-0-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

  • memory/2180-18-0x00000000002D0000-0x00000000002D9000-memory.dmp
    Filesize

    36KB

  • memory/2180-16-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

  • memory/2268-32-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

  • memory/2660-34-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

  • memory/2660-41-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

  • memory/2660-43-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB