Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-06-2024 05:43

General

  • Target: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe
  • Size: 75KB
  • MD5: 3e26376479d7d154bcaa2d45b919a6c2
  • SHA1: 75e4251d8d637ba3cf1d28e18df7ea93fa853e9d
  • SHA256: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044
  • SHA512: 3b5c58b7902c6ccbe6258cefa72612e3f25c93d646b5593e22e89fcd5d094aac77b2ec04052b06f2dc052eefd967b438f5b1979c1a4fc84ba29daafe6940def2
  • SSDEEP: 1536:6x1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3s:qOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPE

Score
9/10

Signatures

  • UPX dump on OEP (original entry point): 7 IoCs
  • ACProtect 1.3x - 1.4x DLL software: 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE: 2 IoCs
  • Loads dropped DLL: 9 IoCs
  • Adds Run key to start application: 2 TTPs, 2 IoCs
  • Maps connected drives based on registry: 3 TTPs, 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory: 12 IoCs
  • Drops file in Program Files directory: 64 IoCs
  • Program crash: 1 IoCs
  • Modifies registry class: 6 IoCs
  • Suspicious use of AdjustPrivilegeToken: 1 IoCs
  • Suspicious use of WriteProcessMemory: 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe
    "C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 828
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2728

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\satornas.dll
    Filesize: 183B
    MD5: 6391a5b6708f4d4996a52f1eaee6abd8
    SHA1: af01cef882bbc720bb13a9736480a309c288eb3e
    SHA256: 42b81f8f2d21f5700bde1a75a65104590dff4bb9c1ec7ffeb65d72317feda85d
    SHA512: ef67326edad822ff91c3a2925b88322bb07f98468373bcc074b0d3d08643e6496bfbfd13d46a1f62371d54c024b2b90d4aaa245f16a719e2e36ac1b632fb7320

  • C:\Windows\SysWOW64\smnss.exe
    Filesize: 75KB
    MD5: 28f44f2cf74eac776ddef3048c8b7d1a
    SHA1: 5a64f84076177edf31b91aa74c4ddd220c62e97a
    SHA256: cd5192cddb79401c9c461c906c70c335a3210bad90b27f9d7ba4bd1f2bf06b49
    SHA512: b130ba99d3e338b3f7a2f8db35f4303978c28db65eeecadf7f0f433d8809549437957e8354089f6c095907d3ed3557355681a386276c55b51be681af6906c73d

  • \Windows\SysWOW64\ctfmen.exe
    Filesize: 4KB
    MD5: af4d5e1c277efad7353a242b6d37307a
    SHA1: 7d98685588dd8bb193b38224630f526e8daea790
    SHA256: ec98dce8c1914cf5121fb009dbd266a5b04c0a66bde52ba01f65363345efed4d
    SHA512: 84b2763229929c9f839d79a92272565e4d83a0e49a8a7a5a594221dc2877791fe19ae61527cb5ebdaf9417efd0349694c35155d64a5e126ee869d2dc566da25f

  • \Windows\SysWOW64\shervans.dll
    Filesize: 8KB
    MD5: 3d35e1c88abfc7f16049f7d5dcc02212
    SHA1: 6fa757de4ec00b5937ebb15ffc735cfb451cafc1
    SHA256: afd4b44c5e99232da031b0efed2fe9a387e1fa1e815981ade99f7eaabcb45a7d
    SHA512: aa0723a87e019156e0482ebb2e8c485d8ebd4a3c79038de4fc1e0a7fcd223066d58051aceba89097da56cffd65f90a7293b0b846862b4573a656fc5caaa7b701

  • memory/2620-39-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB

  • memory/2620-43-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB

  • memory/2756-31-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB

  • memory/2880-11-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB

  • memory/2880-17-0x0000000000350000-0x0000000000359000-memory.dmp
    Filesize: 36KB

  • memory/2880-26-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB

  • memory/2880-24-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB