Overview

overview

10

Static

static

10

028188b96e...bf.exe

windows7-x64

9

028188b96e...bf.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    24-05-2024 18:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    028188b96ee89bdaa300f27bc079567fdc8a182fed3217df30df10bc0027a7bf.exe

  • Size

    118KB

  • MD5

    544487f550b3c95f3a957439be2fcbb2

  • SHA1

    d1741aca0a0060210d74f512217009b25bb22d4e

  • SHA256

    028188b96ee89bdaa300f27bc079567fdc8a182fed3217df30df10bc0027a7bf

  • SHA512

    2619957823cb2b0f45ac1e72d323193c4dec2d59ce9e02f5659cbfba5ba872427d3cb74b05bdc74004da653178675bc563be433642e0df67a6bdf308b7cb0049

  • SSDEEP

    3072:/OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPo:/Is9OKofHfHTXQLzgvnzHPowYbvrjD/h

Score
9/10
persistencespywarestealer

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 14 IoCs
  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\028188b96ee89bdaa300f27bc079567fdc8a182fed3217df30df10bc0027a7bf.exe
    "C:\Users\Admin\AppData\Local\Temp\028188b96ee89bdaa300f27bc079567fdc8a182fed3217df30df10bc0027a7bf.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2820

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\satornas.dll
    Filesize

    183B

    MD5

    603bbef0d1e1f9dea07952aac6a3d2cc

    SHA1

    413ac30ae6b4070efa45efff708337ac56d07507

    SHA256

    6dcd5e3b20c9aa4d5d9d0a26b255d6e7d91e6c61fc935b940dd5c750454b56bc

    SHA512

    9b827ae67d2d711f4bd9f55905a7427bf1d453fe089966232ba64a1376ea5047e9291b1dbc0ff54863b95fd9f4181e61ffbb6da9ba3b6b125d9a73c8d7b868b6

    Download Submit
  • \Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    6fef9665548c59433589b5b63f051820

    SHA1

    c0dc45839f582ec62053304a5deb390ec81d0384

    SHA256

    abea251896af11087b922925402cbfe27af20f4c2c05f6441568ce6bc471c375

    SHA512

    dda577d18c9d3aed1d2b37e041d02f2b38cd7d11124b8c3375b6277faf243314c97ad011079876f7a409357cd28072640991eec7e2466af2a55e0f7a3f612ffe

    Download Submit
  • \Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    a057dab6027a1aedb8a386eb6f182d48

    SHA1

    d969bf710b2238f4f531a66b2459b1bb34089cc4

    SHA256

    cf7876946333b3ff585e04d0e857530d36e89bdd9b9a6493b96d39c5cab40557

    SHA512

    18c1dc0fb5ef2a8717e338ef580afa132da046b4680ac24574808afa3f59ffccf8d83c12cef34d3a083dd0ab25399aa5237eec35ebc2feaf2ed5a96a4485fbe0

    Download Submit
  • \Windows\SysWOW64\smnss.exe
    Filesize

    118KB

    MD5

    790d58974075282f3ff1387af4914ee8

    SHA1

    77e1fd770c482f797c3a5de390e53e09d8ea7cf6

    SHA256

    94d5d940f5f5728e5863723480eea3b40fd190f97b92e1fd1c58ef330d682766

    SHA512

    8be4e3a436f3e494cc3a7d25d0101aaeda62936b8e274703f75b88906e8f2cc476c9f7586c1a560697fb04b531442bdc8abc5d08f06a437a61b6fd0799b1f32f

    Download Submit
  • memory/1936-25-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1936-26-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/1936-0-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1936-18-0x0000000000320000-0x0000000000329000-memory.dmp
    Filesize

    36KB

    Download
  • memory/1936-16-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/2380-28-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download
  • memory/2380-30-0x00000000003B0000-0x00000000003CF000-memory.dmp
    Filesize

    124KB

    Download
  • memory/2380-35-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download
  • memory/2820-40-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

    Download
  • memory/2820-43-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/2820-46-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

    Download