Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-05-2024 02:48

General

  • Target

    c18318919937d441115758cd5b65f821f791af3ad4a47d8f679f40717157d1a6.exe

  • Size

    118KB

  • MD5

    431ac29fcd9deabd011eb19a342e02e7

  • SHA1

    2d51bf3106a6a524ec5971f5f7c5910c9f478736

  • SHA256

    c18318919937d441115758cd5b65f821f791af3ad4a47d8f679f40717157d1a6

  • SHA512

    ed14e7186007bce33979a427251fef7ea254eabf374084014366b696bc0ae82ee545acfb8c9f89e6bb656ea7ee754ffd9b6e081b594c478bcdcf7ac161e6b57b

  • SSDEEP

    3072:4OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPb:4Is9OKofHfHTXQLzgvnzHPowYbvrjD/m

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 12 IoCs
  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c18318919937d441115758cd5b65f821f791af3ad4a47d8f679f40717157d1a6.exe
    "C:\Users\Admin\AppData\Local\Temp\c18318919937d441115758cd5b65f821f791af3ad4a47d8f679f40717157d1a6.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1172
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2944

Network

MITRE ATT&CK Matrix ATT&CK v13

  Tactic                Technique                            Count  ID
  Persistence           Boot or Logon Autostart Execution    1      T1547
                        Registry Run Keys / Startup Folder   1      T1547.001
  Privilege Escalation  Boot or Logon Autostart Execution    1      T1547
                        Registry Run Keys / Startup Folder   1      T1547.001
  Defense Evasion       Modify Registry                      1      T1112
  Credential Access     Unsecured Credentials                1      T1552
                        Credentials In Files                 1      T1552.001
  Discovery             Query Registry                       2      T1012
                        Peripheral Device Discovery          2      T1120
                        System Information Discovery         2      T1082
  Collection            Data from Local System               1      T1005


Downloads

  • C:\Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    6159dea3410120b5f9fa0edcc9fefb0e

    SHA1

    bb2de69d096baeefe0bb8f3163ae099b14daab28

    SHA256

    6c2e46a8e72713ef24f544bbe630e52e62cbf0500f5ec48e31555127263c692e

    SHA512

    e9077f3f04f1a3756398cbcc7f56b18a519ab9b4b03a93c32fdfd4f30b6a4c94c5e62115c762d13eb8f3bd1875f4180e3153cba5dfd7cf2052952a8bb406f9ba

  • C:\Windows\SysWOW64\grcopy.dll
    Filesize

    118KB

    MD5

    2939dc605019a3db77fc67722dc9a2ba

    SHA1

    c196fb546facb2f576461cc6c067076c4121566d

    SHA256

    5ac25d80f0c71d31e0b9d04204d150a1c0eb7809483a50edb5a142ccad2238df

    SHA512

    757059e258b6c7688490135cc2bfa40ceea109143aa7abae69b6678e5d1336c4ac708e44636e9013daba37233bd8953a96be6e3760243a92758f011bb0c653db

  • C:\Windows\SysWOW64\satornas.dll
    Filesize

    183B

    MD5

    633cb3704a396159462d3c92cb432736

    SHA1

    cc0e7802153276bd4d0f42c3654485e4101a7f92

    SHA256

    474e8d5bc14f8767237d11ab6de8ab404ec909d6efbeffe1d13bc2ced8ca004b

    SHA512

    85e12f1672e6384063cee9b8f1beb49bbeccc1ebdc4ebd7d2d62263eb35ddaa246cc76627ba73314e6c96905b202a58b7cf1be44c4bd856dd189925ddb781065

  • C:\Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    66ff9f1d40d7a0885a24a89bb655a573

    SHA1

    0a2af2b5b90ad8de311c93ea25ffb115989486b6

    SHA256

    6cfb6b849c29a2f04f1fe0145fb809469c3e1f279790416c01d94d0009bdd6d7

    SHA512

    2190221a81d0a81b8f9aa7e25affb452254fdb0936090df47253a99e288f65bd3fa5b66ee530394d14b4efa442092333ada722c88783ea19e683ad9007e15931

  • memory/1140-23-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

  • memory/1140-24-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

  • memory/1140-0-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

  • memory/1140-18-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

  • memory/1172-25-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

  • memory/1172-29-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

  • memory/2944-31-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

  • memory/2944-38-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

  • memory/2944-41-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB
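
Host sweep

The SysWOW64 drop paths and hashes listed under Downloads, together with the "Adds Run key to start application" behaviour in the process tree, are what a responder would sweep other Windows hosts for. The PowerShell script below is an added example, not part of the sandbox report or of the sample; the only values taken from the page are the four dropped-file paths with their SHA256 hashes and the smnss.exe path (which the report executes but lists no hash for). The function names, the name pattern used to match Run-key values, and the set of Run keys checked are assumptions for illustration: the report shows that a Run key is written but not its name or value. The WOW6432Node key is included because the dropped binaries run from SysWOW64 as 32-bit processes, and a 32-bit process's write to HKLM\SOFTWARE\...\Run is redirected there by the registry redirector.

```powershell
# Added example (not from the sandbox report): sweep a Windows host for the
# dropped files and Run-key persistence this report describes.

# Dropped files and SHA256 hashes as listed in the report's Downloads section.
$ReportedDrops = @{
    'C:\Windows\SysWOW64\ctfmen.exe'   = '6c2e46a8e72713ef24f544bbe630e52e62cbf0500f5ec48e31555127263c692e'
    'C:\Windows\SysWOW64\grcopy.dll'   = '5ac25d80f0c71d31e0b9d04204d150a1c0eb7809483a50edb5a142ccad2238df'
    'C:\Windows\SysWOW64\satornas.dll' = '474e8d5bc14f8767237d11ab6de8ab404ec909d6efbeffe1d13bc2ced8ca004b'
    'C:\Windows\SysWOW64\shervans.dll' = '6cfb6b849c29a2f04f1fe0145fb809469c3e1f279790416c01d94d0009bdd6d7'
}

# smnss.exe appears in the process tree but the report gives no hash for it,
# so it can only be checked for presence.
$PresenceOnly = @('C:\Windows\SysWOW64\smnss.exe')

# Assumed name pattern (from the dropped file names) for matching Run values.
$NamePattern = 'ctfmen|smnss|grcopy|satornas|shervans'

function Test-ReportedDrops {
    # Hash-verify each reported drop path; report absent / match / mismatch.
    foreach ($entry in $ReportedDrops.GetEnumerator()) {
        $path = $entry.Key
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Status = 'absent'; SHA256 = $null }
            continue
        }
        # Get-FileHash returns uppercase hex; normalise before comparing.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        if ($hash -eq $entry.Value) {
            $status = 'MATCH (reported hash)'
        } else {
            $status = 'present, hash differs from report'
        }
        [pscustomobject]@{ Path = $path; Status = $status; SHA256 = $hash }
    }
    foreach ($path in $PresenceOnly) {
        if (Test-Path -LiteralPath $path) {
            $status = 'present (no reference hash in report)'
        } else {
            $status = 'absent'
        }
        [pscustomobject]@{ Path = $path; Status = $status; SHA256 = $null }
    }
}

function Get-SuspiciousRunKeys {
    # Run-key persistence (T1547.001). Checks the 64-bit and redirected
    # 32-bit HKLM views plus the current user's hive; the value written by the
    # sample is not in the report, so values are matched on the dropped names.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata the provider adds.
            if ($p.Name -like 'PS*') { continue }
            if ("$($p.Value)" -match $NamePattern) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

Test-ReportedDrops   | Format-Table -AutoSize
Get-SuspiciousRunKeys | Format-Table -AutoSize
```

Reading the Run keys and hashing files under SysWOW64 needs no elevation, so the script can run under a normal user token during triage. A "present, hash differs" result still deserves attention: the report shows both the sample and smnss.exe dropping files into System32, so a rebuilt or differently packed variant would keep the same paths with new hashes.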