Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-05-2024 21:50

General

  • Target

    54022eb40d93d1487d8c999cb7eaea31ad3fb3bf99423b58170b41ca61c9cb50.exe

  • Size

    352KB

  • MD5

    7f63fe3c9fd099c050fffdf789c892b6

  • SHA1

    97f4eb58f1a2d00bad0c72b4959a56f293d05114

  • SHA256

    54022eb40d93d1487d8c999cb7eaea31ad3fb3bf99423b58170b41ca61c9cb50

  • SHA512

    dd66ef062b72b3565635bf49e371e6838dae468e3e125c68ea5a47b63325371a23d3b9685d3842620ee7bfa6fb691a5b991211039bf7a3b3f8da5466f4fdbd2d

  • SSDEEP

    6144:kIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCe8i:lKofHfHTXQLzgvnzHPowYbvrjD/L7QPs

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 9 IoCs
  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54022eb40d93d1487d8c999cb7eaea31ad3fb3bf99423b58170b41ca61c9cb50.exe
    "C:\Users\Admin\AppData\Local\Temp\54022eb40d93d1487d8c999cb7eaea31ad3fb3bf99423b58170b41ca61c9cb50.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3176
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:544
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:4196

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    a87265b751cd5385d2c10279f7f5acdf

    SHA1

    5d65ead605a9ca7859d464a541dbc9a458ab1402

    SHA256

    d9a6a31bd75bb7eeb11ad47810e722a53e1c4f3e99ddd344529163155f02e1b2

    SHA512

    78319122c8b2f2f54d62ba31ca900933cbf349e17034b9432083dcc638b5aa65f72cb1abc58a474cd93279bda6d98b2e462b97c335a8bfc639a8396eb6ca7807

  • C:\Windows\SysWOW64\grcopy.dll
    Filesize

    352KB

    MD5

    3662e0f9672357467968ebc1fa8e83b1

    SHA1

    ec55e9ab6497a7050d22afeb423361e396e556b3

    SHA256

    27904d889d9d151ab2faa7a81d7630a7f7639f81993c827730e880b4a1abf094

    SHA512

    ddfc3ecf40486b18097a6d0548c0e2bd6cbef06f6b68fe7c4d7f23fb7958fd25db5f06dd9727ad81dd3627e038562d44de16f1d65323bf52361e8c243110255c

  • C:\Windows\SysWOW64\satornas.dll
    Filesize

    183B

    MD5

    4b52bd63bcc7887000b5a167d5f9ba6f

    SHA1

    0c614c4cea96938ef8ffdf2d88f709b2de344071

    SHA256

    6d60ba3892c763f098488797f70da3701ddcae4ee573ab49803292199ed157d6

    SHA512

    3f8cea521cf46d32beda932419b22711b99f57032545db0c4c9a2aab023f5995c0bc42acfcdfb191ed288e30bbc11b6a1d5496e0ae632b17aeada8189736d974

  • C:\Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    accf8afc1e93cb3928a38524f9f1a2d7

    SHA1

    5f4086fdb697dadd16b0f95c1bc7c2fa45c3e470

    SHA256

    a97b8564a72b164629c8bd49d35b24b099ce4acdd025765023b8291b122246fa

    SHA512

    107e6c6c3f3338f8737567e6630039687710065c0a574795b4a571eb9fe8ea1f059cbc3e730fde793aa5813314d3f799043202bfe9132dbd48e61143368d5810

  • memory/544-25-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

  • memory/3176-0-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize

    384KB

  • memory/3176-18-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

  • memory/3176-23-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize

    384KB

  • memory/3176-24-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

  • memory/4196-31-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize

    384KB

  • memory/4196-37-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

  • memory/4196-40-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize

    384KB