Analysis

  • max time kernel
    129s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-06-2024 01:29

General

  • Target

    a48c0a96db70e3bb11907a17ff84cea6d0c964caa249f2cf019b175d795b9424.exe

  • Size

    224KB

  • MD5

    8b0f232d13fd4f1046c36e14c3519e2b

  • SHA1

    bff12b6793d73c6a1d73ca78359cbac87af943e4

  • SHA256

    a48c0a96db70e3bb11907a17ff84cea6d0c964caa249f2cf019b175d795b9424

  • SHA512

    ab67607e3c93de9a7b8a9562e56b9a7d302c2fc8e0f4166f556f25530e4ab8c9753f046bfd65b3cf6770f97d60073ca6ccb4257c46ad11726c8e1ee57b3d5506

  • SSDEEP

    6144:1Is9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCtZy:EKofHfHTXQLzgvnzHPowYbvrjD/L7QPo

Score
9/10

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 12 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a48c0a96db70e3bb11907a17ff84cea6d0c964caa249f2cf019b175d795b9424.exe
    "C:\Users\Admin\AppData\Local\Temp\a48c0a96db70e3bb11907a17ff84cea6d0c964caa249f2cf019b175d795b9424.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4832
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:4712
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1340
          4⤵
          • Program crash
          PID:3200
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4712 -ip 4712
    1⤵
    PID:3700

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\ctfmen.exe

      Filesize

      4KB

      MD5

      3ba6baaf4fb5d41fd2b113e1eb012036

      SHA1

      9b11def228da6ea6f5aa70ba702d63fe5e87e68a

      SHA256

      1c64fbfbe378f4b1772fe0521464708695bccd040def6421577a92dc26023efd

      SHA512

      1ace2bbf98f5a8db91d2a85ce5eb476b6535f5901c4bc53cca773775afff6f2c7c0707d96b35fc42300bd2a47b0c4679ecc3d8897abe427e245d768d406bc6ba

    • C:\Windows\SysWOW64\grcopy.dll

      Filesize

      224KB

      MD5

      72a657a607df0c85c0ef3770982013d0

      SHA1

      4d78c891fe2a63e166d50a9dcd741f28a7a6514f

      SHA256

      74820fea42f46e178b666e8a0b777d4ed886c034d447f73ffbc9bca79d5bb67b

      SHA512

      6d61fc75b462c0054e8cfd3d3606c703fe93559a251ea42af19ac4373892d69848e4557b5a62f9e2c5aed4bea347ae182e34a0ad792c924972a402fb74e2955c

    • C:\Windows\SysWOW64\satornas.dll

      Filesize

      183B

      MD5

      9fdd2555f896e6b83d099243619e67ed

      SHA1

      785c5ca32b51f8700f219eb3c31d72d4eb5731d5

      SHA256

      b92f8a887de2306188d4d9681ef7aefbe92be646e4c924bd2c99cc93ab4f0272

      SHA512

      fb93d6e73baba94f13d5eb2152f6ca98833216632a432ce29ccd3bbe96e58503c1d34561fd76b395774c152451b9efbeb303b12c79c66b5b2b74fd64784812fb

    • C:\Windows\SysWOW64\shervans.dll

      Filesize

      8KB

      MD5

      6eb88c2029cbd0b27d380014e1a54661

      SHA1

      476f5cbc0cc2a16bdb622a1c952063567754a692

      SHA256

      34405bb639063880355021aefcfd4629798a1ceecc1ae5d65249e3c93e759738

      SHA512

      d799d1b39467386bf57299e762cb4ec7f02906139495c5b5b82dd434326f5b5398a7125bd7b85c471e1696c795c9c3d0cb453c8d6c20df44978c715d65a923de

    • memory/4368-23-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/4368-22-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

    • memory/4368-0-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

    • memory/4368-18-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/4712-30-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

    • memory/4712-38-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/4712-40-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

    • memory/4832-24-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/4832-28-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB