Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-05-2024 21:50

General

  • Target

    54022eb40d93d1487d8c999cb7eaea31ad3fb3bf99423b58170b41ca61c9cb50.exe

  • Size

    352KB

  • MD5

    7f63fe3c9fd099c050fffdf789c892b6

  • SHA1

    97f4eb58f1a2d00bad0c72b4959a56f293d05114

  • SHA256

    54022eb40d93d1487d8c999cb7eaea31ad3fb3bf99423b58170b41ca61c9cb50

  • SHA512

    dd66ef062b72b3565635bf49e371e6838dae468e3e125c68ea5a47b63325371a23d3b9685d3842620ee7bfa6fb691a5b991211039bf7a3b3f8da5466f4fdbd2d

  • SSDEEP

    6144:kIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCe8i:lKofHfHTXQLzgvnzHPowYbvrjD/L7QPs

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 11 IoCs
  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54022eb40d93d1487d8c999cb7eaea31ad3fb3bf99423b58170b41ca61c9cb50.exe
    "C:\Users\Admin\AppData\Local\Temp\54022eb40d93d1487d8c999cb7eaea31ad3fb3bf99423b58170b41ca61c9cb50.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2772

Network

MITRE ATT&CK Matrix ATT&CK v13

Tactic                Technique                              ID          Count
Persistence           Boot or Logon Autostart Execution      T1547       1
Persistence           Registry Run Keys / Startup Folder     T1547.001   1
Privilege Escalation  Boot or Logon Autostart Execution      T1547       1
Privilege Escalation  Registry Run Keys / Startup Folder     T1547.001   1
Defense Evasion       Modify Registry                        T1112       1
Credential Access     Unsecured Credentials                  T1552       1
Credential Access     Credentials In Files                   T1552.001   1
Discovery             Query Registry                         T1012       2
Discovery             Peripheral Device Discovery            T1120       2
Discovery             System Information Discovery           T1082       2
Collection            Data from Local System                 T1005       1

Downloads

  • C:\Windows\SysWOW64\satornas.dll
    Filesize: 183B
    MD5: 963c654f4880b01f9aeee281d70e038d
    SHA1: 96affdd6cfed54cda159b0ef464aab8c7c5a76b5
    SHA256: 022b922459d2da1545077bc796eb3435406d466ed2243f65c2a0ef0faff13a3a
    SHA512: c60346a005cca2051da2d2618ce0aef7ad018edeb09957f4c803305252b5206fdda4455fb6c8089e25e87d874a9ecd594d81215fa65b750605cbf86241fb97a4

  • \Windows\SysWOW64\ctfmen.exe
    Filesize: 4KB
    MD5: 0a6f234d4c83e56e4769315a213013a4
    SHA1: ce9a08ec2f2e52c6d1a4173cee8f6958c42a89dd
    SHA256: 05601c70fedc5faaa2e7a6623aa285ee1b0194db5037074d70f35acbd8d986c6
    SHA512: a3c62fb8aad83f5f16632f799b0abdd8cba821bf2f411b01658afb84b24fd1cb241782862bc57c978a5b3581f559d1bf981147b0572abba161eb3aca81a6d6c2

  • \Windows\SysWOW64\shervans.dll
    Filesize: 8KB
    MD5: 58415b2156a216b614ce2688c29dd348
    SHA1: 5bb9f406dbde3725eb8a3358458d7b611930f0bc
    SHA256: 0f4c15b8f5d27e6e4849b3f2c544ac27470f7179b6c4cd6aa01c15906878ea6e
    SHA512: a6ef5322e70a237507f0848b2140c176ce7c2e2681adb8168a38f56999ff70f86e93ff8902acb6d549d0931a201945b98f743093d493bf0832cf7c29b19dd963

  • \Windows\SysWOW64\smnss.exe
    Filesize: 352KB
    MD5: d02968f25fff8888592326b2d5a23d79
    SHA1: 401dbc4acf99284f42a082c186f32a9729f09461
    SHA256: f8898842519053a960828ec6daea1f2889b5b0615ec605fc5b2ea56781fdc04c
    SHA512: 19280fda6e4bbdee61aa94ed3869e9c191b1e4dd623da86dcc0d67c813d65b7f906021ff24a2c1a104a69a0c35c83c212903f7dd80eff6cce97c6fc3d524a77b

  • memory/2132-26-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB

  • memory/2132-25-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize: 384KB

  • memory/2132-1-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize: 384KB

  • memory/2132-18-0x0000000000340000-0x0000000000349000-memory.dmp
    Filesize: 36KB

  • memory/2132-16-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB

  • memory/2772-35-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize: 384KB

  • memory/2772-42-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB

  • memory/2772-45-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize: 384KB

  • memory/3048-29-0x0000000000320000-0x0000000000380000-memory.dmp
    Filesize: 384KB

  • memory/3048-34-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB